igevtx

module

v0.0.0-...-0908972 Latest Latest Go to latest Published: May 12, 2019 License: BSD-3-Clause

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/2igosha/igevtx

Links

Open Source Insights

README ¶

igevtx

Windows EVTX file format parser: an experiment in Go

Sources:

go get github.com/2igosha/igevtx/dump_evtx

Usage:

dump_evtx list_of_evtx_filenames

The parser is wrapped in a package and can be used with a callback function:

import (
	"github.com/2igosha/igevtx/igevtx"
	...
	)
func printEvent(t time.Time, num uint64, variable map[string]string) {
	fmt.Fprintf(out, "Record #%d %04d-%02d-%02dT%02d:%02d:%02dZ ", num, t.Year(), t.Month(), t.Day(), t.Hour(), t.Minute(), t.Second())
	for n, v := range variable {
		fmt.Fprintf(out, "%s:%s,", n, normalizeNl(v))
	}
	fmt.Fprintf(out, "\n")
}
func main() {
	for _, fname := range os.Args[1:] {
		err := igevtx.ParseEvtx(fname, printEvent)
		if err != nil {
			fmt.Printf("parseEvtx(%s) : %v\n", fname, err)
			os.Exit(2)
		}
	}

Directories ¶

Path	Synopsis
dump_evtx Dump the contents of EVTX files in readable format.	Dump the contents of EVTX files in readable format.
igevtx Parse the contents of the EVTX files.	Parse the contents of the EVTX files.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL