Difference between pages "Windows XML Event Log (EVTX)" and "Libqcow"

From ForensicsWiki

{{expand}}

The Windows XML Event Log (EVTX) format was introduced in [[Windows|Windows Vista]] as a replacement for the [[Windows Event Log (EVT)]] format.

== Event Viewer ==
On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or the "Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can represent the EVTX files in both a "general view" (or formatted view) and a "details view" (which has both a "friendly view" and an "XML view"). Note that the formatted view renders the event through its message template and can hide significant event data that is stored in the event record; the details view, in particular the XML view, shows the record as stored.

When an event log is exported from Event Viewer, additional "display information" can be exported with it. This display information is stored in a corresponding file named:

<pre>
LocaleMetaData\%FILENAME%_%LCID%.MTA
</pre>

Where LCID is the "locale identifier" [http://msdn.microsoft.com/en-us/goglobal/bb964664.aspx].

== See Also ==
* [[Windows Event Log (EVT)]]
* [[Windows]]

== External Links ==
=== File Format ===
* [http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx EventLog Remoting Protocol Version 6.0 Specification], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/cc231354.aspx Simple BinXml Example], by [[Microsoft]]
* [http://computer.forensikblog.de/mt/mt-search.cgi?IncludeBlogs=3&tag=Evtx&limit=20 int for(ensic){blog;} - results tagged Evtx], by [[Andreas Schuster]]
* [http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf Introducing the Microsoft Vista Event Log File Format], by [[Andreas Schuster]], in 2007
* [http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html Linking Event Messages and Resource DLLs], by [[Andreas Schuster]], in 2010
* [https://googledrive.com/host/0B3fBvzttpiiSRnQ0SExzX3JjdFE/Windows%20XML%20Event%20Log%20(EVTX).pdf Windows XML Event Log (EVTX) format], by the [[libevtx|libevtx project]]

=== Event Identifiers ===
* [http://eventid.net/ EventID.net]

=== Windows Vista/2008 ===
* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]

=== Windows 7 ===
* [http://msdn.microsoft.com/en-us/magazine/ee412263.aspx Core OS Events in Windows 7, Part 1]
* [http://msdn.microsoft.com/en-us/magazine/ee358703.aspx Core Instrumentation Events in Windows 7, Part 2]

== Tools ==
* [http://computer.forensikblog.de/files/evtx/Parse-Evtx-current.zip Evtx Parser]
* [[libevtx]]
* [[log2timeline]]
* [http://technet.microsoft.com/en-us/library/cc749339.aspx wevtutil]
* [http://www.microsoft.com/en-us/download/details.aspx?id=24659 LogParser]
* [http://www.williballenthin.com/evtx/ python-evtx]

[[Category:File Formats]]

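The following is an added example for the EVTX page above; it is not code from the article, from Event Viewer or wevtutil, or from any of the tools listed. It walks the container that Event Viewer hides behind its formatted view: the 4096-byte "ElfFile" header, the 64 KiB "ElfChnk" chunks and the event records inside them, with the field layout taken from the libevtx format document linked under File Format. It also recomputes the CRC32 checksums stored in the file and chunk headers, which is the check a triage script should run before trusting a log that may have been truncated or edited. The sample file is constructed inside the script (its binary XML payloads are placeholder bytes and are not decoded), and the file-flag bit values and all function names are this example's own.

```python
"""Walk the container structure of a Windows XML Event Log (EVTX) file.

Added example for this page, not code from the article or any listed tool.
Layout per the libevtx format document: a 4096-byte "ElfFile" header, then
64 KiB "ElfChnk" chunks whose header and record area each carry a CRC32.
The sample file is constructed in build_sample_evtx().
"""
import struct
import zlib

FILE_SIGNATURE = b"ElfFile\x00"
CHUNK_SIGNATURE = b"ElfChnk\x00"
RECORD_SIGNATURE = b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK_SIZE = 4096
CHUNK_SIZE = 65536
RECORD_HEADER_SIZE = 24  # signature, size, record identifier, written FILETIME

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def filetime_to_unix(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to Unix seconds."""
    return (filetime - 116444736000000000) / 10_000_000

def parse_file_header(data):
    """File header: signature, first/last chunk number, next record identifier,
    header size, minor and major version, header block size, chunk count,
    76 unused bytes, file flags, then a CRC32 over the first 120 bytes."""
    if data[:8] != FILE_SIGNATURE:
        raise ValueError("missing ElfFile signature")
    (first_chunk, last_chunk, next_record_id, header_size, minor, major,
     block_size, num_chunks) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {"first_chunk_number": first_chunk, "last_chunk_number": last_chunk,
            "next_record_identifier": next_record_id, "header_size": header_size,
            "version": (major, minor), "header_block_size": block_size,
            "number_of_chunks": num_chunks,
            "is_dirty": bool(flags & 0x1),  # bit values are this example's reading
            "is_full": bool(flags & 0x2),
            "checksum_ok": checksum == crc32(data[:120])}

def parse_chunk(chunk):
    """Chunk header: signature, first/last record number, first/last record
    identifier, header size, last record offset, free space offset, CRC32 of
    the record area (bytes 512 up to the free space offset), 64 unused bytes,
    an unknown field, then a CRC32 over bytes 0..120 and 128..512."""
    if chunk[:8] != CHUNK_SIGNATURE:
        raise ValueError("missing ElfChnk signature")
    (_first_num, _last_num, first_id, last_id, _header_size, _last_offset,
     free_space, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    records, offset = [], 512
    # Records lie back to back from offset 512; each ends with a copy of its size.
    while (offset + RECORD_HEADER_SIZE <= free_space
           and chunk[offset:offset + 4] == RECORD_SIGNATURE):
        size, record_id, written = struct.unpack_from("<IQQ", chunk, offset + 4)
        if size < RECORD_HEADER_SIZE + 4 or offset + size > free_space:
            break  # size field points outside the record area: do not trust it
        size_copy = struct.unpack_from("<I", chunk, offset + size - 4)[0]
        records.append({"offset": offset, "record_identifier": record_id,
                        "written_unix_time": filetime_to_unix(written),
                        "binxml": chunk[offset + RECORD_HEADER_SIZE:offset + size - 4],
                        "size_ok": size_copy == size})
        offset += size
    return {"first_record_identifier": first_id, "last_record_identifier": last_id,
            "free_space_offset": free_space, "records": records,
            "header_checksum_ok": header_crc == crc32(chunk[:120] + chunk[128:512]),
            "records_checksum_ok": records_crc == crc32(chunk[512:free_space])}

def parse_evtx(data):
    header = parse_file_header(data)
    chunks = []
    for i in range(header["number_of_chunks"]):
        start = FILE_HEADER_BLOCK_SIZE + i * CHUNK_SIZE
        chunks.append(parse_chunk(data[start:start + CHUNK_SIZE]))
    return {"header": header, "chunks": chunks}

def integrity_problems(info):
    """Checksum failures to flag before trusting the log's contents."""
    problems = [] if info["header"]["checksum_ok"] else ["file header checksum mismatch"]
    for i, chunk in enumerate(info["chunks"]):
        if not chunk["header_checksum_ok"]:
            problems.append(f"chunk {i}: header checksum mismatch")
        if not chunk["records_checksum_ok"]:
            problems.append(f"chunk {i}: event records checksum mismatch")
    return problems

def build_chunk(records):
    """records: list of (record_identifier, filetime, binxml_bytes); sample data only."""
    body, last_offset = b"", 512
    for record_id, filetime, binxml in records:
        size = RECORD_HEADER_SIZE + len(binxml) + 4
        last_offset = 512 + len(body)
        body += (RECORD_SIGNATURE + struct.pack("<IQQ", size, record_id, filetime)
                 + binxml + struct.pack("<I", size))
    header = bytearray(512)
    header[:8] = CHUNK_SIGNATURE
    struct.pack_into("<QQQQIIII", header, 8, records[0][0], records[-1][0],
                     records[0][0], records[-1][0], 128, last_offset,
                     512 + len(body), crc32(body))
    # Bytes 128..512 hold the string and template offset tables (left empty here).
    struct.pack_into("<I", header, 124, crc32(header[:120] + header[128:512]))
    return (bytes(header) + body).ljust(CHUNK_SIZE, b"\x00")

def build_sample_evtx():
    """Constructed one-chunk log with two records (placeholder BinXml bodies)."""
    filetime = 133_000_000_000_000_000  # 2022-06-18 04:26:40 UTC
    frag = b"\x0f\x01\x01\x00"  # BinXml fragment header token, then filler bytes
    chunk = build_chunk([(1, filetime, frag + b"A" * 20),
                         (2, filetime + 10_000_000, frag + b"B" * 36)])
    header = bytearray(FILE_HEADER_BLOCK_SIZE)
    header[:8] = FILE_SIGNATURE
    struct.pack_into("<QQQIHHHH", header, 8, 0, 0, 3, 128, 1, 3, FILE_HEADER_BLOCK_SIZE, 1)
    struct.pack_into("<I", header, 120, 0x1)  # dirty: as if copied while the log was open
    struct.pack_into("<I", header, 124, crc32(header[:120]))
    return bytes(header) + chunk
```

A log copied from a live system typically carries the dirty flag and a free-space offset that does not match the file header's next record identifier; the records checksum is what tells a mismatch caused by an unflushed write apart from one caused by bytes changed after the fact. Decoding the BinXml payload (what the XML view shows) is the next step and is left to the parsers listed under Tools.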
Revision as of 00:29, 15 July 2013

libqcow
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libqcow

The libqcow package contains a library and applications to read the QEMU Copy-On-Write (QCOW) image format.

Tools

The libqcow package contains the following tools:

  • qcowinfo, which shows information about QCOW files.
  • qcowmount, which FUSE mounts QCOW image files.

Examples

FUSE mounting a QCOW image (libqcow 20111009 or later)

qcowmount image.qcow mount_point

History

Libqcow was created by Joachim Metz in 2010.

Also See

QEMU Copy-On-Write (QCOW) image format

External Links

  • Project site: https://code.google.com/p/libqcow/
  • Building libqcow and tools from source: https://code.google.com/p/libqcow/wiki/Building
  • Mounting a QCOW image: https://code.google.com/p/libqcow/wiki/Mounting
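The following is an added example for the libqcow page above; it is not libqcow's code and none of its function names come from the project. It decodes the QCOW header fields that qcowinfo-style output is built from (format version, virtual size, cluster size, backing file, encryption method), using the big-endian layouts documented by QEMU for the version 1 (qcow) and version 2 and 3 (qcow2) headers, which goes beyond the page's bare mention of "QCOW". Offsets and lengths in the header come from the image and are treated as untrusted: they are bounds-checked before use, and the backing file name is reported as a string rather than opened. The sample headers are constructed in the script, and the sanity limits (cluster-size range, maximum backing file name length) are this example's own assumptions.

```python
"""Decode the header of a QEMU Copy-On-Write (QCOW) image.

Added example for this page, not libqcow's code. Field layouts follow QEMU's
qcow (version 1) and qcow2 (versions 2 and 3) format descriptions; all
integers are big-endian. Sample headers come from build_qcow_header().
"""
import struct

QCOW_MAGIC = b"QFI\xfb"
CRYPT_METHODS = {0: "none", 1: "AES", 2: "LUKS"}
MIN_CLUSTER_BITS, MAX_CLUSTER_BITS = 9, 21  # 512 B .. 2 MiB clusters (assumed range)
MAX_BACKING_NAME = 1023  # longest backing file name accepted here (assumption)

def parse_qcow_header(data):
    """Return qcowinfo-style fields plus a list of problems found in the header.

    Offsets and sizes are read from the image and are untrusted: they are
    bounds-checked, and the backing file name is returned, never opened."""
    if data[:4] != QCOW_MAGIC:
        raise ValueError("not a QCOW image (bad magic)")
    version = struct.unpack_from(">I", data, 4)[0]
    problems = []
    if version == 1:
        # backing offset, backing size, mtime, size, cluster_bits, l2_bits,
        # padding, crypt method, L1 table offset
        (bf_off, bf_size, mtime, size, cluster_bits, l2_bits, _pad, crypt,
         l1_off) = struct.unpack_from(">QIIQBBHIQ", data, 8)
        info = {"l2_bits": l2_bits, "mtime": mtime}
    elif version in (2, 3):
        (bf_off, bf_size, cluster_bits, size, crypt, l1_size, l1_off, rc_off,
         rc_clusters, nb_snap, snap_off) = struct.unpack_from(">QIIQIIQQIIQ", data, 8)
        info = {"l1_size": l1_size, "refcount_table_offset": rc_off,
                "refcount_table_clusters": rc_clusters,
                "nb_snapshots": nb_snap, "snapshots_offset": snap_off}
        if version == 3:  # version 3 appends feature bits, refcount order, header length
            (incompat, compat, autoclear, rc_order,
             header_length) = struct.unpack_from(">QQQII", data, 72)
            info.update({"incompatible_features": incompat, "compatible_features": compat,
                         "autoclear_features": autoclear, "refcount_order": rc_order,
                         "header_length": header_length})
        if l1_off % (1 << cluster_bits):
            problems.append("L1 table offset is not cluster aligned")
    else:
        raise ValueError(f"unsupported QCOW version {version}")
    if not MIN_CLUSTER_BITS <= cluster_bits <= MAX_CLUSTER_BITS:
        problems.append(f"cluster_bits {cluster_bits} outside {MIN_CLUSTER_BITS}..{MAX_CLUSTER_BITS}")
    backing_file = None
    if bf_off or bf_size:
        if bf_size > MAX_BACKING_NAME or bf_off + bf_size > len(data):
            problems.append("backing file name lies outside the data or is too long")
        else:
            backing_file = data[bf_off:bf_off + bf_size].decode("utf-8", "replace")
    info.update({"version": version, "virtual_size": size,
                 "cluster_bits": cluster_bits, "cluster_size": 1 << cluster_bits,
                 "crypt_method": CRYPT_METHODS.get(crypt, f"unknown ({crypt})"),
                 "backing_file": backing_file, "l1_table_offset": l1_off,
                 "problems": problems})
    return info

def build_qcow_header(version, size, cluster_bits, backing_file=None, crypt_method=0):
    """Construct a header followed by its backing file name (sample data only)."""
    name = backing_file.encode() if backing_file else b""
    cluster = 1 << cluster_bits
    if version == 1:
        header_len = 48
        fields = struct.pack(">QIIQBBHIQ", header_len if name else 0, len(name), 0,
                             size, cluster_bits, 9, 0, crypt_method, cluster)
    else:
        header_len = 104 if version == 3 else 72
        l1_size = -(-size // (cluster * (cluster // 8)))  # 8-byte L2 entries per cluster
        fields = struct.pack(">QIIQIIQQIIQ", header_len if name else 0, len(name),
                             cluster_bits, size, crypt_method, l1_size,
                             3 * cluster, cluster, 1, 0, 0)
        if version == 3:
            fields += struct.pack(">QQQII", 0, 0, 0, 4, header_len)
    return QCOW_MAGIC + struct.pack(">I", version) + fields + name

def describe(data):
    """One-line summary in the spirit of qcowinfo output."""
    h = parse_qcow_header(data)
    return (f"QCOW v{h['version']}: {h['virtual_size']} bytes, "
            f"{h['cluster_size']}-byte clusters, encryption {h['crypt_method']}, "
            f"backing file {h['backing_file']!r}, problems {h['problems']}")
```

The backing file name deserves the same caution as any path embedded in evidence: a QCOW image from a suspect machine can name an arbitrary file on the examiner's system as its base, so the name is something to record, not something a reader should resolve on its own.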