Packages and Binaries:

grokevt

GrokEVT is a collection of scripts built for reading Microsoft Windows NT/2000/XP/2003 event log files.

Currently the scripts work together on one or more mounted Microsoft Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.

This program is useful in forensics investigations.

Installed size: 121 KB
How to install: sudo apt install grokevt

Dependencies:

python3
python3-pyregfi
reglookup

grokevt-addlog

A tool for adding a raw event log to an existing GrokEVT database.

[email protected]:~# grokevt-addlog -h
USAGE:
  /usr/bin/grokevt-addlog <DATABASE_DIR> <EVT_FILE> <NEW_TYPE> <BASE_TYPE>

This script takes a raw Windows event log and adds it to a
previously built database generated by grokevt-builddb.
See the man page for more details.

grokevt-builddb

Builds a database tree based on a single windows system for the purpose of event log conversion.

[email protected]:~# grokevt-builddb -h
USAGE:
  grokevt-builddb [-v] [-c CSID] <CONFIG_PROFILE> <OUTPUT_DIR>

grokevt-builddb builds a database tree based on a
single windows system for the purpose of event log
conversion.  Please see the man page for more
information.
ERROR: Requires at least 2 arguments.

grokevt-dumpmsgs

A tool for dumping the contents of message databases built previously by grokevt-ripdll(1).

[email protected]:~# man grokevt-dumpmsgs
grokevt-dumpmsgs(1)                                        grokevt-dumpmsgs(1)

NAME
       grokevt-dumpmsgs - A tool for dumping the contents of message databases
       built previously by grokevt-ripdll(1).

SYNOPSIS
       grokevt-dumpmsgs message-db1 [message-db2 ...]

DESCRIPTION
       grokevt-dumpmsgs takes one or more message databases  previously  built
       with  grokevt-ripdll(1)  and  prints out all entries to stdout. This is
       mainly a debugging tool, but may be useful for  analyzing  the  message
       contents of PE files while developing other applications.

ARGUMENTS
       grokevt-dumpmsgs uses the following arguments:

       message-dbN
              If multiple message databases are supplied, entries of all data-
              bases are printed to stdout in the order they are provided.

OUTOUT
       grokevt-dumpmsgs prints each database entry out on a  single  line,  in
       two  comma-separated columns. The first column is the message ID, which
       is in the format:

                 XXXX-YYYYYYYY

       Here, XXXX represents the message's language  code,  and  the  YYYYYYYY
       represents the message's relative virtual address (RVA) within the mes-
       sage block of the PE file.  The second column contains the message  it-
       self.  Messages containing special characters (such as newlines or com-
       mas) are encoded in the same manner  that  grokevt-parselog(1)  encodes
       them ("%XX" where XX is the hexadecimal value of the character).

BUGS
       Probably  several.  This  particular  script  has  not been extensively
       tested.

CREDITS
       Written by Timothy D. Morgan.

LICENSE
       Please see the file "LICENSE" included with this software distribution.

       This program is distributed in the hope that it  will  be  useful,  but
       WITHOUT  ANY  WARRANTY;  without  even  the  implied  warranty  of MER-
       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  GNU  General
       Public License version 3 for more details.

SEE ALSO
       grokevt(7)   grokevt-addlog(1)  grokevt-builddb(1)  grokevt-findlogs(1)
       grokevt-parselog(1) grokevt-ripdll(1)

File Conversion Utilities        20 June 2011              grokevt-dumpmsgs(1)

grokevt-findlogs

Attempts to find log file fragments in raw binary files, such as memory dumps and disk images.

[email protected]:~# grokevt-findlogs --help
USAGE:
  grokevt-findlogs -?
  grokevt-findlogs [-v] [-h] [-H] [-o <OFFSET>] <RAW_FILE>

grokevt-findlogs attempts to find log file fragments in raw
binary files, such as memory dumps and disk images.
Please see the man page for more information.

grokevt-parselog

Parse a windows event log and generate human-readable output based on message resources stored in a database.

[email protected]:~# grokevt-parselog -h
USAGE:
  grokevt-parselog -?|--help
  grokevt-parselog -l <DATABASE_DIR>
  grokevt-parselog -m <DATABASE_DIR> <LOG_TYPE>
  grokevt-parselog [-v] [-H] [-h] <DATABASE_DIR> <LOG_TYPE>

This program parses a windows event log and prints a
CSV version of the log to stdout.  Please see the man
page for more information.

grokevt-ripdll

A tool for extracting message resources from a PE-formatted file.

[email protected]:~# grokevt-ripdll -h
USAGE:
  grokevt-ripdll <INPUT_DLL> <OUTPUT_DB>

grokevt-ripdll is a tool for extracting message resources from a PE-formatted file.
Please see the man page for more information.

Updated on: 2023-Mar-08

Edit this page

gr-osmosdr gss-ntlmssp