├── .gitattributes
├── .github
│   └── workflows
│       └── windows.yaml
├── .gitignore
├── Gopkg.lock
├── Gopkg.toml
├── LICENSE
├── Makefile
├── README.md
├── cmd
│   ├── chunks.go
│   ├── dumpevtx.go
│   ├── extract_windows.go
│   ├── lookup.go
│   ├── parse.go
│   └── watch.go
├── debug.go
├── docs
│   └── evtx_format.md
├── evtx.go
├── fixtures
│   ├── CAPI2_Operational.golden
│   ├── Event4624_linux.golden
│   └── Event4624_windows.golden
├── go.mod
├── go.sum
├── message_sets.go
├── messages.go
├── messages_database.go
├── messages_windows.go
├── normalize.go
├── parser_test.go
├── resolver.go
├── resolver_windows.go
├── testdata
│   ├── Microsoft-Windows-CAPI2_Operational_EventID70.evtx
│   ├── Security.evtx
│   └── Security_1_record.evtx
└── utils.go

/.gitattributes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/.gitattributes
--------------------------------------------------------------------------------

/.github/workflows/windows.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/.github/workflows/windows.yaml
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
*~
vendor/
dumpevtx*
--------------------------------------------------------------------------------

/Gopkg.lock:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/Gopkg.lock
--------------------------------------------------------------------------------

/Gopkg.toml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/Gopkg.toml
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/LICENSE
--------------------------------------------------------------------------------

/Makefile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/Makefile
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/README.md
--------------------------------------------------------------------------------

/cmd/chunks.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/chunks.go
--------------------------------------------------------------------------------

/cmd/dumpevtx.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/dumpevtx.go
--------------------------------------------------------------------------------

/cmd/extract_windows.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/extract_windows.go
--------------------------------------------------------------------------------

/cmd/lookup.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/lookup.go
--------------------------------------------------------------------------------

/cmd/parse.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/parse.go
--------------------------------------------------------------------------------

/cmd/watch.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/cmd/watch.go
--------------------------------------------------------------------------------

/debug.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/debug.go
--------------------------------------------------------------------------------

/docs/evtx_format.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/docs/evtx_format.md
--------------------------------------------------------------------------------

/evtx.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/evtx.go
--------------------------------------------------------------------------------

/fixtures/CAPI2_Operational.golden:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/fixtures/CAPI2_Operational.golden
--------------------------------------------------------------------------------

/fixtures/Event4624_linux.golden:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/fixtures/Event4624_linux.golden
--------------------------------------------------------------------------------

/fixtures/Event4624_windows.golden:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/fixtures/Event4624_windows.golden
--------------------------------------------------------------------------------

/go.mod:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/go.mod
--------------------------------------------------------------------------------

/go.sum:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/go.sum
--------------------------------------------------------------------------------

/message_sets.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/message_sets.go
--------------------------------------------------------------------------------

/messages.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/messages.go
--------------------------------------------------------------------------------

/messages_database.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/messages_database.go
--------------------------------------------------------------------------------

/messages_windows.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/messages_windows.go
--------------------------------------------------------------------------------

/normalize.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/normalize.go
--------------------------------------------------------------------------------

/parser_test.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/parser_test.go
--------------------------------------------------------------------------------

/resolver.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/resolver.go
--------------------------------------------------------------------------------

/resolver_windows.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/resolver_windows.go
--------------------------------------------------------------------------------

/testdata/Microsoft-Windows-CAPI2_Operational_EventID70.evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/testdata/Microsoft-Windows-CAPI2_Operational_EventID70.evtx
--------------------------------------------------------------------------------

/testdata/Security.evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/testdata/Security.evtx
--------------------------------------------------------------------------------

/testdata/Security_1_record.evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/testdata/Security_1_record.evtx
--------------------------------------------------------------------------------

/utils.go:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/evtx/HEAD/utils.go
--------------------------------------------------------------------------------