NAME

grokevt-findlogs - Attempts to find log file fragments in raw binary files, such as memory dumps and disk images.

SYNOPSIS

grokevt-findlogs -?

grokevt-findlogs [-v] [-h] [-H] [-o offset] raw-file

DESCRIPTION

grokevt-findlogs searches a raw binary file for event log records. It produces a simple comma-separated values (CSV) output to stdout which includes metadata and offsets of any hits. Using the metadata and offset/contiguity information, it should be easy to determine if the hits are false positives or not.

ARGUMENTS

raw-file

The binary file to be searched.

OPTIONS

-?

Prints a basic usage statement.

-v

Verbose mode. Prints status messages to stderr, which can be helpful for debugging. (Currently does nothing.)

-h

Prints a header row at the top of the CSV output containing labels for each column. (This is the default behavior.)

-H

Disables the printing of a header row. This is useful when grokevt-findlogs is used in a script.

-o offset

Begin search at this byte offset within the binary file.

BUGS

Probably a few. This script has not been extensively tested with some guest platforms.

There are likely some speed improvements that could be made.

CREDITS

Written by Timothy D. Morgan

LICENSE

Please see the file "LICENSE" included with this software distribution.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for more details.

SEE ALSO

grokevt(7) grokevt-addlog(1) grokevt-builddb(1) grokevt-dumpmsgs(1) grokevt-parselog(1) grokevt-ripdll(1)