0 records read

[dlimanov]

Is there anything special I need to do to get it to understand the EVTX files from Win7 machine? Installed dependencies, all looks well but when I run it, I get this:

/event2timeline-master$ python event2timeline.py -e -f evt.evtx
[*] Reading EVTX file evt.evtx
0 records read
[*] Unique users: 5
[*] Mapped 38 sessions from 2012-11-07 21:36:06 to 2015-03-13 16:18:07

It creates evtdata.js in /timeline folder but nothing else. Am I missing something obvious?
Thanks!

[tomchop]

That's actually the expected behavior (except for the 0 records read, it can happen if you have less than 2000 events to process, see this line).

Have you tried opening timeline-sessions.html in the /timeline folder in your browser? It should be displaying the timeline correctly.

[dlimanov]

Hi Thomas,
Thank you for for replying. Problem is there is no html generated in the /timeline folder. There's a single JS file that contains all events but nothing else..

On Mar 15, 2015, at 7:50 AM, Thomas Chopitea notifications@github.com wrote:

That's actually the expected behavior (except for the 0 records read, it can happen if you have less than 2000 events to process, see this line).

Have you tried opening timeline-sessions.html in the /timeline folder in your browser? It should be displaying the timeline correctly.

—
Reply to this email directly or view it on GitHub.

[tomchop]

The HTML file isn't generated by the script, it's already there when you clone the repo: https://github.com/certsocietegenerale/event2timeline/tree/master/timeline

[dlimanov]

Ok, so I started from scratch, deleted everything and pulled in a fresh version of the repo, fed it a new evtx file:

event2timeline-master$ python event2timeline.py -e -f ~/Desktop/evt.evtx
[] Reading EVTX file /Desktop/evt.evtx
0 records read
[] Unique users: 5
[*] Mapped 38 sessions from 2012-11-07 21:36:06 to 2015-03-13 16:18:07

I now have the following two files in /timeline folder:

event2timeline-master/timeline$ ls
d3.v2.js  timeline-sessions.html

However when I try to open timeline-sessions.html, it renders an empty page in Firefox. Is this because there is not enough sessions in the evtx file?

From: Thomas Chopitea notifications@github.com
Reply: certsocietegenerale/event2timeline reply@reply.github.com>
Date: March 15, 2015 at 10:02:59 AM
To: certsocietegenerale/event2timeline event2timeline@noreply.github.com>
Cc: dlimanov dlimanov@gmail.com>
Subject:  Re: [event2timeline] 0 records read (#2)

The HTML file isn't generated by the script, it's already there when you clone the repo: https://github.com/certsocietegenerale/event2timeline/tree/master/timeline

—
Reply to this email directly or view it on GitHub.

[tomchop]

That's strange, the script should generate a evtdata.js file in the /timeline folder. Did it generate an evtdata.js file anywhere? If you can share the evtx file, I'll happily run some tests locally tomorrow.

[dlimanov]

Hi Thomas,
evtdata.js does not seem to be created anywhere. Here’s a link to evtx file, let me know if you can’t get to it:
https://drive.google.com/file/d/0B1yDJY-W7MEnSkFHSEtPTUl2VGM/view?usp=sharing

Thanks!

From: Thomas Chopitea notifications@github.com
Reply: certsocietegenerale/event2timeline reply@reply.github.com>
Date: March 15, 2015 at 6:55:22 PM
To: certsocietegenerale/event2timeline event2timeline@noreply.github.com>
Cc: dlimanov dlimanov@gmail.com>
Subject:  Re: [event2timeline] 0 records read (#2)

That's strange, the script should generate a evtdata.js file in the /timeline folder. Did it generate an evtdata.js file anywhere? If you can share the evtx file, I'll happily run some tests locally tomorrow.

—
Reply to this email directly or view it on GitHub.