joswr1ght/evtxResourceIDGaps.py

## evtxResourceIDGaps.py
from xml.etree import ElementTree
import sys

first=True
eventrecordid=None
lasttime=None
latesttime=None

if (len(sys.argv) != 2):
    print("Read from the dump_evtx XML output, identifying gaps in EventRecordID values")
    print("that could indicate deleted logging entries.\n")
    print("Usage: %s <eventlog.xml>"%sys.argv[0])
    sys.exit(1)

with open(sys.argv[1], 'rt') as f:
    tree = ElementTree.parse(f)

for node in tree.iter():
    if "TimeCreated" in node.tag:
        if (first):
            lastime=node.attrib["SystemTime"]
            continue
        latesttime=node.attrib["SystemTime"]
    if "EventRecordID" in node.tag:
        if (first):
            eventrecordid=int(node.text)
            first=False
            continue
        else:
            if int(node.text) > eventrecordid+1:
                print("="*4,"Gap between EventRecordID %d and %d (%s and %s)"%(eventrecordid, int(node.text), lasttime, latesttime))
            eventrecordid=int(node.text)
            lasttime=latesttime
	from xml.etree import ElementTree
	import sys

	first=True
	eventrecordid=None
	lasttime=None
	latesttime=None

	if (len(sys.argv) != 2):
	print("Read from the dump_evtx XML output, identifying gaps in EventRecordID values")
	print("that could indicate deleted logging entries.\n")
	print("Usage: %s <eventlog.xml>"%sys.argv[0])
	sys.exit(1)

	with open(sys.argv[1], 'rt') as f:
	tree = ElementTree.parse(f)

	for node in tree.iter():
	if "TimeCreated" in node.tag:
	if (first):
	lastime=node.attrib["SystemTime"]
	continue
	latesttime=node.attrib["SystemTime"]
	if "EventRecordID" in node.tag:
	if (first):
	eventrecordid=int(node.text)
	first=False
	continue
	else:
	if int(node.text) > eventrecordid+1:
	print("="*4,"Gap between EventRecordID %d and %d (%s and %s)"%(eventrecordid, int(node.text), lasttime, latesttime))
	eventrecordid=int(node.text)
	lasttime=latesttime