NAME
grokevt-findlogs - Attempts to find log file fragments in raw binary
files, such as memory dumps and disk images.
SYNOPSIS
grokevt-findlogs -? .PP grokevt-findlogs [-v] [-h] [-H] [-o offset]
raw-file .SH DESCRIPTION grokevt-findlogs searches a raw binary file
for event log records. It produces a simple comma-separated values
(CSV) output to stdout which includes metadata and offsets of any hits.
Using the metadata and offset/contiguity information, it should be easy
to determine if the hits are false positives or not.
ARGUMENTS
raw-file
The binary file to be searched.
OPTIONS
-? Prints a basic usage statement.
-v Verbose mode. Prints status messages to stderr, which can be
helpful for debugging. (Currently does nothing.)
-h Prints a header row at the top of the CSV output containing
labels for each column. (This is the default behavior.)
-H Disables the printing of a header row. This is useful when
grokevt-findlogs is used in a script.
-o offset
Begin search at this byte offset within the binary file.
BUGS
Probably a few. This script has not been extensively tested with some
guest platforms.
There are likely some speed improvements that could be made.
CREDITS
Written by Timothy D. Morgan
Copyright (C) 2006-2007 Timothy D. Morgan
LICENSE
Please see the file "LICENSE" included with this software distribution.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License version 2 for more details.
SEE ALSO
grokevt(7) grokevt-addlog(1) grokevt-builddb(1) grokevt-dumpmsgs(1)
grokevt-parselog(1) grokevt-ripdll(1)