Yaro

Results: 4 issues by Yaro

The definition in the following file: https://github.com/Velocidex/evtx/blob/1fdf8be7325e21cc7b9d83b2bae198a98267f4c1/evtx.go#L67 misses one field: `ChunkCount uint16` after `HeaderBlockSize uint16`. It also makes `FileFlags` and `CheckSum` unusable.

Sample sources of EVTX headers:

- https://github.com/cgsecurity/testdisk/blob/261c73bb72273e2a16fb06eebfea2c1892a341f3/src/file_evtx.c#L45
- https://github.com/williballenthin/python-evtx/blob/cadd06bce3876ed9907deacb0bb3e65b191eef49/Evtx/Evtx.py#L145

![image](https://user-images.githubusercontent.com/18016218/164297415-e21586a4-8c64-4e7e-a85b-98bd265f055a.png)

We have been using Velociraptor with custom "complex" VQL plugins for over 2 years.

Target machines: Windows
Velociraptor version (current): 0.7.1-2

But often we observe client crashes (Agent version = same as...

https://github.com/att/docker-forensics/blob/d50c444d59855e46ec5778942d0cad00cf722c75/mac-robber.py#L131

Traceback:

```
(... more data ...)
0|/etc/ld.so.conf|786616|-rw-rw-r--|0|0|34|1734440793.017330|1608116695.000000|1697471167.713379|1697471167.713379
0|/etc/rsyslog.conf|786654|-rw-rw-r--|0|0|1382|1734436377.488000|1640302499.000000|1697471167.721380|1697471167.721380
0|/etc/inputrc|786609|-rw-rw-r--|0|0|1748|1734679563.963715|1641486414.000000|1697471167.709378|1697471167.709378
0|/etc/magic.mime|786629|-rw-rw-r--|0|0|111|1697522640.364750|1648141629.000000|1697471167.713379|1697471167.713379
0|/etc/ethertypes|786596|-rw-rw-r--|0|0|1816|1577407331.000000|1577407331.000000|1697471167.705378|1697471167.705378
Traceback (most recent call last):
  File "/root/docker/mac-robber/orig/mac-robber.py", line 221, in <module>
    outstr = process_item(dirpath, filename)
  File "/root/docker/mac-robber/orig/mac-robber.py", line 131,...
```

Related issue for this library: https://github.com/att/docker-forensics/issues/2