Interrogating logs using X-Ways and HEX? – any suggestions..
Hi Guys, Gals.
I am conducting some research into the domlog.nsf file that is stored in the data folder of the Lotus Notes folder from Lotus v4.6.2a.
The log file consists of the following type of records.
Date 18/12/2006 222757
User Address 255.255.255.255
Authenticated User j bloggs
Content Length 1072
Content Type image/gif
Request GET /mail/jbloggs.nsf/$icon?OpenIcon HTTP/1.1
Browser Used Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referring URL http//www.domain.com/mail/jbloggs.nsf
Server Address 255.255.255.255
Elapse Time (ms) 15
I have searched for the above data in X-Ways and can see that the following characters always appear, + - /, when a transaction is logged. Although these characters do not appear to be a header, it was something to search by to find any other transactions in allocated or unallocated space. X-Ways pulled back just over 6000 records, which is good.
However, the bit I am struggling with is determining if the timestamp can be associated to any part of the hex.
I can send anyone a snapshot of the hex if they are interested.
I'll try and get some interest started in this )
Are you asking about how the timestamp would be converted into HEX? From past experience time and dates (when saved into documents) are usually saved in their original ASCII format which is *then* converted to HEX, but a fairly basic file editor would usually show HEX and ASCII previews side by side for comparison.
If you want to search for dates and times in a file my advice would be to create a simple script (something like Perl or C++ would be ideal - I've no idea about X-Ways though) that would search for the pattern as it appears in the file, which might be (for a date as an example)
two sequential HEX codes that relate to the ASCII symbols for numbers
the HEX equivalent of the ASCII equivalent of a colon
two sequential HEX codes between XX and XX
and so on.
Does that help? Are you familiar with pattern matching scripts?
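An added example, not the poster's or the reply author's own script: a Python version of the pattern search the reply describes (Python stands in for the Perl/C++ suggested there). It carves timestamps of the shape DD/MM/YYYY HHMMSS from a raw byte buffer, rejects digit runs that are not real calendar dates, and records the byte offset of each hit so it can be lined up against the hex view. The sample buffer, the NUL-separated field layout and the 17-byte timestamp width are assumptions built from the record shown in the question, not verified against a real domlog.nsf.

```python
import re
from datetime import datetime

# Timestamp as it appears in the record: DD/MM/YYYY, a space, then HHMMSS
# (six digits with no separators), e.g. "18/12/2006 222757". Matched on raw
# bytes so the same scan works on a disk image or unallocated space.
TIMESTAMP_RE = re.compile(rb"(\d{2})/(\d{2})/(\d{4}) (\d{2})(\d{2})(\d{2})")
TIMESTAMP_LEN = 17  # assumed fixed width of the timestamp string

# Constructed sample buffer: two records between arbitrary bytes, plus a decoy
# that has the right shape but an impossible date. Field layout is assumed.
SAMPLE = (
    b"99/99/9999 999999\x00"            # decoy: must be rejected
    + b"\x00\x10\xff\x80"
    + b"18/12/2006 222757\x00"
    + b"User Address 255.255.255.255\x00"
    + b"Request GET /mail/jbloggs.nsf/$icon?OpenIcon HTTP/1.1\x00"
    + b"\x00\x7f\x00"
    + b"19/12/2006 091530\x00"
    + b"Request GET /names.nsf HTTP/1.1\x00"
)

def carve_timestamps(data):
    """Return (offset, datetime) for every match that is a valid date and time."""
    hits = []
    for m in TIMESTAMP_RE.finditer(data):
        d, mo, y, hh, mm, ss = (int(g) for g in m.groups())
        try:
            ts = datetime(y, mo, d, hh, mm, ss)
        except ValueError:
            continue  # right shape, not a real date: skip it
        hits.append((m.start(), ts))
    return hits

def carve_records(data, field_window=256):
    """Attach the printable NUL-separated strings that follow each timestamp
    (up to the next timestamp or field_window bytes) to that timestamp."""
    hits = carve_timestamps(data)
    records = []
    for i, (off, ts) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else min(len(data), off + field_window)
        chunk = data[off + TIMESTAMP_LEN:end]
        fields = [p.decode("ascii") for p in chunk.split(b"\x00")
                  if p and all(0x20 <= b < 0x7f for b in p)]
        records.append({"offset": off, "timestamp": ts, "fields": fields})
    return records

if __name__ == "__main__":
    for rec in carve_records(SAMPLE):
        print(f"0x{rec['offset']:08x} {rec['timestamp']} {rec['fields']}")
```

Running it on a real file means replacing SAMPLE with the bytes read from the image or the domlog.nsf copy; the printed hex offsets are what to jump to in X-Ways.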