EVTX Tools Compared: KAPE, FTK Imager, wevtutil, evtx_dump
A comparison of the tools analysts use when working with the Windows event log: what each one is genuinely good at, what it costs, and where it falls short.
| Tool | Platform | Primary use | License |
|---|---|---|---|
| EVTX parser (this site) | Browser (any OS) | Ad-hoc triage of a single .evtx without a Windows host | Free, MIT-licensed parser core |
| KAPE (Kroll Artifact Parser and Extractor) | Windows | Live-host artifact collection (then parsing) at IR scale | Free for non-commercial; paid for commercial use |
| FTK Imager | Windows | Disk imaging + targeted file export from live or mounted volumes | Free (registration required) |
| wevtutil | Windows (built-in) | Local enumeration, channel export, XML dump on a live host | Free (Windows component) |
| evtx_dump (omerbenamram/evtx) | Linux, macOS, Windows | Cross-platform CLI parser for batch / pipeline use | MIT or Apache-2.0 (dual-licensed) |
| python-evtx (williballenthin) | Linux, macOS, Windows (Python ≥3.7) | Programmatic parsing inside Python investigation notebooks | Apache 2.0 |
| RawCopy | Windows | Copy locked system files (including live .evtx) on Windows | Open source (no formal license) |
| Event Viewer (built-in) | Windows (built-in) | Manual browsing on a live host | Free (Windows component) |
EVTX parser (this site)
A Rust EVTX parser (omerbenamram/evtx) compiled to WebAssembly and run in a Web Worker; the same parser SANS and CCDC blue teams reach for when they need a non-Windows parser. Files never leave the browser (easy to confirm: load the page, disconnect from the network, then open the file), which matters when you are working on a host you don't own (a customer laptop, a forensic image you can't export) or when standing up tooling on a fresh workstation would take longer than the triage itself.
Best for: one .evtx, one analyst, no install. Limited to what one browser tab can hold in memory; for collections over 1 GB, use evtx_dump instead.
KAPE (Kroll Artifact Parser and Extractor)
The default first move on most engagements: KAPE's Targets define what to copy (the EventLogs target pulls every winevt\Logs\*.evtx in one pass and records each copy, with its hash and timestamps, in the copy log), and its Modules run downstream parsers (Eric Zimmerman's EvtxECmd, RECmd, etc.) against the collected data. Designed to run from removable media against a live system and to copy files the running OS has locked, the live Security.evtx included.
Best for: live-host collection where you need forensically sound copies plus immediate parsing. Windows only; there is no Linux or macOS build. The community config repo (EricZimmerman/KapeFiles) is where most of the practical Targets and Modules live, so update them before an engagement (KAPE's --sync option pulls the current set) rather than relying on whatever shipped with your download.
FTK Imager
The classic free GUI for full-disk imaging (E01, raw dd, AFF) and for pulling specific files out of a mounted or live volume. It can read locked system files (including the live winevt\Logs\Security.evtx) because it reads the raw volume underneath the filesystem's share-mode locking instead of going through the normal file API. Use it when you need a verifiable, hashed disk image, not just artifact copies.
Best for: court-admissible disk images, or pulling a single locked file off a live host. Not a parser; feed the output into KAPE/EvtxECmd or this site.
wevtutil
Microsoft's built-in CLI for the event log. The two commands you'll actually use are wevtutil epl Security C:\out\Security.evtx (export a live channel to a portable .evtx, lock or no lock) and wevtutil qe Security /c:100 /rd:true /f:xml (query the 100 newest records as XML for piping into a parser; /rd:true reverses the direction so the newest records come first). Present on every supported Windows version, no install.
Best for: scripted live-host collection where you can't drop binaries on the system. Filtering is limited to the XPath 1.0 subset the event log API understands (passed with /q:), and querying large channels is slow; export the whole channel with epl and filter offline instead.
evtx_dump (omerbenamram/evtx)
The Rust parser the EVTX format actually deserved. evtx_dump -o jsonl file.evtx emits one JSON document per line, one line per record (-o json and the default XML output are also available); pipe the JSONL into jq, ripgrep, or your SIEM ingestion path. Multi-threaded, deterministic, and it degrades gracefully on partial or corrupt chunks instead of aborting on the whole file. The same code powers this site's in-browser parser.
Best for: ingesting many .evtx into a pipeline, or one-off triage on Linux/macOS. No GUI and no built-in dashboard; bring your own tooling for filtering and pivoting.
python-evtx (williballenthin)
Willi Ballenthin's pure-Python EVTX parser. Slower than evtx_dump, but trivial to embed in a Jupyter notebook and to extend for unusual analyses (custom event-data field extraction, cross-channel correlation). The long-standing pure-Python implementation of the format, and still the easiest way to get at the raw binary XML from Python when you cannot bring a compiled toolchain along.
Best for: bespoke analysis in Python. Performance-bound on large datasets; prefer evtx_dump for high-throughput work, or pre-convert with evtx_dump and do the Python work on its JSON output.
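As an added example covering both the evtx_dump and python-evtx sections (it is not code from this page, from omerbenamram/evtx, or from python-evtx), the script below ingests `evtx_dump -o jsonl` output and does the kind of cross-channel correlation the python-evtx section describes: it ties each RDP logon (Security 4624 with LogonType 10) to the processes started under its logon ID (Security 4688) and to any service installed on the same host within ten minutes (System 7045). It assumes evtx_dump's JSON layout (Event.System and Event.EventData, XML attributes under `#attributes`, element text under `#text`) and handles the two things that trip up naive scripts: EventID arrives as a dict with `#text` for classic providers that carry Qualifiers, and a record recovered from a damaged chunk can land as an unparsable line. The sample records, the ten-minute window and the LogonType filter are constructed assumptions for the demonstration.

```python
"""Correlate logon sessions across Security and System channels from
evtx_dump JSONL output.

Added example for this page; not code from the page, from
omerbenamram/evtx, or from python-evtx. Assumes the record shape that
`evtx_dump -o jsonl` emits (Event.System / Event.EventData, XML attributes
under "#attributes", element text under "#text"). The sample lines are
constructed, not real logs.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: four Security records, one System record, and a
# truncated line standing in for a record recovered from a damaged chunk.
SAMPLE_JSONL = r'''
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4624,"TimeCreated":{"#attributes":{"SystemTime":"2024-03-05T09:12:44.123456Z"}},"EventRecordID":1001,"Channel":"Security","Computer":"WS01"},"EventData":{"TargetUserName":"jdoe","TargetDomainName":"CORP","TargetLogonId":"0x3e7a1","LogonType":10,"IpAddress":"10.0.0.5"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4688,"TimeCreated":{"#attributes":{"SystemTime":"2024-03-05T09:13:02.000000Z"}},"EventRecordID":1002,"Channel":"Security","Computer":"WS01"},"EventData":{"SubjectLogonId":"0x3e7a1","NewProcessName":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4688,"TimeCreated":{"#attributes":{"SystemTime":"2024-03-05T09:13:10Z"}},"EventRecordID":1003,"Channel":"Security","Computer":"WS01"},"EventData":{"SubjectLogonId":"0x3e7","NewProcessName":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Service Control Manager"}},"EventID":{"#attributes":{"Qualifiers":16384},"#text":7045},"TimeCreated":{"#attributes":{"SystemTime":"2024-03-05T09:14:30.5Z"}},"EventRecordID":77,"Channel":"System","Computer":"WS01"},"EventData":{"ServiceName":"UpdaterSvc","ImagePath":"C:\\Users\\Public\\upd.exe","StartType":"auto start"}}}
{"Event":{"System":{"Provider":{"#attributes":{"Name":"Microsoft-Windows-Security-Auditing"}},"EventID":4624,"TimeCreated":{"#attri
'''


def load_jsonl(text):
    """Parse one JSON document per line. Returns (records, bad_line_numbers);
    an unparsable line is reported and skipped rather than aborting the run."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(n)
    return records, bad


def event_id(rec):
    """EventID is a bare int for manifest-based providers; classic providers
    with Qualifiers are emitted as {"#attributes": {...}, "#text": id}."""
    eid = rec["Event"]["System"]["EventID"]
    if isinstance(eid, dict):
        eid = eid["#text"]
    return int(eid)


def event_data(rec):
    """Flatten EventData; a value that carried XML attributes is a dict with #text."""
    data = rec["Event"].get("EventData") or {}
    return {k: (v.get("#text") if isinstance(v, dict) else v) for k, v in data.items()}


def channel(rec):
    return rec["Event"]["System"]["Channel"]


def record_time(rec):
    """TimeCreated/@SystemTime is ISO-8601 UTC with a trailing Z and a
    fractional part of variable length; normalise it to 6 digits for %f."""
    ts = rec["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"].rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts, fmt = base + "." + frac[:6].ljust(6, "0"), "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def correlate_sessions(records, window=timedelta(minutes=10)):
    """For each RDP logon (Security 4624, LogonType 10) attach the processes it
    started (4688 whose SubjectLogonId equals the logon's TargetLogonId) and any
    service installed on the same host (System 7045) within `window` after it."""
    records = sorted(records, key=record_time)
    sessions = []
    for rec in records:
        if channel(rec) != "Security" or event_id(rec) != 4624:
            continue
        data = event_data(rec)
        if int(data.get("LogonType", 0)) != 10:
            continue
        t0, host, logon_id = record_time(rec), rec["Event"]["System"]["Computer"], data["TargetLogonId"]
        procs, services = [], []
        for other in records:
            dt = record_time(other) - t0
            if dt < timedelta(0) or dt > window:
                continue
            od, eid = event_data(other), event_id(other)
            if channel(other) == "Security" and eid == 4688 and od.get("SubjectLogonId") == logon_id:
                procs.append(od.get("CommandLine") or od.get("NewProcessName"))
            elif channel(other) == "System" and eid == 7045 and other["Event"]["System"]["Computer"] == host:
                services.append((od.get("ServiceName"), od.get("ImagePath")))
        sessions.append({"user": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
                         "source_ip": data.get("IpAddress"), "logon_id": logon_id, "host": host,
                         "processes": procs, "services_installed": services})
    return sessions


def analyse(text=SAMPLE_JSONL):
    """Load JSONL text (by default the constructed sample) and correlate it."""
    records, bad = load_jsonl(text)
    return correlate_sessions(records), bad


if __name__ == "__main__":
    found, bad = analyse()
    for s in found:
        print(f"{s['user']} from {s['source_ip']} on {s['host']} (logon {s['logon_id']}):")
        for p in s["processes"]:
            print("  process:", p)
        for name, path in s["services_installed"]:
            print("  service installed:", name, "->", path)
    if bad:
        print("skipped unparsable lines:", bad)
```

To run it on real data, run `evtx_dump -o jsonl` once per channel (it takes a single input file), concatenate the outputs, and pass the text to analyse(). Sorting by time before correlating is deliberate: record numbers within one .evtx are monotonic, but across channels they mean nothing.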
RawCopy
A tiny, portable Windows utility that copies files directly through NTFS internals, bypassing the file lock that prevents normal copy on live event logs. Useful when you only have shell access on a host and can't deploy KAPE or FTK Imager.
Best for: minimum-footprint live-system copies. Windows only; no parsing — feed the output into a real parser.
Event Viewer (built-in)
The MMC snap-in. Fine for clicking through a few records on a live server during a tactical investigation, but slow on million-record channels and awkward to filter, and it only runs on Windows, so an analyst on a Linux or macOS workstation cannot open an .evtx with it at all. It is useful as the final ground-truth renderer because it resolves each record's message text from the provider's registered message resources; the caveat is that this only works when those providers are registered on the host doing the viewing, so an exported .evtx opened on a different machine may show only the raw event data plus a notice that the description for the event cannot be found.
Best for: confirming a single record's full rendered message text on the host that produced it. Almost any other workflow is faster in another tool.