
EVTX tool comparison: KAPE / FTK Imager / wevtutil / evtx_dump

A side-by-side comparison of the tools used in Windows event log investigations, covering what each one is good at, what it costs, and where it falls short.


| Tool | Platform | Main use | License |
|---|---|---|---|
| EVTX parser (this site) | Browser (any OS) | Ad-hoc triage of a single .evtx without a Windows host | Free, MIT-licensed parser core |
| KAPE (Kroll Artifact Parser and Extractor) | Windows | Live-host artifact collection (then parsing) at IR scale | Free for non-commercial; paid for commercial use |
| FTK Imager | Windows | Disk imaging + targeted file export from live or mounted volumes | Free (registration required) |
| wevtutil | Windows (built-in) | Local enumeration, channel export, XML dump on a live host | Free (Windows component) |
| evtx_dump (omerbenamram/evtx) | Linux, macOS, Windows | Cross-platform CLI parser for batch / pipeline use | MIT |
| python-evtx (libyal) | Linux, macOS, Windows (Python ≥3.7) | Programmatic parsing inside Python investigation notebooks | Apache 2.0 |
| RawCopy | Windows | Copy locked system files (including live .evtx) on Windows | Open source (no formal license) |
| Event Viewer (built-in) | Windows (built-in) | Manual browsing on a live host | Free (Windows component) |

EVTX parser (this site)

A Rust EVTX parser (omerbenamram/evtx) compiled to WebAssembly and run in a Web Worker — the same parser used by SANS and CCDC blue teams when they need a non-Windows parser. Files never leave the browser; useful when you're working on a host you don't own (a customer laptop, a forensic image you can't export) or when standing up tooling on a fresh workstation would take longer than the triage.

Best for: one .evtx, one analyst, no install. Limited to what one browser tab can hold in memory; for >1 GB collections, prefer evtx_dump.

KAPE (Kroll Artifact Parser and Extractor)

The default first move on most engagements: KAPE's Targets define what to copy (the EventLogs target pulls all winevt\Logs\*.evtx in one pass with chain-of-custody metadata), and its Modules run downstream parsers (Eric Zimmerman's EvtxECmd, RECmd, etc.) against the collected data. Designed to run from removable media against a live system, including locked files.

Best for: live-host collection where you need forensically sound copies plus immediate parsing. Not Linux/macOS-friendly. The community config repo (EricZimmerman/KapeFiles) is where you get most of the practical targets.

FTK Imager

The classic free GUI for full-disk imaging (E01, RAW, AFF) and for pulling specific files out of a mounted or live system. Reads locked system files (including the live winevt\Logs\Security.evtx) because it talks to the volume below the file lock. Use it when you need a verifiable disk image, not just artifact copies.

Best for: court-admissible disk images, or pulling a single locked file off a live host. Not a parser — feed the output into KAPE/EvtxECmd or this site.

wevtutil

Microsoft's built-in CLI for the event log. The two commands you'll actually use: wevtutil epl Security C:\out\Security.evtx (export a live channel to a portable file) and wevtutil qe Security /c:100 /rd:true /f:xml (dump records as XML for piping into a parser). Available on every supported Windows version, no install.

Best for: scripted live-host collection where you can't drop binaries on the system. Limited filtering syntax (XPath 1.0 subset) and slow on large channels.

evtx_dump (omerbenamram/evtx)

The Rust parser the EVTX format actually deserved. evtx_dump --json file.evtx emits one JSON document per record; pipe into jq, ripgrep, or your SIEM ingestion path. Multi-threaded, deterministic, handles partial / corrupt chunks gracefully. The same code that powers this site's in-browser parser.

Best for: ingesting many .evtx into a pipeline, or for one-off triage on Linux/macOS. No GUI, no built-in dashboard — bring your own tooling for filtering and pivoting.
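Both wevtutil (via `qe ... /f:xml`) and evtx_dump (one JSON document per record) leave you to bring your own filtering. As an added example that is not code from this site or from either tool's project, here is a small Python normaliser that reads both output shapes into one record form and tallies failed logons (Security Event ID 4625) per target account; the sample records are constructed to mirror the tools' output layout, and the `Qualifiers` form of EventID in the second JSON record is included because it is a common surprise when scripting against evtx_dump output.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace carried by every <Event> element that wevtutil prints.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event_id(system):
    # evtx_dump emits EventID as a bare int, or as {"#attributes": ..., "#text": N}
    # when the record carries Qualifiers; accept both shapes.
    eid = system["EventID"]
    return int(eid["#text"] if isinstance(eid, dict) else eid)

def from_evtx_dump_json(text):
    """Yield normalised records from evtx_dump's one-JSON-document-per-record output."""
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        ev = json.loads(line)["Event"]
        yield {"id": _event_id(ev["System"]),
               "time": ev["System"]["TimeCreated"]["#attributes"]["SystemTime"],
               "computer": ev["System"]["Computer"],
               "data": ev.get("EventData") or {}}  # EventData may be absent or null

def from_wevtutil_xml(text):
    """Yield normalised records from the <Event> elements printed by `wevtutil qe ... /f:xml`."""
    root = ET.fromstring("<Events>" + text + "</Events>")  # wevtutil prints no root element
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield {"id": int(system.findtext("e:EventID", namespaces=NS)),
               "time": system.find("e:TimeCreated", NS).get("SystemTime"),
               "computer": system.findtext("e:Computer", namespaces=NS),
               "data": data}

def failed_logons_by_account(events):
    """Tally Security 4625 (failed logon) records per TargetUserName, whichever tool produced them."""
    return Counter(e["data"].get("TargetUserName", "?") for e in events if e["id"] == 4625)

# Constructed sample output (not captured from a real host); the second JSON record uses the
# Qualifiers form of EventID that some providers produce.
SAMPLE_JSON = "\n".join([
    '{"Event":{"System":{"EventID":4625,"TimeCreated":{"#attributes":{"SystemTime":"2024-01-05T10:00:00Z"}},"Computer":"WS01"},"EventData":{"TargetUserName":"alice","LogonType":3}}}',
    '{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":0},"#text":4625},"TimeCreated":{"#attributes":{"SystemTime":"2024-01-05T10:00:02Z"}},"Computer":"WS01"},"EventData":{"TargetUserName":"alice","LogonType":3}}}',
    '{"Event":{"System":{"EventID":4624,"TimeCreated":{"#attributes":{"SystemTime":"2024-01-05T10:00:05Z"}},"Computer":"WS01"},"EventData":{"TargetUserName":"alice","LogonType":3}}}',
])
SAMPLE_XML = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID>"
    "<TimeCreated SystemTime='2024-01-05T10:01:00Z'/><Computer>WS01</Computer></System>"
    "<EventData><Data Name='TargetUserName'>bob</Data><Data Name='LogonType'>10</Data></EventData></Event>"
)
```

Pipe a real channel through either generator and the same `failed_logons_by_account` call works, so the collection tool can change between engagements without touching the analysis code.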

python-evtx (libyal)

Willi Ballenthin's pure-Python EVTX parser. Slower than evtx_dump, but trivial to embed in a Jupyter notebook and to extend for unusual analyses (custom event-data field extraction, cross-channel correlation). The reference Python implementation for the format spec.

Best for: bespoke analysis in Python. Performance-bound on large datasets — prefer evtx_dump for high-throughput work.

RawCopy

A tiny, portable Windows utility that copies files directly through NTFS internals, bypassing the file lock that prevents normal copy on live event logs. Useful when you only have shell access on a host and can't deploy KAPE or FTK Imager.

Best for: minimum-footprint live-system copies. Windows only; no parsing — feed the output into a real parser.

Event Viewer (built-in)

The MMC snap-in. Fine for clicking through a few records on a live server during a tactical investigation, but slow on million-record channels, awkward to filter, and not an option when your analysis box is an air-gapped Linux/Mac. Useful as the final ground-truth renderer (it knows every provider's message manifest); not useful as an investigation surface.

Best for: confirming a single record's full rendered message text on a live host. Almost any other workflow is faster in another tool.