Difference between pages "Windows XML Event Log (EVTX)" and "VMWare Virtual Disk Format (VMDK)"

From ForensicsWiki

Windows XML Event Log (EVTX)

The Windows XML Event Log (EVTX) format was introduced in [[Windows|Windows Vista]] as a replacement for the [[Windows Event Log (EVT)]] format.

Windows Event Viewer can represent EVTX files in both "formatted view" and "XML view". Note that the formatted view can hide significant event data that is stored in the event and can be seen in the XML view.

== See Also ==

* [[Windows Event Log (EVT)]]
* [[Windows]]

== External Links ==

=== File Format ===

* [http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx EventLog Remoting Protocol Version 6.0 Specification], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/cc231354.aspx Simple BinXml Example], by [[Microsoft]]
* [http://computer.forensikblog.de/mt/mt-search.cgi?IncludeBlogs=3&tag=Evtx&limit=20 int for(ensic){blog;} - results tagged Evtx], by [[Andreas Schuster]]
* [http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf Introducing the Microsoft Vista Event Log File Format], by [[Andreas Schuster]] in 2007
* [http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html Linking Event Messages and Resource DLLs], by [[Andreas Schuster]] in 2010
* [http://code.google.com/p/libevtx/downloads/detail?name=Windows%20XML%20Event%20Log%20%28EVTX%29.pdf Windows XML Event Log (EVTX) format], by the [[libevtx|libevtx project]]

=== Event Identifiers ===

* [http://eventid.net/ EventID.net]

=== Windows Vista/2008 ===

* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]

=== Windows 7 ===

* [http://msdn.microsoft.com/en-us/magazine/ee412263.aspx Core OS Events in Windows 7, Part 1]
* [http://msdn.microsoft.com/en-us/magazine/ee358703.aspx Core Instrumentation Events in Windows 7, Part 2]

== Tools ==

* [http://computer.forensikblog.de/files/evtx/Parse-Evtx-current.zip Evtx Parser]
* [[libevtx]]
* [[log2timeline]]
* [http://technet.microsoft.com/en-us/library/cc749339.aspx wevtutil]
* [http://www.microsoft.com/en-us/download/details.aspx?id=24659 LogParser]

[[Category:File Formats]]

VMWare Virtual Disk Format (VMDK)

Revision as of 10:50, 22 September 2012


Image types

There are multiple types of VMWare Virtual Disk Format (VMDK) data files:

  • 2GbMaxExtentFlat (twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW data extent files (name-f###.vmdk). This image type is basically a split RAW image.
  • 2GbMaxExtentSparse (twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse data extent files (name-s###.vmdk)

Descriptor file

The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files.

Extent file types

There are multiple types of extent files:

  • RAW data file
  • VMDK sparse data file
  • COWD sparse data file
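A small parser for the descriptor file described above, added here as an example and not code from ForensicsWiki or from VMware: it reads the key=value header and the extent lines, records where each extent's data starts within the virtual disk, and checks that the extent type and file names agree with the declared createType, so a twoGbMaxExtentFlat image can be confirmed as a split RAW image before its extents are concatenated. The descriptor text and the evidence-f###.vmdk file names are constructed for the example.

```python
import re
SECTOR = 512  # extent sizes in a descriptor are given in 512-byte sectors
# Extent line: <access> <size in sectors> <type> "<file>" [<offset within extent file>]
_EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+'
                        r'(FLAT|SPARSE|ZERO|VMFS|VMFSSPARSE|VMFSRDM|VMFSRAW)\s+"([^"]*)"(?:\s+\d+)?$')
# Image types named on this page, with the extent type and file-name suffix each one uses
_IMAGE_TYPES = {"twoGbMaxExtentFlat": ("FLAT", "-f"), "twoGbMaxExtentSparse": ("SPARSE", "-s")}

def parse_descriptor(text):
    """Return (header dict, extent list); each extent records its byte offset in the virtual disk."""
    header, extents, pos = {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no layout information
        m = _EXTENT_RE.match(line)
        if m:
            access, sectors, kind, fname = m.groups()
            extents.append({"access": access, "sectors": int(sectors), "type": kind,
                            "file": fname, "disk_offset": pos})
            pos += int(sectors) * SECTOR
        elif "=" in line:
            key, _, value = line.partition("=")
            header[key.strip()] = value.strip().strip('"')
    return header, extents

def disk_size(extents):
    """Total virtual disk size in bytes (the sum of all extents, whatever their type)."""
    return sum(e["sectors"] for e in extents) * SECTOR

def check_layout(header, extents):
    """Report extents whose type or file name does not fit the declared createType."""
    ctype = header.get("createType", "")
    kind, suffix = _IMAGE_TYPES.get(ctype, (None, None))
    problems = []
    for e in extents:
        if kind and e["type"] != kind:
            problems.append(f'{e["file"]}: {e["type"]} extent in a {ctype} image')
        if suffix and not re.search(rf"{suffix}\d{{3}}\.vmdk$", e["file"]):
            problems.append(f'{e["file"]}: expected a name{suffix}###.vmdk extent file')
    return problems

# Constructed sample descriptor for a split RAW image; not taken from a real disk.
SAMPLE = """# Disk DescriptorFile
version=1
createType="twoGbMaxExtentFlat"
RW 4192256 FLAT "evidence-f001.vmdk" 0
RW 4192256 FLAT "evidence-f002.vmdk" 0
RW 2048 FLAT "evidence-f003.vmdk" 0
"""
```

The trailing number on a FLAT extent line is the offset within that extent file, not within the disk, so the parser ignores it; the disk_offset it records is simply the running sum of the preceding extents' sizes.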

External Links

  • Virtual Disk Format 5.0 (http://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf?src=vmdk), by VMWare