Difference between revisions of "Talk:Windows Event Log (EVT)"

From Forensics Wiki
Jump to: navigation, search
 
(One intermediate revision by one user not shown)
Line 8: Line 8:
  
 
The tool I am currently using is fairly primitive.  I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'.  Is it even possible to split a record?  I have not seen that situation, but also have not been looking for it.  It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record. --[[User:Mkucenski|Mkucenski]] 15:31, 15 March 2006 (EST)
 
The tool I am currently using is fairly primitive.  I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'.  Is it even possible to split a record?  I have not seen that situation, but also have not been looking for it.  It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record. --[[User:Mkucenski|Mkucenski]] 15:31, 15 March 2006 (EST)
 +
 +
Yes, it is possible to split event records (not the header and not the cursor though). And no, this should not cause havoc, at least not to a forensically sound parser. --ASchuster
  
 
== WikiMarkup for tables? ==
 
== WikiMarkup for tables? ==
  
 
Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster
 
Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster

Latest revision as of 04:04, 21 July 2012

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As fas as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might be even some padding in between of the two fragments. --ASchuster

The tool I am currently using is fairly primitive. I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'. Is it even possible to split a record? I have not seen that situation, but also have not been looking for it. It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record. --Mkucenski 15:31, 15 March 2006 (EST)

Yes, it is possible to split event records (not the header and not the cursor though). And no, this should not cause havoc, at least not to a forensically sound parser. --ASchuster

WikiMarkup for tables?

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster