
Talk:Windows Event Log (EVT)

From ForensicsWiki

Latest revision as of 09:04, 21 July 2012

ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As far as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might even be some padding in between the two fragments. --ASchuster

The tool I am currently using is fairly primitive. I am basically searching the file for 'LfLe', reading the record out, then searching for the next 'LfLe'. Is it even possible to split a record? I have not seen that situation, but also have not been looking for it. It seems like this would cause havoc, especially for things like the data and string offsets within the record that are relative to the start of the record. --Mkucenski 15:31, 15 March 2006 (EST)

Yes, it is possible to split event records (not the header and not the cursor though). And no, this should not cause havoc, at least not to a forensically sound parser. --ASchuster
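The split-record case discussed in the exchange above, as an added example (this is not code from ForensicsWiki or from either poster's tool): a small Python reader that walks a wrapped EVT file from the oldest record to the cursor, reassembling a record whose first fragment sits at the physical end of the file and whose remainder follows the 48-byte header, so that the string and data offsets inside the record (which are relative to the record start) are valid again once the two fragments are joined. The layout constants (the 48-byte file header, the 56-byte fixed part of EVENTLOGRECORD, the 0x11111111 marker of the cursor record, the "LfLe" signature) are the documented format; the sample log, the 8-byte gap used to simulate padding between the fragments, the cut point of 40 bytes, and the assumptions that a record's Length and "LfLe" fields always fall in the first fragment and that any padding is a multiple of 4 bytes are this example's own.

```python
"""Reader for the NT/2000/XP/2003 .evt format that walks a wrapped log and reassembles
a record split across the physical end of the file. Added example, not the wiki's or
either poster's code. Assumptions not stated on the page: a record's Length and "LfLe"
always lie in the first fragment, and padding between fragments is a multiple of 4."""
import struct

HEADER_SIZE = 0x30                   # file header size; a split record continues here
SIGNATURE = b"LfLe"                  # header and EVENTLOGRECORD signature
CURSOR_MARK = b"\x11\x11\x11\x11"    # first magic DWORD of the end-of-file ("cursor") record
HEADER_FMT = "<I4sIIIIIIIIII"        # 48-byte file header
RECORD_FMT = "<I4sIIIIHHHHIIIIII"    # 56-byte fixed part of EVENTLOGRECORD (MSDN layout)
RECORD_FIXED = struct.calcsize(RECORD_FMT)

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def parse_header(buf):
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[0] != HEADER_SIZE or f[1] != SIGNATURE or f[11] != HEADER_SIZE:
        raise ValueError("not an EVT file header")
    return {"start_offset": f[4], "end_offset": f[5], "current_record": f[6],
            "oldest_record": f[7], "max_size": f[8], "flags": f[9], "retention": f[10]}

def read_wstr(buf, pos):
    """NUL-terminated UTF-16LE string at pos -> (text, offset past the terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def assemble_record(buf, start):
    """Return (record bytes, next offset); a record running past EOF continues at HEADER_SIZE."""
    length = u32(buf, start)
    if start + length <= len(buf):                       # contiguous record
        return buf[start:start + length], start + length
    frag1 = buf[start:]                                  # up to physical EOF (may end in padding)
    # The continuation ends where the trailing copy of Length appears; scanning for it in
    # 4-byte steps also skips padding that was left between the two fragments.
    for tail_len in range(max(length - len(frag1), 4), length - 7, 4):
        end = HEADER_SIZE + tail_len
        if u32(buf, end - 4) == length:
            return frag1[:length - tail_len] + buf[HEADER_SIZE:end], end
    raise ValueError(f"cannot reassemble wrapped record at 0x{start:x}")

def parse_record(rec):
    f = struct.unpack_from(RECORD_FMT, rec, 0)
    length, sig, number, t_gen, t_written, event_id, ev_type, n_strings, category = f[:9]
    string_off, sid_len, sid_off, data_len, data_off = f[11:16]
    if sig != SIGNATURE or len(rec) != length or u32(rec, length - 4) != length:
        raise ValueError("corrupt event record")
    source, pos = read_wstr(rec, RECORD_FIXED)           # SourceName, then ComputerName
    computer, _ = read_wstr(rec, pos)
    strings, pos = [], string_off
    for _ in range(n_strings):
        s, pos = read_wstr(rec, pos)
        strings.append(s)
    return {"number": number, "time_generated": t_gen, "time_written": t_written,
            "event_id": event_id, "event_type": ev_type, "category": category,
            "source": source, "computer": computer, "strings": strings,
            "sid": rec[sid_off:sid_off + sid_len], "data": rec[data_off:data_off + data_len]}

def iter_records(buf):
    """Yield records in logical order: oldest first, wrapping past EOF, until the cursor."""
    hdr = parse_header(buf)
    off = hdr["start_offset"]
    for _ in range(hdr["current_record"] - hdr["oldest_record"] + 1):   # hard upper bound
        if off + 8 > len(buf):                           # not even a record head fits here
            off = HEADER_SIZE
        if buf[off + 4:off + 8] == CURSOR_MARK:          # end-of-file record reached
            return
        if buf[off + 4:off + 8] != SIGNATURE:
            raise ValueError(f"expected LfLe at 0x{off:x}")
        rec, off = assemble_record(buf, off)
        yield parse_record(rec)
        if off >= len(buf):
            off = HEADER_SIZE

# --- constructed sample data, not a real log ------------------------------------------
def build_record(number, event_id, source, computer, strings):
    """EVENTLOGRECORD with no SID and no binary data, DWORD-aligned like Windows writes it."""
    names = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    blob = b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    string_off = RECORD_FIXED + len(names)
    data_off = string_off + len(blob)
    pad = (-(data_off + 4)) % 4
    length = data_off + 4 + pad
    fixed = struct.pack(RECORD_FMT, length, SIGNATURE, number, 1234, 1234, event_id, 4,
                        len(strings), 0, 0, 0, string_off, 0, string_off, 0, data_off)
    return fixed + names + blob + b"\0" * pad + struct.pack("<I", length)

def build_wrapped_log(gap=b""):
    """Wrapped log: record 2 is split at EOF and continues at HEADER_SIZE, with `gap`
    bytes of (constructed) padding between the two fragments."""
    r1 = build_record(1, 1000, "Svc", "HOST", ["first"])
    r2 = build_record(2, 1001, "Svc", "HOST", ["second, the one that wraps"])
    r3 = build_record(3, 1002, "Svc", "HOST", ["third"])
    head, tail = r2[:40], r2[40:]                        # split record 2 after 40 bytes
    cursor_off = HEADER_SIZE + len(tail) + len(r3)
    r1_off = cursor_off + 40 + 64                        # cursor, then 64 bytes unused space
    size = r1_off + len(r1) + len(head) + len(gap)
    cursor = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                         r1_off, cursor_off, 4, 1, 0x28)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, SIGNATURE, 1, 1, r1_off, cursor_off, 4, 1,
                         size, 0x2, 0, HEADER_SIZE)       # flags 0x2: the log has wrapped
    return header + tail + r3 + cursor + b"\0" * 64 + r1 + head + gap

if __name__ == "__main__":
    for r in iter_records(build_wrapped_log(gap=b"\0" * 8)):
        print(r["number"], r["source"], r["computer"], r["event_id"], r["strings"])
```

The point of `assemble_record` is the one raised above: a parser that simply searches for the next "LfLe" and reads `Length` bytes from there would run off the end of the file for the split record, and one that blindly takes `Length - len(fragment 1)` bytes from offset 0x30 is thrown off as soon as there is padding before the physical end. Checking for the trailing copy of `Length` is what makes the join verifiable; the same check (leading and trailing `Length` agree, "LfLe" present) is also how `parse_record` rejects a record that was joined wrongly. The walk deliberately starts at the header's start offset rather than at the first "LfLe" in the file, so records come out in logical rather than physical order and the cursor record is recognised instead of being treated as a broken EVENTLOGRECORD.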

WikiMarkup for tables?

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster