
Talk:Windows Event Log (EVT)

From ForensicsWiki
Revision as of 20:21, 15 March 2006 by ASchuster (Talk | contribs)


ASchuster: Can you provide the source of your information on the header, cursor, retention, etc? If MSDN has this information, a link to it should be included in this page.

This information was obtained through extensive testing. As far as I know the only information available on MSDN is the declaration of the event record. --ASchuster

Well then thank you for your efforts. I've just been ignoring the header/cursor as an invalid EVENTLOGRECORD and reading all of the rest of the records out. --MKucenski

Does your tool parse a split event record properly? Think of a record in a wrapped log file that starts at the (physical) end and continues near the top (right after the header). There might even be some padding in between the two fragments. --ASchuster
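The split-record case described above, as an added example that is not part of this page and not code from either poster's tool. It builds a constructed EVT-style file in memory (records 3 and 4 intact, record 5 starting a few bytes before the physical end and continuing after the 48-byte header, a zero-filled gap of `pad` bytes before the continuation, records 1 and 2 already overwritten) and walks it logically from StartOffset, reassembling the fragment that crosses the physical end. The structure layouts are the MSDN declarations of EVENTLOGRECORD, ELF_LOGFILE_HEADER and ELF_EOF_RECORD; everything else is an assumption made for the example: that any padding between the two fragments is a multiple of 4 bytes and at most `MAX_PAD` long, that the trailing Length field matching the leading one is what validates a reassembly, the flag value 0x2 for a wrapped log, the sample timestamps, and the function names `build_wrapped_file`, `read_record` and `iter_records`.

```python
import struct

HEADER_SIZE = 0x30                 # ELF_LOGFILE_HEADER is 48 bytes
LOG_SIG = b"LfLe"                  # signature shared by the header and every record
HEADER_FMT = "<I4sIIIIIIIIII"      # HeaderSize, Signature, MajorVersion, MinorVersion, StartOffset,
                                   # EndOffset, CurrentRecordNumber, OldestRecordNumber, MaxSize,
                                   # Flags, Retention, EndHeaderSize
RECORD_FMT = "<I4sIIIIHHHHIIIIII"  # fixed part of EVENTLOGRECORD (56 bytes)
RECORD_FIXED = struct.calcsize(RECORD_FMT)
EOF_FMT = "<IIIIIIIIII"            # ELF_EOF_RECORD (40 bytes)
MAX_PAD = 64                       # assumption: padding before a continuation is at most this


def wstr(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def read_wstr(raw, pos):
    end = pos
    while end + 2 <= len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[pos:end].decode("utf-16-le"), end + 2


def build_record(recnum, source, computer, strings, event_id):
    """Constructed EVENTLOGRECORD with no SID and no binary data; timestamps are arbitrary."""
    body = wstr(source) + wstr(computer)
    str_off = RECORD_FIXED + len(body)
    body += b"".join(wstr(s) for s in strings)
    body += b"\x00" * (-len(body) % 4)           # DWORD-align before the trailing Length
    length = RECORD_FIXED + len(body) + 4
    fixed = struct.pack(RECORD_FMT, length, LOG_SIG, recnum, 0x44000000, 0x44000000, event_id,
                        4, len(strings), 0, 0, 0, str_off, 0, length - 4, 0, length - 4)
    return fixed + body + struct.pack("<I", length)


def read_logical(buf, pos, n, pad):
    """Read n bytes from pos; past the physical end, continue at HEADER_SIZE + pad."""
    avail = len(buf) - pos
    if n <= avail:
        return buf[pos:pos + n], pos + n
    cont = HEADER_SIZE + pad
    return buf[pos:] + buf[cont:cont + n - avail], cont + n - avail


def read_record(buf, pos):
    """Return (raw_record, next_pos, pad). Padding sizes are tried until the trailing
    Length equals the leading one; that check (an assumption) validates the reassembly."""
    for pad in range(0, MAX_PAD + 1, 4):
        head, _ = read_logical(buf, pos, 8, pad)
        if len(head) < 8:
            continue
        length, sig = struct.unpack("<I4s", head)
        if sig != LOG_SIG or length < RECORD_FIXED + 4 or length > len(buf) - HEADER_SIZE:
            continue
        raw, nxt = read_logical(buf, pos, length, pad)
        if len(raw) == length and struct.unpack_from("<I", raw, length - 4)[0] == length:
            return raw, nxt, pad
    raise ValueError(f"no valid record at offset {pos:#x}")


def parse_header(buf):
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[0] != HEADER_SIZE or f[1] != LOG_SIG:
        raise ValueError("not an EVT header")
    return {"start": f[4], "end": f[5], "current": f[6], "oldest": f[7], "flags": f[9]}


def parse_record(raw):
    f = struct.unpack_from(RECORD_FMT, raw, 0)
    source, p = read_wstr(raw, RECORD_FIXED)
    computer, _ = read_wstr(raw, p)
    strings, p = [], f[11]                        # f[11] = StringOffset, f[7] = NumStrings
    for _ in range(f[7]):
        s, p = read_wstr(raw, p)
        strings.append(s)
    return {"record_number": f[2], "event_id": f[5] & 0xFFFF,
            "source": source, "computer": computer, "strings": strings}


def iter_records(buf):
    """Walk from StartOffset (oldest record) towards the EOF record, wrapping as needed."""
    hdr = parse_header(buf)
    pos = hdr["start"]
    for _ in range(hdr["current"] - hdr["oldest"]):  # live record count per the header
        if pos == hdr["end"]:
            break
        raw, nxt, pad = read_record(buf, pos)
        rec = parse_record(raw)
        rec["split"], rec["pad"] = nxt < pos, pad     # continuation landed above the start
        yield rec
        pos = nxt


def build_wrapped_file(split=20, pad=8, oldest_at=0x100):
    """Constructed sample: record 5 keeps `split` bytes at the physical end and continues
    `pad` zero bytes after the header; the old area of records 1 and 2 is zero-filled."""
    recs = {n: build_record(n, "Security", "WS01", [f"logon {n}"], 4624) for n in (3, 4, 5)}
    tail = recs[5][split:]
    max_size = oldest_at + len(recs[3]) + len(recs[4]) + split
    eof_at = HEADER_SIZE + pad + len(tail)
    eof = struct.pack(EOF_FMT, 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      oldest_at, eof_at, 6, 3, 0x28)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LOG_SIG, 1, 1, oldest_at, eof_at,
                         6, 3, max_size, 0x2, 0, HEADER_SIZE)   # 0x2: assumed wrap flag
    buf = bytearray(max_size)
    buf[0:HEADER_SIZE] = header
    buf[HEADER_SIZE + pad:eof_at] = tail
    buf[eof_at:eof_at + len(eof)] = eof
    buf[oldest_at:] = recs[3] + recs[4] + recs[5][:split]
    return bytes(buf)


if __name__ == "__main__":
    for rec in iter_records(build_wrapped_file()):
        print(rec)
```

A reader that only scans for "LfLe" signatures sees record 5's leading fragment but cannot take `Length` bytes from there without running off the physical end; following StartOffset and wrapping at the header is what recovers it. Try `build_wrapped_file(split=2)` to see the case where even the 8-byte record header is cut in two.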

WikiMarkup for tables?

Is it possible to typeset tables in MediaWiki? I'm only used to DokuWiki and didn't find any information in the help. --ASchuster