Corrupted Event Logs

markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

I have found a way to recover event logs that one way or another become corrupted.

What I wanted to do was export a SecEvent.evt log from my suspect image and open it with the Event Viewer (EV) on another machine. When I tried to open it in EV, it kept telling me that it couldn't do it because the log was corrupted. After searching the net, I found instructions on how to fix the error in the log. But the instructions told me that the first step was to use a hex editor and do a search for /x11/x11/x11/x11/x22/x22/x22/x22. But my log did not have this particular string, so I was left with no other answers. But the last step in the instructions was to use the editor and go to offset 36 and replace this value with an eight. I did this for giggles, and guess what…it worked. The log was no longer corrupted and was able to be opened with EV. I tried this on two other corrupt Event Logs and I was successful both times.

Depending on your circumstances this could be a good fix, but that depends on how badly you want to alter a file to produce results. I work in the corporate environment, so this was not an issue with me.

 
Posted : 03/09/2005 12:24 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Thanks for the tip. Worked like a charm on the two files I tested…

Question for the seasoned analysts in regard to litigation. Granted you don't want to modify any evidence at all…. As the changes are minimal, if the process is documented and the reasons behind the change explained, could this method be acceptable?

Andrew-

 
Posted : 03/09/2005 5:35 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've posted about parsing an Event Log file in binary mode (i.e., NOT via the MS API). I presented on this at the GMU2005 Conference.

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=390

I've sent a copy of the Perl script I use to do so to anyone who's asked. Using the script, I don't see why you'd need to make any modifications to the .evt file in order to open it in the Event Viewer. All of the information you will get can be retrieved via other means, without modifying the contents of the file.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 04/09/2005 3:16 pm
markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

Of course using the EnCase script to parse the event logs would be the logical choice here, but I wanted to view the log with EV because of the variety of options you have in exporting the data. Does EnCase give you the same abilities to export the data, such as in Excel or Access format?

 
Posted : 08/09/2005 2:10 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Of course using the EnCase script to parse the event logs would be the logical choice here…

Perhaps not. The Event Viewer is complaining because of an error returned by the MS API for opening and parsing the Event Logs. Any other tool that uses the same API (which includes most forensic analysis tools that run on Windows) will make the same complaints.

Parsing even a corrupted Event Log file at the binary level would be the way to go, as it requires no modification to the file whatsoever.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/09/2005 3:36 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Good point, Harlan, but the question that keeps coming to mind when I think about this is:

Why, in the case of a corrupt .evt file, could you not change one byte in order to facilitate its viewing (in its native application)? The original HDD would theoretically be stored away and not modified. The same can be said of the file the image was pulled from…essentially the original is intact.

If you document the procedures would it not be acceptable?

Of course I can see the argument being, if this is alright for an event viewer file then where do you draw the line, but at times can it not be done (slight modification when files are corrupt) when you've documented and explained the how's and why's?

Andrew-

 
Posted : 08/09/2005 6:10 pm
markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

I see your point. I took a look at the presentations that you posted…some very good information. Thanks for the info.

 
Posted : 08/09/2005 6:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

andy1500mac,

Why in the case of a corrupt .evt file could you not change one byte in order to facilitate its viewing (in its native application)?

Because you don't need to.

You're right…documenting your procedures, and maintaining the original evidence in pristine form, should be acceptable. I'm not saying that it isn't.

What I am offering is a methodology for retrieving the same information from a corrupted Event Log file, without altering the data in any way. In fact, this methodology reduces the overall interaction with the data, as the MS API is not used in any way.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 09/09/2005 2:39 am
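To make the two positions in this thread concrete, here is an added example (not the Perl script mentioned above, nor anything from EnCase or Microsoft): a Python reader for the classic .evt format that decodes the 48-byte file header, including the flags DWORD at offset 36 that the one-byte fix overwrites, and then walks the records directly from the bytes, so the dirty flag is reported but never blocks anything. The field layout follows the documented ELF_LOGFILE_HEADER and EVENTLOGRECORD structures; the two-record Security log, its hostname and its user names are constructed inline for the demonstration.

```python
import struct
from datetime import datetime, timezone

HDR = "<I4sIIIIIIIIII"      # 48-byte ELF_LOGFILE_HEADER; field 9 (flags) is the DWORD at offset 36
REC = "<I4sIIIIHHHHIIIIII"  # 56-byte fixed part of EVENTLOGRECORD, followed by source and computer names
DIRTY, ARCHIVE = 0x1, 0x8   # header flag bits: writing 8 at offset 36 sets ARCHIVE and clears DIRTY
EOF_MARKER = struct.pack("<IIII", 0x11111111, 0x22222222, 0x33333333, 0x44444444)  # tag of the EOF record

def parse_header(buf):
    f = struct.unpack_from(HDR, buf, 0)
    assert f[0] == 0x30 and f[1] == b"LfLe", "not an .evt header"
    return {"start": f[4], "end": f[5], "flags": f[9], "dirty": bool(f[9] & DIRTY)}

def utf16z(buf, pos):  # NUL-terminated UTF-16LE string -> (text, position after the terminator)
    end = next(i for i in range(pos, len(buf), 2) if buf[i:i + 2] == b"\x00\x00")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_records(buf):  # walk records up to the EOF record; the dirty flag is read, never acted on
    pos, out = parse_header(buf)["start"], []
    while pos + 56 <= len(buf) and buf[pos + 4:pos + 20] != EOF_MARKER:
        f = struct.unpack_from(REC, buf, pos)
        if f[1] != b"LfLe" or f[0] < 56:
            raise ValueError(f"bad record at offset {pos:#x}")
        source, p = utf16z(buf, pos + 56)
        computer, _ = utf16z(buf, p)
        strings, p = [], pos + f[11]
        for _ in range(f[7]):
            s, p = utf16z(buf, p)
            strings.append(s)
        out.append({"record": f[2], "time": datetime.fromtimestamp(f[3], timezone.utc).isoformat(),
                    "event_id": f[5] & 0xFFFF, "type": f[6], "source": source, "computer": computer, "strings": strings})
        pos += f[0]
    return out

def build_record(recno, ts, event_id, etype, source, computer, strings):  # assembles one constructed record
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    strs = "".join(s + "\0" for s in strings).encode("utf-16-le")
    body = names + strs
    length, soff = 60 + len(body), 56 + len(names)  # 56 fixed bytes + body + trailing 4-byte length
    fixed = struct.pack(REC, length, b"LfLe", recno, ts, ts, event_id, etype, len(strings), 0, 0, 0,
                        soff, 0, soff + len(strs), 0, soff + len(strs))
    return fixed + body + struct.pack("<I", length)

def sample_evt(dirty=True):  # constructed two-record Security log; header marked dirty as after an unclean shutdown
    recs = build_record(1, 1125964800, 528, 8, "Security", "WKSTN01", ["alice", "WKSTN01", "2"])
    recs += build_record(2, 1125964860, 529, 16, "Security", "WKSTN01", ["bob", "WKSTN01"])
    end = 0x30 + len(recs)
    eof = struct.pack("<I", 0x28) + EOF_MARKER + struct.pack("<IIIII", 0x30, end, 3, 1, 0x28)
    hdr = struct.pack(HDR, 0x30, b"LfLe", 1, 1, 0x30, end, 3, 1, 0x80000, DIRTY if dirty else ARCHIVE, 0, 0x30)
    return hdr + recs + eof
```

Running `parse_records` over the dirty and the "fixed" copy of the same log yields identical records, which is the point: nothing in the record walk depends on the flags word, so the original file can stay untouched.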