Hi all. This question might sound dumb to some but I'm gonna ask anyway! I am interested in finding out the last shutdown time and other events and figured looking at the Windows Event log would be the best way to go about it. I use EnCase 6 and have figured out indeed where the .evt files are at (WINDOWS\system32\config\).
My big problem is that there is no way I can get them to open with my own Windows' (the one on which EnCase is running) Event Viewer. Every time I double click on any of those .evt files I get "file internally viewed". I tried adding the "eventvwr" as an external file viewer but could not locate the corresponding .exe file for that viewer. Any suggestion? Thanks.
You also may want to try
Yeah…don't use EnCase for this. Extract the files and use another tool. I use Perl scripts that I've written for just this kind of thing, due in part to the fact that sometimes the local system's Event Viewer will report the imported EVT file as being "corrupt" when it really isn't.
There are other freeware tools available, some for Windows, some for Linux…I mention some for Windows in WFA 2/e.
Also, you can check the Registry for the last shutdown time…
Thanks for the responses bithead and keydet89. I would explore both but there is still a missing link I think. I am still confused how I am supposed to "extract" the evt files from the EnCase evidence that I have acquired. It is because I didn't know anything about "extracting" files and saving them outside, I kept juggling between double-clicking inside EnCase and trying to add external file viewer. Any suggestion for extracting? I know this question sounds like I still don't know the basics of EnCase (
You're right about that. Copy/Unerase.
However, I am one to strongly recommend that analysts shift their focus from the tool (EnCase) to the process.
When I have an image and all I want to do is copy some files out, I don't muck about with a dongle and EnCase…it's much simpler to use FTK Imager (even Lite) to just open the image and get what you need. In some cases, I do some preprocessing with ProDiscover, so I can copy files out that way, too.
I think there is an EnScript that processes .evt logs.
Also as far as the copy/unerase goes, you have to be careful with what software you do this, since this operation requires correct interpretation of the file system. In some cases, different software packages will produce different results.
One example is registry files (and also event logs) under NTFS. You might find that in some cases (heavily used system) the hash values will differ from tool to tool. In this example it would be due to the fast file initialization feature of NTFS/Windows (initialized size).
Also if there is compression or encryption the process that keydet89 proposed might not work. For that you would have to use the full-strength tools (EnCase/ FTK/..).
How do you mean? Where have you seen compression or encryption used, in such a way that opening the image and using Copy/Unerase to extract the EVT files would not allow those files to be extracted into their native format?
I normally use Event Log XP to view them.
Also, check out the following page for information on how to fix the "corrupted" event logs
http://128.175.24.251/forensics/repaireventlogfile.htm
I believe Lance Mueller made an EnScript which did this in bulk too.
Kind Regards
There is an automated CLI tool to fix the event logs here http//
I've used it a lot before and haven't had a problem with it. You could also use it as part of a batch file to do multiple logs at once.
Minesh and ddewildt,
I honestly don't know why you think that the Event Logs are "corrupt", just because Event Viewer says so…the fact is, they aren't! Just parse them with a tool that doesn't use the MS API. In fact, due to the nature of the EVT files and how they're managed, I've found entire "hidden" event records doing this…
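A scanner along the lines keydet89 describes, added here as an example and not code posted by anyone in this thread: it parses EVT records by walking the file for the "LfLe" record signature rather than going through the Event Log API, so a header left flagged dirty (what makes Event Viewer call the file corrupt) neither blocks parsing nor hides records written past the header's EndOffset. The record builder and sample log are constructed for the demo, and event ID 6006 (Event Log service stopped) stands in for the last clean shutdown asked about at the top of the thread.

```python
import struct
from datetime import datetime, timezone

# Pre-Vista EVT layout (EVENTLOGRECORD): 56-byte fixed header, UTF-16 SourceName and
# Computername, SID/strings/data, then a trailing copy of Length. Every record, and
# the 48-byte file header, carries the "LfLe" signature at offset 4.
REC_FMT, HDR_FMT, LFLE = "<I4sIIIIHHHHIIIIII", "<I4s" + "I" * 10, b"LfLe"
REC_SIZE = struct.calcsize(REC_FMT)   # 56
DIRTY = 0x0001                        # ELF_LOGFILE_HEADER_DIRTY in the header Flags field

def build_record(num, ts, event_id, source="EventLog", computer="HOST"):
    """Constructed record with no strings, SID or data (enough to exercise the carver)."""
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    length = REC_SIZE + len(body) + 4
    length += (-length) % 4           # records are DWORD-aligned
    fixed = struct.pack(REC_FMT, length, LFLE, num, ts, ts, event_id, 4, 0, 0, 0,
                        0, REC_SIZE + len(body), 0, 0, 0, 0)
    out = fixed + body
    return out + b"\0" * (length - len(out) - 4) + struct.pack("<I", length)

def carve_records(data):
    """Scan for LfLe signatures instead of trusting the header's start/end offsets."""
    recs, i = [], data.find(LFLE)
    while i != -1:
        start = i - 4
        if start >= 0:
            (length,) = struct.unpack_from("<I", data, start)
            if (REC_SIZE <= length <= len(data) - start and
                    struct.unpack_from("<I", data, start + length - 4)[0] == length):
                f = struct.unpack_from(REC_FMT, data, start)
                recs.append({"num": f[2], "offset": start, "event_id": f[5] & 0xFFFF,
                             "time": datetime.fromtimestamp(f[3], timezone.utc)})
        i = data.find(LFLE, i + 4)
    return recs

def header_is_dirty(data):
    return bool(struct.unpack_from(HDR_FMT, data, 0)[9] & DIRTY)

def last_shutdown(recs):
    """System log event ID 6006 = 'The Event log service was stopped' (clean shutdown)."""
    stops = [r["time"] for r in recs if r["event_id"] == 6006]
    return max(stops) if stops else None

# Constructed sample: header still flagged dirty (never rewritten at shutdown, which is
# what makes Event Viewer call the file corrupt) and EndOffset stops before record 3.
T0 = 1200000000
R1, R2, R3 = build_record(1, T0, 6005), build_record(2, T0 + 3600, 6006), build_record(3, T0 + 7200, 6006)
HEADER = struct.pack(HDR_FMT, 48, LFLE, 1, 1, 48, 48 + len(R1) + len(R2), 3, 1, 65536, DIRTY, 0, 48)
SAMPLE_EVT = HEADER + R1 + R2 + R3 + b"\0" * 64
print(last_shutdown(carve_records(SAMPLE_EVT)), header_is_dirty(SAMPLE_EVT))
```

Point it at an EVT copied out of the image (e.g. via FTK Imager, as suggested above) and it will list every record it can validate, including the ones the API-based viewer never reaches.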