Dear All,
Please help me retrieve .evt file from the Windows XP dd image that I have.
I extracted Security file… and it is evident that auditing was enabled…
To determine if auditing was enabled or not I used rip.exe provided by H. Carvey
After this I need to figure out who all tried to access the machine, so specifically I need to extract Logon Events.
Can you not extract the file and use something like Log Parser by Microsoft? I have used it for non-forensic analysis of IIS logs in the past. I am sure it handles Windows logs as well?
Hi paulo,
I don't have the image of the entire hard disk… and I don't see any place where event logs are stored directly as .evt…
If I had .evt files then I would have used some kind of parser to obtain the required results…
Have you checked
%SystemRoot%\System32\Config
%SystemRoot%\System32\
?
Looks like it is a custom image that was then converted to a DD image, and I don't have all the System files…
Will ask the team to resend the image with all the files in System32…
Thanks for the replies…
Copied/pasted from my internal wiki
Carving Event Logs
When you click 'clear all events', Windows does NOT overwrite the space being used by events. Therefore if you can carve out an event log, chances are you can carve out a large contiguous space and let Encase parse it for you.
Search for the GREP expression “\x00\x00\x4C\x66\x4C\x65”
Pick the earliest one in your cluster and manually carve out chunks to files on your hard drive. Load them as single files into Encase and run the parser.
That GREP expression is for the beginning of an event log file, not an event log itself.
Thanks Ivalen… will try the expression
Search for the GREP expression “\x00\x00\x4C\x66\x4C\x65”
… Let me see what i can do with if further
Thanks
Sudha
Dear All,
Thanks for the previous replies… but as of now I have the full image and I was able to successfully extract the SecEvent.evt file from the %system32/config/ folder.
But when I use Log Parser to see its contents I'm not able to… and Log Parser says that the file is corrupt… please help from this point onwards…
Thanks
Sudha
If Encase event log parser doesn't work, I've had success using Event Log Explorer from FSPro Labs;
http//
Thanks darren_q,
The tool is great… it helps a lot… but unfortunately I can't use it for this particular case…
Here in this case, I understand that the Audit logs were enabled… but they were deleted… since I'm not able to see anything from the .evt files.
So how to retrieve those deleted logs now? Please help.
Thanks
Sudha
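Added example (not from the thread or from any of the posters): a small carver that does in Python what the wiki excerpt above describes with Encase, and that addresses the last question about recovering logs after "clear all events". The GREP expression quoted above is two zero bytes followed by the ASCII bytes "LfLe"; that four-byte signature appears in the EVT file header and at the start of every EVENTLOGRECORD, preceded by a 4-byte record length that is repeated as the record's last 4 bytes. The carver scans a raw buffer for "LfLe", checks the leading and trailing lengths agree, decodes the fixed fields, and filters for the Windows XP Security-log logon event IDs (528, 529, 540). The record layout, event-type values and logon IDs are from Microsoft's documentation; the sample "image", hostnames, usernames and timestamps are constructed here and the file header in it is dropped automatically because its size is below the record minimum.

```python
import struct
from datetime import datetime, timezone

SIG = b"LfLe"                                      # signature in the file header and every record
RECORD_HDR = struct.Struct("<I4sIIIIHHHHIIIIII")   # 56-byte fixed part of EVENTLOGRECORD
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}
XP_LOGON_EVENT_IDS = {528, 529, 540}               # XP Security log: logon OK, logon failed, network logon


def _utf16z(s):
    return (s + "\0").encode("utf-16-le")


def _read_utf16z(data, off, limit):
    """Read a null-terminated UTF-16LE string starting at off, never reading past limit."""
    end = off
    while end + 1 < limit and data[end:end + 2] != b"\0\0":
        end += 2
    return data[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(data, start):
    """Decode the EVENTLOGRECORD at start; return None unless it passes the sanity checks."""
    if start < 0 or start + RECORD_HDR.size > len(data):
        return None
    (length, sig, rec_no, t_gen, _t_wri, event_id, ev_type, n_str, category,
     _flags, _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = RECORD_HDR.unpack_from(data, start)
    # The 48-byte file header also begins <size>LfLe; it is below the record minimum and dropped here.
    if sig != SIG or length < RECORD_HDR.size + 4 or length > 0x10000 or start + length > len(data):
        return None
    # A genuine record repeats its length in its last 4 bytes; a truncated or overwritten one usually does not.
    if struct.unpack_from("<I", data, start + length - 4)[0] != length:
        return None
    if ev_type not in EVENT_TYPES or n_str > 256 or not RECORD_HDR.size <= str_off <= length - 4:
        return None
    limit = start + length - 4
    source, off = _read_utf16z(data, start + RECORD_HDR.size, limit)
    computer, _ = _read_utf16z(data, off, limit)
    strings, off = [], start + str_off
    for _ in range(n_str):
        s, off = _read_utf16z(data, off, limit)
        strings.append(s)
    return {
        "offset": start, "length": length, "record_number": rec_no, "time_generated": t_gen,
        "time_generated_utc": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,             # low word is the ID Event Viewer displays
        "event_type": EVENT_TYPES[ev_type], "category": category,
        "source": source, "computer": computer, "strings": strings,
    }


def carve_evt_records(data):
    """Scan a raw image (allocated and unallocated space alike) for records that validate."""
    records, pos = [], data.find(SIG)
    while pos != -1:
        rec = parse_record(data, pos - 4)          # the 4-byte length precedes the signature
        if rec:
            records.append(rec)
            pos = data.find(SIG, rec["offset"] + rec["length"])
        else:
            pos = data.find(SIG, pos + 4)
    return records


def logon_events(records):
    return [r for r in records if r["source"] == "Security" and r["event_id"] in XP_LOGON_EVENT_IDS]


def build_record(rec_no, event_id, ev_type, ts, source, computer, strings):
    """Build one well-formed record; used here only to construct the sample data."""
    names = _utf16z(source) + _utf16z(computer)
    strs = b"".join(_utf16z(s) for s in strings)
    payload = names + strs
    payload += b"\0" * ((-len(payload)) % 4)       # records are padded to a 4-byte multiple
    length = RECORD_HDR.size + len(payload) + 4
    str_off = RECORD_HDR.size + len(names)
    data_off = str_off + len(strs)
    header = RECORD_HDR.pack(length, SIG, rec_no, ts, ts, event_id, ev_type, len(strings), 0, 0,
                             0, str_off, 0, data_off, 0, data_off)
    return header + payload + struct.pack("<I", length)


# Constructed sample "image": file header, junk, three intact records and one truncated record.
TS = 1150000000  # 2006-06-11 04:26:40 UTC, arbitrary
FILE_HEADER = struct.pack("<I4sIIIIIIIIII", 0x30, SIG, 1, 1, 0x30, 0, 0, 0, 0, 0, 0, 0x30)
SAMPLE_IMAGE = (
    FILE_HEADER + b"\xff" * 37
    + build_record(101, 528, 8, TS, "Security", "XP-WKS01", ["jdoe", "XP-WKS01", "(0x0,0x3E7)", "2"])
    + b"\x00" * 13
    + build_record(102, 529, 16, TS + 30, "Security", "XP-WKS01", ["baduser", "XP-WKS01", "2"])[:-20]
    + b"\xab" * 7
    + build_record(103, 540, 8, TS + 60, "Security", "XP-WKS01", ["svc_backup", "XP-WKS01", "3"])
    + build_record(104, 592, 8, TS + 90, "Security", "XP-WKS01", ["C:\\WINDOWS\\notepad.exe"])
    + b"\x00" * 21
)

if __name__ == "__main__":
    for r in logon_events(carve_evt_records(SAMPLE_IMAGE)):
        print(f'{r["time_generated_utc"]}  id={r["event_id"]}  {r["event_type"]}  {r["strings"][0]}')
```

To run this over a real dd image, read the file (or mmap it) and pass the bytes to carve_evt_records; because clearing the log does not wipe the old records, scanning the whole image rather than just the extracted SecEvent.evt is what recovers entries that Log Parser or Event Log Explorer no longer see. The trailing-length check is what keeps partially overwritten records out of the result, which is why the truncated 529 record in the sample is dropped.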