You could try evtparse.pl on a DD of the image (I haven't done it myself, but you may wish to try it)
I don't think that it is working… It is capturing some data as follows:
1257335212|imagename.001 - EVT|machinenameD|N/A|.NET Runtime Optimization Service/1102;;.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled Microsoft.SqlServer.DTSRuntimeWrap, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91,Microsoft.SqlServer.DTSRuntimeWrap, Version=9.0.242.0, Culture=neutral, PublicKeyToken=8dsf5dcd8080cc91
Please help me out of this tricky spot… I have even tried the pattern suggested earlier… I get quite a lot of hits, but don't know what to do after that…
Thanks
Sudha
Not sure what type of forensic investigation this is, but there should be a point where we ask the question, Do I have the skills to handle this case?
(In reality, that checkpoint is before we even start the investigation: planning the team.)
If this case was assigned to you by your management, you risk frustrating them with the length of time it's taking to complete the case. How about getting professional assistance?
The investigation objective is simple and is as follows:
Find the last logged-in person and the time, or find the failed attempts at logging in.
Yes, I was not trained for this activity, but most of the things I have learnt on my own, either reading from books or from the internet (I was able to provide all the evidence required to solve the previous cases).
I have read from books that it is possible to retrieve any deleted/cleared data… please tell me if there is a way… if there is no way to retrieve deleted logs then I'm going to say what I have to. Thanks for your advice!!! 😯
And finally, this job can't be outsourced because this is my role… I'm an Information Security Engineer…
Thanks
Sudha
Sudha,
Do you have a physical image of the HDD?
Keep in mind there is no certainty you will get any deleted files back "in tact", so to speak.
"I have read from books that it is possible to retrive any deleted/cleared data"
Not always true.
I don't have the actual hard disk.
paulo111 wrote:
Keep in mind there is no certainty you will get any deleted files back "in tact", so to speak.
"I have read from books that it is possible to retrive any deleted/cleared data"
Not always true.
Yes, I understand that we can't get intact data… I'm just trying to make sure that I have checked all possibilities… so if someone has tried some methods, I can try the same!
Thanks
Sudha
Sudha,
Have you attempted to repair the EVT file and then run LogParser?
Cheers!
farmerdude
Thanks for the previous replies… but as of now I have a full image and I was able to successfully extract the SecEvent.evt file from the %system32/config/ folder.
But when I use Log Parser to see its contents I'm not able to… and Log Parser says that the file is corrupt… please help from this point onwards…
Like the Event Viewer, LogParser uses the MS API. Evtparse.pl doesn't… it parses the .evt file on a binary level, and is much more likely to work for you.
The investigation objective is simple and is as follows:
Find the last logged-in person and the time, or find the failed attempts at logging in.
Okay, this is a good place to start.
Do you have the Security Registry hive file? I'm not talking about secevent.evt, I'm specifically referring to the file named 'security' (no extension) from the system32\config directory. If you have this file, use RegRipper (http//
Your other option is to simply run evtparse.pl and look for events that have a source of 'Security' and an event ID of '528' (type 2 for console logins, type 10 for RDP logins) or '540'.
I use something like this:
evtparse.pl -e secevent.evt -t | find "Security/528" > 528_events.txt
HTH
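An added example, not from the thread and not part of evtparse.pl: it takes the `find "Security/528"` filtering one step further by parsing the TLN-style evtparse.pl output quoted earlier, pulling the Logon Type string out of 528/540 (success) and 529 (failure) events, and reporting the last successful logon and the failed attempts. The five-field line layout, the comma-joined strings and the XP/2003-era string order (Logon Type at index 3 for 528/540, index 2 for 529) are assumptions inferred from the sample line; the sample lines below are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the evtparse.pl -t (TLN) layout quoted earlier in the thread:
#   epoch|<image> - EVT|<machine>|<SID or N/A>|<Source>/<EventID>;;<strings>
# Strings are comma-joined (as in the thread's example); a Logon ID like "(0x0,0x3E7)"
# therefore carries a comma and must be kept whole when splitting.
SAMPLE_TLN = """\
1257335212|img.001 - EVT|WS01|N/A|Security/528;;jdoe,CORP,(0x0,0x3E7),2,User32,Negotiate,WS01
1257336000|img.001 - EVT|WS01|N/A|Security/529;;admin,CORP,3,User32,Negotiate,WS01
1257337500|img.001 - EVT|WS01|N/A|Security/528;;asmith,CORP,(0x0,0x5A2),10,User32,Negotiate,WS01
1257338100|img.001 - EVT|WS01|N/A|.NET Runtime Optimization Service/1102;;Succesfully compiled X
"""
# Assumed XP/2003 Security string order: index of the Logon Type string per event ID.
LOGON_TYPE_INDEX = {"528": 3, "540": 3, "529": 2}
SUCCESS = {"528", "540"}

def split_strings(raw):
    """Split on commas, except a comma inside a parenthesised Logon ID."""
    return re.split(r",(?![^(]*\))", raw)

def parse_tln(text):
    """Yield one dict per well-formed TLN line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        src_id, _, strings = parts[4].partition(";;")
        source, _, eid = src_id.rpartition("/")
        yield {"time": datetime.fromtimestamp(int(parts[0]), timezone.utc),
               "host": parts[2], "source": source, "eid": eid,
               "strings": split_strings(strings)}

def logon_events(text):
    """(time, user, domain, logon_type, success) for Security 528/540/529 events."""
    rows = []
    for r in parse_tln(text):
        idx, s = LOGON_TYPE_INDEX.get(r["eid"]), r["strings"]
        if r["source"] != "Security" or idx is None or len(s) <= idx:
            continue  # not a logon event, or strings truncated: do not guess
        rows.append((r["time"], s[0], s[1], s[idx], r["eid"] in SUCCESS))
    return rows

def last_logon(text):
    """Latest successful logon as (user, logon_type, ISO time), or None."""
    ok = [e for e in logon_events(text) if e[4]]
    if not ok:
        return None
    t, user, _, ltype, _ = max(ok, key=lambda e: e[0])
    return user, ltype, t.isoformat()
```

Failed attempts are the rows of `logon_events()` whose last element is False; type 2 is a console logon and type 10 an RDP logon, as noted above.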
Have you attempted to repair the EVT file and then run LogParser?
One of the reasons for a .evt file being identified as "corrupt" is because the API cannot find the message DLL in order to present a certain string.
One way to get around this is to NOT use the API; BTW, evtparse.pl would work on Linux.