Is there an easy way to read recovered EVT files from a machine without having to import them into another machine with the associated DLL to read them in Event Viewer, and without using EnCase (I know there is an EnScript that can do this)?
Normally, I use logparser to read from the live system, and am looking for a similar method with recovered files.
I have FTK if that helps.
Thanks,
jaysp
How about grokevt from http//
Paul
I'm rather fond of Event Log Explorer by FSPro Labs. See
It rips evt files and can output them to an Excel 2007+ spreadsheet for further filtering, sorting, search, etc.
/scott
Also of use for evtx files is the Evtx Parser by Andreas Schuster
http//
Usually, after using something like FTK or Scalpel to recover evt files based on headers and footers, I use the following command line along with Harlan's lsevt2.pl Perl script to quickly parse the data into an out file.
# Loop over each recovered .Evt file with a glob rather than `ls -l`
# (the long listing would also feed permissions, sizes and dates into $i),
# run Harlan's lsevt2.pl on each with the -c switch, then strip every byte
# that is not printable ASCII (tab, newline, space through tilde) before
# writing the combined output file.
for i in *.Evt ; do
    perl /home/chague/ir/Harlan_Carvey/ch5/code/readevt/lsevt2.pl -f "$i" -c
done | tr -cd '\11\12\40-\176' > recovered_logs.out
Cheers,
Chris
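The thread above describes carving .evt files by header and footer and then handing them to a parser. Carved output often has a damaged or missing file header and partial records at the cut points, so a parser that walks the file header's start/end offsets can fail. The following is an added example written for this page, not code from any poster in the thread and not Harlan Carvey's lsevt2.pl: it scans a carved blob for the "LfLe" record signature, accepts a record only if the length DWORD at its head is repeated at its tail (the classic NT/2000/XP event log record layout), and decodes the source, computer, timestamps, event ID and insertion strings. The sample blob is constructed in the script (slack bytes, a good record, a truncated record, a good record); the SID and binary-data fields are left empty in that sample, and `max_len` is an assumed sanity cap, not a value from the format specification.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte record header of the classic Windows NT/2000/XP .evt format:
# length, "LfLe", record number, time generated, time written, event ID,
# event type, number of strings, category, reserved, closing record number,
# string offset, SID length, SID offset, data length, data offset.
RECORD_HDR = struct.Struct("<IIIIIIHHHHIIIIII")
RECORD_SIG = b"LfLe"
SIG_VALUE = 0x654C664C          # "LfLe" read as a little-endian uint32
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}

def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"

def _read_utf16z(buf, off, limit):
    """Read a NUL-terminated UTF-16LE string starting at off, never past limit."""
    end = off
    while end + 1 < limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2

def build_record(rec_num, time_gen, event_id, event_type, source, computer, strings):
    """Assemble one record in on-disk layout (constructed test data; no SID, no data)."""
    body = _utf16z(source) + _utf16z(computer)
    str_off = RECORD_HDR.size + len(body)
    body += b"".join(_utf16z(s) for s in strings)
    while (RECORD_HDR.size + len(body) + 4) % 4:     # records are DWORD aligned
        body += b"\x00"
    length = RECORD_HDR.size + len(body) + 4
    hdr = RECORD_HDR.pack(length, SIG_VALUE, rec_num, time_gen, time_gen, event_id,
                          event_type, len(strings), 0, 0, 0, str_off, 0, 0, 0,
                          RECORD_HDR.size + len(body))
    return hdr + body + struct.pack("<I", length)

def parse_evt_records(blob, max_len=0x10000):
    """Carve records out of an .evt image by signature, ignoring the file header."""
    records = []
    pos = blob.find(RECORD_SIG)
    while pos != -1:
        start = pos - 4                          # the length DWORD precedes the signature
        if start >= 0 and start + RECORD_HDR.size <= len(blob):
            f = RECORD_HDR.unpack_from(blob, start)
            length = f[0]
            end = start + length
            # A genuine record repeats its length as its last DWORD; the 0x30-byte
            # file header (which also carries "LfLe") and truncated fragments fail here.
            if (RECORD_HDR.size + 4 < length <= max_len and end <= len(blob)
                    and struct.unpack_from("<I", blob, end - 4)[0] == length):
                records.append(_decode(blob, start, f))
                pos = blob.find(RECORD_SIG, end)
                continue
        pos = blob.find(RECORD_SIG, pos + 1)
    return records

def _decode(blob, start, f):
    (length, _sig, rec_num, t_gen, _t_wr, event_id, ev_type, n_str, _cat,
     _res, _closing, str_off, _sid_len, _sid_off, data_len, data_off) = f
    end = start + length
    source, off = _read_utf16z(blob, start + RECORD_HDR.size, end)
    computer, _ = _read_utf16z(blob, off, end)
    strings, off = [], start + str_off
    for _ in range(n_str):
        if off >= end:
            break
        s, off = _read_utf16z(blob, off, end)
        strings.append(s)
    data = blob[start + data_off:start + data_off + data_len] if data_len else b""
    return {
        "record": rec_num,
        "generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,      # low word is the event code Event Viewer shows
        "type": EVENT_TYPES.get(ev_type, str(ev_type)),
        "source": source, "computer": computer, "strings": strings, "data": data,
    }

def sample_carved_blob():
    """Constructed carve output: slack bytes, a good record, a truncated one, a good one."""
    good1 = build_record(101, 1234567890, 528, 8, "Security", "WKS01",
                         ["user1", "CORP", "(0x0,0x3E7)", "2"])
    cut = build_record(102, 1234567891, 7036, 4, "Service Control Manager", "WKS01",
                       ["Spooler", "stopped"])[:-10]
    good2 = build_record(103, 1234567892, 7036, 4, "Service Control Manager", "WKS01",
                         ["Spooler", "running"])
    return b"\x00" * 17 + good1 + b"\xff" * 3 + cut + good2

if __name__ == "__main__":
    for r in parse_evt_records(sample_carved_blob()):
        print(r["record"], r["generated"], r["source"], r["event_id"], r["type"], r["strings"])
```

Run it against a real carved file by replacing `sample_carved_blob()` with `open(path, "rb").read()`. Because validation relies on the length DWORD appearing at both ends of a record, the truncated record in the sample is skipped and the scan resumes at the next signature instead of desynchronising, which is the property you want when the input came from a header/footer carver rather than from a clean copy of the log.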