
System Logs

(@amicus)
Posts: 31
Eminent Member
Topic starter
 

I am working a case at present and am trying to explain a very basic understanding of the System.Log1 file found within the MS Vista OS. For the life of me I cannot find any authoritative reading on the files and how they work. It is required for a court of appeal hearing in less than a week.

Can anyone please point me in the direction of any documentation that may assist.

 
Posted : 10/02/2015 1:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can you perhaps provide some context as to the forensic value of that file in relation to your investigation? That might help provide an answer.

Also, this might help
http://www.techsupportalert.com/content/deeper-windows-registry.htm

 
Posted : 10/02/2015 11:05 pm
(@amicus)
Posts: 31
Eminent Member
Topic starter
 

The matter is now before the court and two opposing forensic experts are differing in their understanding of the differences between a System.log file and a System.log1 file. There is not very much difference in what they are saying but the Judge is looking for an authoritative explanation, especially of why the two files exist, what they do and why there are two files.

Hope that helps.

 
Posted : 11/02/2015 12:51 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Your best bet will be to contact Microsoft.

 
Posted : 11/02/2015 1:31 am
(@amicus)
Posts: 31
Eminent Member
Topic starter
 

Cheers. I have done that but knowing them they take a long time. I just thought someone may have come across the same problem.

 
Posted : 11/02/2015 2:40 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

There is some explanation in the Microsoft book, "Windows Internals, Part 1", by the well-known Mark Russinovich.

I won't re-type the entire explanation from the book, but it goes like this:

"To ensure forward progress the [registry] configuration manager uses a dual logging scheme. There are potentially two log files, .log1 and .log2. If for any reason .log1 was written but a failure occurred while writing the dirty data to the primary log file, the next time this happens a switch to .log2 will occur..."

It is moderately complex, with bit arrays, flushing, lazy writes, hive syncs, etc.
IMHO it is well beyond the understanding of the typical man in the street, who won't even know what the Windows registry is.

You could sum it up (or dumb it down) by describing it as a temporary storage location for Windows registry keys. Then go on to explain what registry keys are.

 
Posted : 11/02/2015 5:20 am
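An added example, not from this thread, the book, or Microsoft, to make the dual-logging description above concrete for a practitioner: both the primary hive (e.g. SYSTEM) and its .LOG1/.LOG2 transaction logs begin with the same 512-byte "regf" base block. The block carries two sequence numbers (the primary one is bumped when a write to the hive begins, the secondary one when it completes), the last-written timestamp, a file type field that distinguishes a primary hive from a transaction log, and an XOR-32 checksum. The parser below reads that header and reports whether the hive is "dirty", i.e. whether the two sequence numbers disagree, which is exactly the state in which the data in .LOG1/.LOG2 matters. Field offsets follow the publicly documented REGF format as described in libregf's format notes; the sample headers are constructed in the code (they are not real hives), and the checksum remapping of 0 and 0xFFFFFFFF is the documented Windows behaviour.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the 512-byte REGF base block (publicly documented registry
# file format; offsets from libregf's format documentation):
#   0x000  "regf" signature
#   0x004  primary sequence number   (bumped when a write to the hive begins)
#   0x008  secondary sequence number (bumped when that write completes)
#   0x00C  last-written FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x014  major version, 0x018 minor version
#   0x01C  file type: 0 = primary hive, 1 = transaction log (.LOG1/.LOG2)
#   0x020  file format, 0x024 root cell offset, 0x028 hive bins size,
#   0x02C  clustering factor, 0x030 file name (64 bytes, UTF-16LE)
#   0x1FC  XOR-32 checksum of the preceding 508 bytes
BASE_BLOCK_SIZE = 512
HEADER_FMT = "<4sIIQIIIIIII"          # fields from 0x000 up to 0x030
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_TYPES = {0: "primary", 1: "transaction log"}


def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 dwords; 0 and 0xFFFFFFFF are remapped as Windows does."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_base_block(block: bytes) -> dict:
    """Decode the header of a hive or of its .LOG1/.LOG2 and judge its state."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("need at least 512 bytes")
    (sig, primary, secondary, ft, major, minor, ftype, fmt,
     root, bins_size, cluster) = struct.unpack_from(HEADER_FMT, block, 0)
    if sig != b"regf":
        raise ValueError("not a REGF base block")
    name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "name": name,
        "file_type": FILE_TYPES.get(ftype, f"unknown({ftype})"),
        "version": f"{major}.{minor}",
        "last_written": filetime_to_utc(ft),
        "primary_seq": primary,
        "secondary_seq": secondary,
        # The numbers agree only after a write completed; a mismatch means the
        # hive was interrupted mid-write and must be recovered from the log.
        "dirty": primary != secondary,
        "checksum_ok": stored == regf_checksum(block),
    }


def make_base_block(name: str, primary: int, secondary: int, file_type: int = 0,
                    when: datetime = datetime(2015, 2, 10, 13, 35, tzinfo=timezone.utc)) -> bytes:
    """Constructed sample header (not a real hive) for exercising the parser."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(HEADER_FMT, hdr, 0, b"regf", primary, secondary,
                     utc_to_filetime(when), 1, 3, file_type, 1, 0x20, 0x1000, 1)
    hdr[0x30:0x70] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(bytes(hdr)))
    return bytes(hdr)


def hive_report(block: bytes) -> str:
    """One-line summary of a base block, suitable for an examiner's notes."""
    info = parse_base_block(block)
    state = "DIRTY (recover from .LOG1/.LOG2)" if info["dirty"] else "clean"
    return (f'{info["name"] or "?"} [{info["file_type"]}] v{info["version"]} '
            f'seq {info["primary_seq"]}/{info["secondary_seq"]} {state}, '
            f'checksum {"ok" if info["checksum_ok"] else "BAD"}, '
            f'last written {info["last_written"]:%Y-%m-%d %H:%M:%S} UTC')


if __name__ == "__main__":
    # Constructed samples: a hive flushed cleanly, one caught mid-write, and a log.
    for sample in (make_base_block("SYSTEM", 7, 7),
                   make_base_block("SYSTEM", 8, 7),
                   make_base_block("SYSTEM", 8, 8, file_type=1)):
        print(hive_report(sample))
    # On an evidence copy: parse_base_block(open("SYSTEM", "rb").read(512))
```

Run it against the first 512 bytes of an imaged SYSTEM hive and of its SYSTEM.LOG1/SYSTEM.LOG2 to document, from the files themselves, which of them is a primary hive and which are transaction logs, and whether the primary was cleanly flushed when the machine was last shut down. Which of the two logs Windows would switch to next is decided by the failure sequence the book describes, not by anything the header alone records, so the report deliberately makes no claim about that.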
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

I'm sure we are all curious to know the experts' respective opinions. I'd like to know how they describe the purpose and provenance of the files, and especially the inferences that can be drawn and how they relate to the facts of the case.

How do they [the experts] differ?

 
Posted : 11/02/2015 5:34 am