int for(ensic){blog;}

The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.

By Andreas Schuster at 03/11/2010, 04:00 PM | Permalink

I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22^nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to parse a file system.

By Andreas Schuster at 03/01/2010, 04:00 PM | Permalink

Version 1.0.3 of the Microsoft Vista and Windows 2008 Event Log parser is now available for download. As usual, it fixes some bugs and introduces new features.

By Andreas Schuster at 02/25/2010, 04:00 PM | Permalink

NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.

By Andreas Schuster at 02/23/2010, 04:00 PM | Permalink

010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.

By Andreas Schuster at 02/22/2010, 04:00 PM | Permalink

In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!

By Andreas Schuster at 02/08/2010, 04:00 PM | Permalink

Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.

By Andreas Schuster at 02/04/2010, 04:00 PM | Permalink

On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I will present on the native format of Windows Event Logs on the second day.

By Andreas Schuster at 02/01/2010, 04:00 PM | Permalink