DFRWS 2007 Paper


My paper Introducing the Microsoft Vista Event Log File Format has been accepted for presentation at DFRWS 2007. See you in Pittsburgh!

From the abstract:

Several operating systems provide a central logging service which collects event messages from the kernel and applications, filters them, and writes them into log files. Such a system service has existed in Microsoft Windows NT for more than a decade. Its file format is well understood and supported by forensic software. Microsoft Vista introduces an event logging service that has been entirely redesigned. This confronts forensic examiners and software authors with unfamiliar system behavior and a new, largely undocumented file format.
This article describes the history of Microsoft Windows system loggers, what has been changed over time, and for what reason. It compares Vista log files in their native binary form and in a textual form. Based on the results, this paper for the first time publicly describes the key elements of the new log file format and the proprietary binary encoding of XML. It discusses the problems that may arise during daily work. Finally, it proposes a procedure for recovering information from log fragments.

05/23/2007: added the final abstract.
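As an added illustration of the kind of fragment recovery the abstract refers to (this is the editor's example, not code from the paper or from this blog): a minimal Python carver that scans arbitrary bytes, such as unallocated space, for the ElfChnk chunk signature, verifies the chunk header checksum to reject false hits, and walks the event records by their size framing. The layout constants are the well-known EVTX ones (64 KiB chunks, records starting at offset 0x200, record magic 0x2a2a0000, header CRC32 at 0x7C). The sample blob is constructed inline, and the record bodies are placeholder bytes standing in for the binary XML, which this carver leaves undecoded.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Well-known EVTX layout constants (taken from the public format
# description, not from the blog post above).
FILE_MAGIC = b"ElfFile\x00"      # header of a complete .evtx file
CHUNK_MAGIC = b"ElfChnk\x00"     # header of every 64 KiB chunk
CHUNK_SIZE = 0x10000
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
RECORDS_START = 0x200            # first event record inside a chunk
MIN_RECORD_SIZE = 0x18 + 4       # record header plus trailing size copy

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def chunk_header_valid(chunk):
    """Verify the chunk header CRC32 stored at 0x7C, computed over
    bytes 0x00-0x78 and 0x80-0x200 (the checksum field itself is excluded)."""
    if len(chunk) < RECORDS_START or chunk[:8] != CHUNK_MAGIC:
        return False
    expected = struct.unpack_from("<I", chunk, 0x7C)[0]
    return zlib.crc32(chunk[:0x78] + chunk[0x80:RECORDS_START]) == expected

def walk_records(chunk):
    """Yield (record_id, timestamp, body) for each consistently framed
    record; stop at the first framing error (free space or corruption).
    The body is the binary XML payload, returned undecoded."""
    off = RECORDS_START
    while off + MIN_RECORD_SIZE <= len(chunk):
        if chunk[off:off + 4] != RECORD_MAGIC:
            break
        size = struct.unpack_from("<I", chunk, off + 4)[0]
        if size < MIN_RECORD_SIZE or off + size > len(chunk):
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break  # the size copy at the end of the record must match
        rec_id, ft = struct.unpack_from("<QQ", chunk, off + 8)
        yield rec_id, filetime_to_datetime(ft), chunk[off + 0x18:off + size - 4]
        off += size

def carve_chunks(data):
    """Scan arbitrary bytes for chunk signatures and return
    [(offset, [records...])] for every chunk whose header CRC verifies.
    A truncated trailing chunk is still walked as far as its records extend."""
    found, start = [], 0
    while (pos := data.find(CHUNK_MAGIC, start)) != -1:
        chunk = data[pos:pos + CHUNK_SIZE]
        if chunk_header_valid(chunk):
            found.append((pos, list(walk_records(chunk))))
        start = pos + 1
    return found

# --- constructed sample data (not real Vista logs) -------------------------

def _record(rec_id, ft, body):
    size = 0x18 + len(body) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + body + struct.pack("<I", size)

def build_sample_blob():
    """Junk bytes, one well-formed chunk with two records, then a decoy
    ElfChnk signature with a bad checksum that the carver must reject."""
    ft = 128_000_000_000_000_000            # a FILETIME in 2006
    rec1 = _record(1, ft, b"BINXML-1")      # placeholder bodies stand in
    rec2 = _record(2, ft + 10_000_000, b"BINXML-2")  # for real binary XML
    recs = rec1 + rec2
    hdr = bytearray(RECORDS_START)
    hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", hdr, 0x08, 1, 2, 1, 2)       # first/last record number and id
    struct.pack_into("<IIII", hdr, 0x28, 0x80,              # header size
                     RECORDS_START + len(rec1),              # last record offset
                     RECORDS_START + len(recs),              # free space offset
                     zlib.crc32(recs))                       # records checksum
    struct.pack_into("<I", hdr, 0x7C, zlib.crc32(hdr[:0x78] + hdr[0x80:RECORDS_START]))
    chunk = bytes(hdr) + recs
    chunk += bytes(CHUNK_SIZE - len(chunk))
    junk = b"\xde\xad\xbe\xef" * 4
    decoy = CHUNK_MAGIC + bytes(0x300)
    return junk + chunk + decoy

if __name__ == "__main__":
    for offset, records in carve_chunks(build_sample_blob()):
        print(f"chunk at 0x{offset:x}: {len(records)} record(s)")
        for rec_id, ts, body in records:
            print(f"  record {rec_id} {ts.isoformat()} body={body!r}")
```

Run stand-alone, it reports one chunk at offset 0x10 with two records and silently drops the decoy, whose header checksum does not verify; the trailing size check is what stops the record walk at free space instead of reading garbage as a record.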

2 Comments

I won't be able to make it to the conference but do you plan on posting your paper anywhere for others to read? I'd love to take a read through it if I could :)

Andrew,

Last year the papers were available from the conference website. Should that policy change (which I don't expect to happen), the license agreement of Elsevier still entitles me to make the unedited author's version available.

Also I plan to post some of the deep-down technical details here, as time permits...


Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.