NT event log

Finally...

A blog post by Harlan Carvey made me aware of some official documentation of the Event Log Header and EOF structures.

Until now, authoritative documentation was available only for the event record structure. Even a cursory glance at an event log file showed that there must be more. So somewhere in 2004 I began to research the file format. A little Perl script helped me to submit records of predictable length to the event logging service. Some dozens of tests later I understood the overall meaning of the two undocumented records, the header and the EOF record, including the four flags.

In March 2005 I presented my results at the 12th DFN Workshop on Security in Networked Systems. While this was fun and led to some nice responses, I had to realize that presenting on the subject of computer forensics at a German conference (and in German!) hardly generates any impact.

Whenever I drew some conclusions from the flags of an event log file, my results were questioned and I had to explain why there's no official documentation available, how I obtained the information about the data format and so on. So it's a great relief to see that all (well, almost all: the padding with DWORD 0x27 isn't mentioned) of this is now publicly available from the authoritative source. And of course I'm satisfied that my "guesswork" (as some called it) is pretty close to the real thing.

The best news behind this, however, is that Microsoft decided to publicly document two data structures which are highly unlikely ever to be accessed directly by the common programmer - but provide high value to the forensic community! Thank you Microsoft! And thank you, whoever made Microsoft release this information!

And now there's one excuse less for writing faulty event log parsers.
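As an added example (not code from this post, and not Microsoft's), a small Python reader for the two structures discussed above, using the ELF_LOGFILE_HEADER and ELF_EOF_RECORD layouts and the four flag values from the Microsoft documentation; the dictionary field names and the sample log bytes are my own construction.

```python
import struct

# Flags field of ELF_LOGFILE_HEADER, names as in the Microsoft documentation.
FLAG_DIRTY, FLAG_WRAP, FLAG_LOGFULL_WRITTEN, FLAG_ARCHIVE_SET = 0x1, 0x2, 0x4, 0x8
FLAG_NAMES = {FLAG_DIRTY: "DIRTY", FLAG_WRAP: "WRAP",
              FLAG_LOGFULL_WRITTEN: "LOGFULL_WRITTEN", FLAG_ARCHIVE_SET: "ARCHIVE_SET"}
EOF_MAGIC = struct.pack("<5I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444)  # EOF record start

def parse_header(buf):
    """ELF_LOGFILE_HEADER: 12 little-endian DWORDs (48 bytes) at offset 0."""
    names = ("header_size", "signature", "major", "minor", "start_offset",
             "end_offset", "current_record", "oldest_record", "max_size",
             "flags", "retention", "end_header_size")
    hdr = dict(zip(names, struct.unpack_from("<12I", buf, 0)))
    if hdr["header_size"] != 0x30 or hdr["end_header_size"] != 0x30:
        raise ValueError("unexpected header size fields")
    if hdr["signature"] != 0x654C664C:  # "LfLe" read as a little-endian DWORD
        raise ValueError("LfLe signature missing")
    return hdr

def parse_eof(buf, offset):
    """Return the EOF record's offsets and record numbers, or None if none is there."""
    if buf[offset:offset + 20] != EOF_MAGIC or len(buf) < offset + 40:
        return None
    vals = struct.unpack_from("<5I", buf, offset + 20)  # last DWORD repeats the size, 0x28
    return dict(zip(("begin_record", "end_record", "current_record", "oldest_record"), vals[:4]))

def examine(buf):
    """Decode the flags and cross-check the header against the EOF record."""
    hdr = parse_header(buf)
    flags = [name for bit, name in FLAG_NAMES.items() if hdr["flags"] & bit]
    findings = []
    eof = parse_eof(buf, hdr["end_offset"])
    if eof is None:  # stale EndOffset (typical for a DIRTY log): locate the EOF record by its magic
        findings.append("header EndOffset does not point at an EOF record")
        pos = buf.find(EOF_MAGIC, 0x30)
        eof = parse_eof(buf, pos) if pos >= 0 else None
    for key in ("current_record", "oldest_record"):
        if eof and hdr[key] != eof[key]:
            findings.append("%s: header %d, EOF record %d" % (key, hdr[key], eof[key]))
    return {"flags": flags, "eof": eof, "findings": findings}

def build_sample():
    """Constructed 224-byte log, not a real file: DIRTY set, header counters stale."""
    hdr = struct.pack("<12I", 0x30, 0x654C664C, 1, 1, 0x30, 0x90, 3, 1,
                      0x100, FLAG_DIRTY, 604800, 0x30)
    records = bytes(0x80)                   # stand-in for event records (zeros, constructed)
    padding = struct.pack("<I", 0x27) * 2   # the 0x27 padding DWORDs before the EOF record
    eof = EOF_MAGIC + struct.pack("<5I", 0x30, 0xB8, 5, 1, 0x28)
    return hdr + records + padding + eof
```

With DIRTY set the header still reflects the last clean close, so the EOF record, which is rewritten on every append, is the better witness for the current state; the disagreement shows up in the findings.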


Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.