« June 2007 | Main | August 2007 »
Vista event log
The substitution mechanism allows to separate content from structure. Variable data will be moved into a separate table, the "Substitution Array". Placeholders within the XML stream, the substitution system tokens, will point to the proper element.
Vista event log
Parsing clear text can be a tedious piece of work, especially in the case of XML, which is known for its low entropy. Under the premise that XML messages are frequently re-read, the conversion of certain language elements into "tokens" can save a significant amount of computational power and also cuts down on the requirements for storage space.
Lab
Guidance Software and Access Data have updated some of their products during the last few days.
Vista event log
By far the largest part of an event record consists of a complex binary XML structure. I'm going to explain its internals in a series of postings. I'm starting with an overview of the XML schema.
Vista event log
I'm excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By "outer structure" I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template can not yet decode the binary XML inside of an event record - and provably never will. For this task I will provide a more complex tool in a few weeks.
Side notes
ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially with the upcoming arts of live forensics and the analysis of volatile data.
The call for paper closes on December 1st, 2007.
(via Bradley Schatz)
Vista event log
This article documents the structure of a single event record within a Vista Event Log (.evtx) file. The event records go one by one, following the chunk header.
Vista event log
Each event log file contains one or many so-called "chunks", which store the event records. During operation, only the current chunk of an event log file is mapped into memory.
Vista event log
This article documents the Evtx file header. The file header provides some overall information about a Vista event log file.
Carving
"Chopstick" published two articles about CarvFS in his blog Chirashi Security.
Lab
The Association of Chief Police Officers in co-operation with 7Safe released an updated edition of their Good Practice Guide for Computer-Based Electronic Evidence.
Lab
Since version 2.3 the shared libraries and utility programs which implement the Advanced Forensic Format (AFF), are also available for the Microsoft Windows platform.
Lab
NIST has just released their test reports for GuidanceSoftware's FastBloc FE (with USB and FireWire interface) and the Tableau T5 (also with USB and FireWire interface).
Side notes
The FIRST Conference 2008 will be held in Vancouver, Canada, from June 22-27, 2008. The Call for Papers is open until November 15, 2007.
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.