Version 1.0.3 of the Microsoft Vista and Windows 2008 Event Log parser is now available for download. As usual, it fixes some bugs and introduces new features.
Continue reading Evtx Parser Version 1.0.3.
February 2010 Archives
NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.
Continue reading Test of Media Preparation Tools.
010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.
Continue reading 010 Editor Version 3.1.0.
In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!
Continue reading How to Sort Event Records.
Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.
Continue reading Evtx Parser Version 1.0.2.
