Vista event log
« December 2009 | Main | March 2010 »
Lab
Test of Media Preparation Tools
NIST has tested hardware and software tools that can be used to wipe hard disks. Wiping tools are commonly used to clean temporary storage media. This can happen prior to an analysis in order to prevent data from an earlier case to contaminate data that is currently under examination. Also, storage media are commonly wiped as soon as they are no longer needed in order to minimize the risk of data leakage.
Lab
010 Editor Version 3.1.0
010 Editor, a hex editor, became an indispensable tool to me years ago. I use it frequently when I'm analyzing files in depth. The authors have released version 3.1, which fixes a couple of bugs and introduces many new features.
Vista event log
How to Sort Event Records
In the course of time I found different tools to order event records differently. The Windows Event Viewer, for example, exports records from the highest to the lowest EventRecordID. My own tool parses an EVTX file from its beginning to its end and emits event records as they appear in the file. In most cases this will be in the opposite direction, from the lowest to the highest EventRecordID. But to make things worse, logs can be configured to wrap around, so the record with the lowest number may be found somewhere in the middle. A tool to sort event records in XML format by their EventRecordID would come in handy!
Vista event log
Evtx Parser Version 1.0.2
Version 1.0.2 of the perl Evtx Parser library is now publicly available. This version fixes some bugs and introduces some small changes to the parser's architecture.
Side notes
SANS Forensic Summit in London
On April 19 and 20, 2010 SANS will held their European Community Digital Forensics and Incident Response Summit in London, UK. Check out the agenda, there will be lots of interesting keynotes and briefings. I'm excited to announce that I will present on the native format of Windows Event Logs on the second day.
Search
Deutsch
Deutschsprachige Ausgabe
Categories
- Lab (40)
- FTK 2 (5)
- Library (20)
- Side notes (48)
- Topics
- Carving (9)
- File Systems (1)
- Multimedia (7)
- Network forensics (2)
- Windows (1)
- Memory analysis (97)
- NT event log (8)
- Vista event log (24)
Archives
- March 2010
- February 2010
- December 2009
- November 2009
- October 2009
- May 2009
- April 2009
- March 2009
- February 2009
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- December 2005
- November 2005
- October 2005
Latest articles
Subscribe
Imprint
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.