Version 1.0.4 of my Microsoft Vista and Windows 2008 Event Log parser is now available for download. This version adds data integrity checking and fixes some errors.
Continue reading Evtx Parser Version 1.0.4.
March 2010 Archives
The separation of content and structure along with the substitution mechanism is a core concept of the event log. The XML template contains placeholders, that are filled in from the associated slots of the record's substitution array. Whenever the slot contains a NullType "value", the system suppresses the placeholder and its containing XML element. These NullType slots do not contain any data. At least that's what I thought for too long.
Continue reading A non-empty NullType.
I'm excited to announce that my proposed tutorial on file system analysis was accepted for the 22nd Annual FIRST Conference. I'm going to explain how to proceed when the usual tools like EnCase, FTK, and X-Ways Forensics are unable to parse a file system.
Continue reading Tutorial on Filesystem Analysis.
