Category "NT event log"

Windows Log Forensics

In Issue 16 of the free (IN)SECURE magazine Rob Faber describes the design and the various features of Microsoft Windows event logging services. His article covers both, the old log of the NT family of kernels and the redesigned event logging services found in Vista and Windows Server 2008.

Security Event ID Cheat Sheet

Do you know the meaning of all the different event ID codes in the security event log of Microsoft Windows NT, 2000, XP and 2003? The Digital Forensics Institute provides you with a cheat sheet of all the codes and their meaning. (via e-evidence.info)

Finally...

A blog post by Harlan Carvey made me aware of some official documentation of the Event Log Header and EOF structures.

Weird IE7 Event Log

| 1 Comment

Bill Tydeman reported a new event log on the Windows Forensic Analysis group at Yahoo! and on his new blog. The weird thing is, this log seemingly is not properly configured and the log file is garbled.

GrokEVT Version 0.4.0

GrokEVT is a set of Python scripts for reading Windows Event Log files (.evt) on Unix hosts. New in version 0.4.0 is grokevt-findlogs which carves event records from raw binary data like unallocated clusters or a memory dump.

A Common Misconception

An article in a German computer magazine recently remined me of a common misconception in event log parsers. Most parsers treat Windows event log files as sequential files - and read them from top to bottom. While this usually works, it might mangle or suppress a single log entry under special circumstances.

Reconstruction of Corrupted Event Logs

| 1 Comment

Viewing a saved Windows Event Log file on a different system might be unexpectedly difficult. The Event Log Service might refuse to open the file as it appears to be corrupted. In that situation a procedure documented by Stepahn Bunting may provide first aid.

Default ACL of Event Logs

Eric Fitz took the trouble to search the Windows sources for default access control lists of the various event logs. He posted his findings for Windows 2000, XP with Service Pack 2 and Windows Server 2003 in the Windows Auditing Team's blog.

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12