Extract Audit logs or .evt files


sudha (Senior Member), posted Mar 23, 10 11:10

Dear All,

Please help me retrieve the .evt files from the Windows XP dd image that I have.

I extracted the Security file, and it is evident that auditing was enabled. To determine whether auditing was enabled or not I used rip.exe, provided by H. Carvey.

After this I need to figure out who tried to access the machine, so specifically I need to extract logon events.
 
  

paulo111 (Member), posted Mar 23, 10 13:26

sudha wrote:
    Please help me retrieve the .evt files from the Windows XP dd image that I have.
    I extracted the Security file, and it is evident that auditing was enabled. To determine whether auditing was enabled or not I used rip.exe, provided by H. Carvey.
    After this I need to figure out who tried to access the machine, so specifically I need to extract logon events.

Can you not extract the file and use something like Log Parser by Microsoft? I have used it for non-forensic analysis of IIS logs in the past. I am sure it handles Windows logs as well?
 
  

sudha (Senior Member), posted Mar 23, 10 15:01

Hi paulo,

I don't have an image of the entire hard disk, and I don't see anywhere that event logs are stored directly as .evt.
If I had the .evt files, I would have used some kind of parser to obtain the required results.
 
  

paulo111 (Member), posted Mar 23, 10 16:23

sudha wrote:
    I don't have an image of the entire hard disk, and I don't see anywhere that event logs are stored directly as .evt.
    If I had the .evt files, I would have used some kind of parser to obtain the required results.

Have you checked:

%SystemRoot%\System32\Config
%SystemRoot%\System32\

?
 
  

sudha (Senior Member), posted Mar 24, 10 07:52

It looks like it is a custom image that was then converted to a dd image, and I don't have all the system files.

I will ask the team to resend the image with all the files in System32.

Thanks for the replies.
 
  

Ivalen (Member), posted Mar 24, 10 17:22

Copied/pasted from my internal wiki:

Carving Event Logs

When you click 'Clear all events', Windows does NOT overwrite the space used by the events. Therefore, if you can carve out an event log, chances are you can carve out a large contiguous space and let EnCase parse it for you.

Search for the GREP expression "\x00\x00\x4C\x66\x4C\x65".

Pick the earliest one in your cluster and manually carve out chunks to files on your hard drive. Load them as single files into EnCase and run the parser.

That GREP expression is for the beginning of an event log file, not an event log itself.
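Editor's note, added as a worked example and not part of Ivalen's post or of EnCase: the 4C 66 4C 65 in that GREP expression is the ASCII signature "LfLe", and in the NT/2000/XP .evt format it sits at offset 4 of the 48-byte file header and at offset 4 of every EVENTLOGRECORD, right after the 4-byte little-endian record length. The two leading 00 00 bytes are simply the high half of a small length value, so the same search hits cleared records still sitting in unallocated space, which is why the carving approach works. The Python below scans a raw image for that signature, validates each hit by checking the length field against the copy stored at the end of the record, decodes the fixed header and the UTF-16LE source, computer and insertion strings, and then filters for the XP Security logon event IDs sudha is after. The image it runs on is constructed inline (a fake SecEvent.Evt header, two live records, a decoy signature with a bogus length, and an orphaned record left behind after a "clear"), with no SID or binary data in the records; the logon event IDs (528, 529, 540) and the assumption that user name and domain are the first two insertion strings are the usual XP Security log conventions, not something taken from this thread.

```python
"""Carve Windows NT/2000/XP .evt records out of a raw disk image.

Example code written for this thread, not from the original post or from any
forensic product. Every "LfLe" hit is validated as either a 48-byte file
header (version 1.1, size repeated at the end) or an EVENTLOGRECORD whose
trailing length copy matches the leading one. The sample image is constructed.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

SIG = b"LfLe"
FILE_HEADER = struct.Struct("<I4sIIIIIIIIII")   # 48-byte .evt file header
RECORD = struct.Struct("<I4sIIIIHHHHIIIIII")    # 56-byte fixed EVENTLOGRECORD part
LOGON_EVENT_IDS = {528, 529, 540}               # XP Security: logon ok, failed, network (assumed set)


@dataclass
class EvtRecord:
    offset: int
    record_number: int
    time_generated: datetime
    event_id: int
    event_type: int          # 8 = audit success, 16 = audit failure
    source: str
    computer: str
    strings: list


def read_utf16z(buf, off, limit):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = off
    while end + 1 < limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, start, length):
    f = RECORD.unpack_from(buf, start)
    num_strings, string_offset = f[7], f[11]
    if not 56 <= string_offset <= length:       # insertion strings must lie inside the record
        return None
    limit = start + length - 4                  # stop before the trailing length copy
    source, off = read_utf16z(buf, start + 56, limit)
    computer, _ = read_utf16z(buf, off, limit)
    strings, off = [], start + string_offset
    for _ in range(num_strings):
        s, off = read_utf16z(buf, off, limit)
        strings.append(s)
    return EvtRecord(start, f[2], datetime.fromtimestamp(f[3], timezone.utc),
                     f[5] & 0xFFFF, f[6], source, computer, strings)


def carve(image):
    """Return (file_headers, records) for every validated LfLe hit in the image."""
    headers, records = [], []
    pos = image.find(SIG)
    while pos != -1:
        start = pos - 4                          # the length DWORD precedes the signature
        if start >= 0:
            length = struct.unpack_from("<I", image, start)[0]
            if length == 0x30 and start + 0x30 <= len(image):
                h = FILE_HEADER.unpack_from(image, start)
                if h[2] == 1 and h[3] == 1 and h[11] == 0x30:   # major/minor 1.1, size repeated
                    headers.append({"offset": start, "current_record": h[6],
                                    "oldest_record": h[7], "max_size": h[8]})
            elif 56 <= length <= 0x10000 and start + length <= len(image):
                trailing = struct.unpack_from("<I", image, start + length - 4)[0]
                if trailing == length:           # decoys and torn records fail this check
                    rec = parse_record(image, start, length)
                    if rec:
                        records.append(rec)
        pos = image.find(SIG, pos + 1)
    return headers, records


def logon_events(records):
    """Security-log records with XP logon event IDs (strings[0]/[1] = user, domain)."""
    return [r for r in records if r.source == "Security" and r.event_id in LOGON_EVENT_IDS]


def build_record(num, event_id, event_type, strings, t=1269342600,
                 source="Security", computer="XPBOX"):
    """Construct a well-formed EVENTLOGRECORD for the sample image (no SID, no data)."""
    body = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)
    string_offset = 56 + len(body)
    body += "".join(s + "\x00" for s in strings).encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)
    length = 56 + len(body) + 4
    fixed = RECORD.pack(length, SIG, num, t, t, event_id, event_type, len(strings), 0, 0,
                        0, string_offset, 0, string_offset, 0, 56 + len(body))
    return fixed + body + struct.pack("<I", length)


def build_image():
    """Constructed image: junk, a decoy LfLe with a bogus length, a file header with
    two live records, slack, then an orphaned failed-logon record from a cleared log."""
    hdr = FILE_HEADER.pack(0x30, SIG, 1, 1, 0x30, 0, 3, 1, 0x80000, 0, 0, 0x30)
    live = (build_record(1, 528, 8, ["alice", "LAB", "(0x0,0x3E7)", "2"]) +
            build_record(2, 612, 8, ["+ + +", "+ + +"]))
    orphan = build_record(7, 529, 16, ["bob", "LAB", "3"], t=1269000000)
    decoy = b"\xff\xff\xff\xff" + SIG
    return b"\xaa" * 64 + decoy + hdr + live + b"\x00" * 100 + orphan + b"\x55" * 32


if __name__ == "__main__":
    headers, records = carve(build_image())
    for h in headers:
        print(f"file header at {h['offset']:#x}: records {h['oldest_record']}..{h['current_record'] - 1}")
    for r in logon_events(records):
        print(f"{r.time_generated:%Y-%m-%d %H:%M:%S} rec#{r.record_number} event {r.event_id} "
              f"type {r.event_type} user={r.strings[0]} domain={r.strings[1]} on {r.computer}")
```

To use it on a real dd image, replace build_image() with the file contents (or mmap it) and expect many more hits than the file header search alone, since the orphaned record 7 above is found with no header in front of it; the trailing-length check is what keeps random "LfLe" bytes and partially overwritten records out of the result.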
 
  

sudha (Senior Member), posted Mar 26, 10 14:35

Thanks Ivalen, I will try the expression
"\x00\x00\x4C\x66\x4C\x65"
and see what I can do with it further.

Thanks
Sudha
 

Page 1 of 3