EnScript to parse classic (.evt) event log entries in unallocated

This EnScript was inspired by a blog reader who emailed me to ask for a solution to parse some windows event log entries that were found in unallocated.

There are a couple ways I could think of to solve this issue. The easiest was to just build a parser to read a single event log record that was found in unallocated and display the data in the single record. The problem with that solution is it does not scale well and it will become very tedious when there are numerous records found in unallocated and requires a person to parse each one individually.

The final solution was an EnScript to perform a search for the magic value of "LfLe" which appears in every valid event log record. Once a hit is found, then the record is parsed and exported out into a separate .EVT file.  Every hit is exported out into the same .evt file and in the end, you will have a single "eventlog.evt" that contains all the valid windows event log entries that were found in unallocated. You can then use your favorite 3rd party event log viewer (Event log explorer, etc..) or the native Windows event viewer (eventvwr.exe) to read all the records that were found in unallocated.

Each event log entry maintains a event record number. When searching in unallocated, it is possible that you could find two records with the same record number, therefore this EnScript renumbers all the records found in unallocated, but leaves the remaining data intact and as exactly as found in unallocated. Each record is assigned a new record number and then exported into the new .Evt file. A new header and footer is built based on the exported data so it can then be read with all the common event log viewing tools.

The exported records viewed in the EVENTVWR app in Windows 7:




The exported records viewed in the Event Log Explorer app in Windows 7:



Prerequisites:
None - This EnScript performs a search automatically. There is no need to search, select (blue check) or preprocess anything. The EnScript will search every unallocated object found, so if you have multiple drives loaded into the case, each one will be searched automatically. The EnScript automatically bookmarks all the "LfLe" search hits (valid and invalid). Some basic error checking is done to validate the record to attempt to ensure it is a complete and valid record before it is exported into the new .EVT file. The new "eventlog.evt" file is created in the default export folder for the active case.

Limitations:
This *only* searches and rebuilds classic Windows NT/2000/XP event (.evt) records. It does not yet support the newer .EVTX (xml) records that are used in Vista, 2008 & 7.

Download here


轉自 forensickb

0 意見: