In this chapter, we will look at the internal structure of the Windows event log files and compare the logs of the Windows XP era with those of the Windows Vista era and beyond. We will look at how to recover log files from unallocated space after an intruder has deleted them. Because few network attackers miss the chance to clear the event logs and discard the data, a network examiner must have the ability to recover event log data.
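As an added example (not code from the chapter or its author), the following Python script carves Windows XP/2003-style event records out of an arbitrary byte buffer, the way an examiner would scan a dump of unallocated space. It relies on the documented EVENTLOGRECORD layout: each record starts with its length in bytes, the marker `LfLe`, and a fixed 56-byte header, and repeats its length as the final DWORD, which is the consistency check that separates real records from stray markers. The sample buffer, computer name, event strings and the "decoy" damaged record are constructed for the demonstration.

```python
"""Carve Windows XP/2003 (.evt) event records from raw bytes (added example)."""
import struct
from datetime import datetime, timezone

RECORD_MAGIC = b"LfLe"      # Reserved field of every record (the 48-byte file header also carries it)
FIXED_HEADER_LEN = 56       # Length .. DataOffset, per the EVENTLOGRECORD structure
HEADER_FMT = "<I4sIIIIHHHHIIIIII"
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def _read_wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset after terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, start):
    """Parse the EVENTLOGRECORD at buf[start:]; return a dict, or None if framing is inconsistent."""
    if start < 0 or start + FIXED_HEADER_LEN > len(buf):
        return None
    (length, magic, rec_no, t_gen, _t_written, event_id, ev_type, num_strings,
     _category, _flags, _closing, str_off, sid_len, sid_off,
     data_len, data_off) = struct.unpack_from(HEADER_FMT, buf, start)
    # Real records: marker present, room for header + trailing Length, DWORD aligned,
    # inside the buffer, and Length repeated as the last DWORD. The file header (0x30 bytes)
    # fails the minimum-length test, so it is not mistaken for a record.
    if magic != RECORD_MAGIC or length < FIXED_HEADER_LEN + 4 or length % 4:
        return None
    end = start + length
    if end > len(buf) or struct.unpack_from("<I", buf, end - 4)[0] != length:
        return None
    if not (FIXED_HEADER_LEN <= str_off <= length and sid_off + sid_len <= length
            and data_off + data_len <= length):
        return None
    source, nxt = _read_wstr(buf, start + FIXED_HEADER_LEN)   # SourceName follows the header
    computer, _ = _read_wstr(buf, nxt)                          # then Computername
    strings, off = [], start + str_off
    for _ in range(num_strings):
        s, off = _read_wstr(buf, off)
        strings.append(s)
    return {"offset": start, "length": length, "record_number": rec_no,
            "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
            "event_id": event_id & 0xFFFF,          # low word is the ID Event Viewer shows
            "event_type": EVENT_TYPES.get(ev_type, str(ev_type)),
            "source": source, "computer": computer, "strings": strings}


def carve_evt_records(buf):
    """Scan buf for every LfLe marker and keep the candidates that validate."""
    records, pos = [], 0
    while True:
        pos = buf.find(RECORD_MAGIC, pos)
        if pos < 0:
            return records
        rec = parse_record(buf, pos - 4)     # Length sits 4 bytes before the marker
        if rec is None:
            pos += 1                         # header, decoy or damaged record: keep scanning
        else:
            records.append(rec)
            pos = rec["offset"] + rec["length"]


def build_record(rec_no, t_gen, event_id, ev_type, source, computer, strings):
    """Constructed helper: serialize a well-formed record so the demo buffer is self-contained."""
    w = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    body = w(source) + w(computer)
    str_off = FIXED_HEADER_LEN + len(body)
    body += b"".join(w(s) for s in strings)
    data_off = FIXED_HEADER_LEN + len(body)
    while (FIXED_HEADER_LEN + len(body) + 4) % 4:   # pad to DWORD alignment
        body += b"\x00"
    length = FIXED_HEADER_LEN + len(body) + 4
    hdr = struct.pack(HEADER_FMT, length, RECORD_MAGIC, rec_no, t_gen, t_gen, event_id,
                      ev_type, len(strings), 0, 0, rec_no, str_off, 0, data_off, 0, data_off)
    return hdr + body + struct.pack("<I", length)


def demo_buffer():
    """Constructed sample: slack bytes, a valid record, a decoy with a damaged trailer, a second record."""
    rec1 = build_record(1042, 1_100_000_000, 517, 8, "Security", "WKS01", ["Administrator", "WKS01"])
    rec2 = build_record(1043, 1_100_000_060, 528, 8, "Security", "WKS01", ["Administrator", "WKS01", "2"])
    decoy = bytearray(rec1)
    decoy[-4:] = b"\xff\xff\xff\xff"   # trailing Length overwritten: must be rejected
    return b"\x00" * 13 + rec1 + b"garbage" + bytes(decoy) + b"\x90" * 5 + rec2 + b"\x00" * 7


if __name__ == "__main__":
    for r in carve_evt_records(demo_buffer()):
        print(f"@{r['offset']:#06x} #{r['record_number']} {r['time_generated']} "
              f"{r['source']}/{r['event_id']} {r['event_type']}: {r['strings']}")
```

The trailing-length test matters in practice: partially overwritten records in unallocated space still carry the marker, and accepting them on the marker alone produces garbage strings; rejecting them keeps the carved set trustworthy. The same framing rules are what viewing tools check when they open a repaired .evt file.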
In addition, we will look at how to repair corrupted Windows XP/2003 event log files in order to examine them with viewing tools that rely on the use of the Windows API (Event Viewer, Log Parser, Event Analyst, and others). In this chapter, you will learn to: