Chapter 15: Forensic Analysis of Event Logs

Understand the internal structures of the Windows XP/2003 event log so that it can be repaired when “corrupted” in order that the file may be viewed and analyzed by viewers relying on the Windows API. The Windows XP/2003 event log database consists of three distinct object types. There will be one header, one floating footer, and multiple records. Each of these objects contains unique string identifiers that can be used to locate them.

Master It You have located the Windows event log files in a network case. For a variety of reasons, another investigator wishes to view them in a very sophisticated log-analysis program that is based on the Windows event log service API. When you attempt to open them ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Windows Network Forensics and Investigation, 2nd Edition by

Chapter 15: Forensic Analysis of Event Logs

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly