Finding and Recovering Event Logs from Free Space

When an attacker takes over a victim computer, one of their first tasks may be to clear whatever logs exist and to turn off any meaningful logging that is in place. The good news is that the cleared files are often recoverable. In Windows XP and Server 2003, when an event log is cleared, the new event log file is written to a different set of clusters and the original set is often left intact for a long period of time. In Windows Vista and later, the new file reuses the same starting cluster, but if the original file was large it was very likely fragmented, so only its first run is overwritten and large sections of the old data can be recovered intact. In both operating systems, ...
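The paragraph above describes why old log data survives in free space; what an examiner then needs is a way to find it. The following carver is an added example written for this page, not code from the book. It scans raw bytes (free space extracted from an image with a carving tool, or the whole image) for the EVTX chunk signature (`ElfChnk`) and record signature (`**\0\0`) used by Vista and later, and for the `LfLe` record signature of the XP/2003 EVT format, then validates each hit with the record's trailing size copy so that records whose tail was overwritten by the new log are rejected rather than reported with garbage. The sample input is constructed inline and is not a real disk image; the helper names (`carve_evtx_records`, `build_sample_free_space`, etc.) are this example's own.

```python
"""Carve EVTX (Vista+) and EVT (XP/2003) event-record headers out of raw bytes.

Added example for this page, not the book's code. Field offsets follow the
public EVTX and EVT on-disk layouts; the sample input below is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

EVTX_CHUNK_MAGIC = b"ElfChnk\x00"        # start of every 64 KiB EVTX chunk
EVTX_RECORD_MAGIC = b"\x2a\x2a\x00\x00"  # "**\0\0" at the start of every EVTX record
EVT_RECORD_MAGIC = b"LfLe"               # at offset 4 of every XP/2003 EVT record
EVTX_CHUNK_SIZE = 65536
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def carve_evtx_chunks(data):
    """(offset, first_record_number, last_record_number) for each chunk header found.
    Chunks are self-contained, so a lone chunk in free space is still parseable."""
    hits, pos = [], data.find(EVTX_CHUNK_MAGIC)
    while pos != -1:
        if pos + 24 <= len(data):
            first, last = struct.unpack_from("<QQ", data, pos + 8)
            hits.append((pos, first, last))
        pos = data.find(EVTX_CHUNK_MAGIC, pos + 1)
    return hits


def carve_evtx_records(data):
    """(offset, record_id, written_utc, size) for each EVTX record whose header and
    trailing size copy are both intact; partially overwritten records are skipped."""
    hits, pos = [], data.find(EVTX_RECORD_MAGIC)
    while pos != -1:
        if pos + 24 <= len(data):
            size, rec_id, ft = struct.unpack_from("<IQQ", data, pos + 4)
            # 28 = magic + size + record id + FILETIME + trailing size copy
            if 28 <= size <= EVTX_CHUNK_SIZE and pos + size <= len(data):
                tail = struct.unpack_from("<I", data, pos + size - 4)[0]
                if tail == size:
                    hits.append((pos, rec_id, filetime_to_dt(ft), size))
        pos = data.find(EVTX_RECORD_MAGIC, pos + 1)
    return hits


def carve_evt_records(data):
    """(offset, record_number, generated_utc, event_id, event_type) for XP/2003 records.
    The 48-byte EVT file header also carries "LfLe"; the >= 56 length check drops it."""
    hits, pos = [], data.find(EVT_RECORD_MAGIC, 4)
    while pos != -1:
        start = pos - 4  # the 4-byte record length precedes the signature
        if start + 56 <= len(data):
            length = struct.unpack_from("<I", data, start)[0]
            if 56 <= length <= 0x10000 and start + length <= len(data):
                tail = struct.unpack_from("<I", data, start + length - 4)[0]
                if tail == length:
                    rec_num, t_gen, _t_wr, event_id, ev_type = struct.unpack_from("<IIIIH", data, start + 8)
                    hits.append((start, rec_num, datetime.fromtimestamp(t_gen, tz=timezone.utc),
                                 event_id & 0xFFFF, ev_type))  # low 16 bits = the familiar Event ID
        pos = data.find(EVT_RECORD_MAGIC, pos + 1)
    return hits


# --- constructed sample data (not a real image) ------------------------------
def _evtx_record(rec_id, written, payload):
    body = struct.pack("<QQ", rec_id, dt_to_filetime(written)) + payload
    size = 4 + 4 + len(body) + 4
    return EVTX_RECORD_MAGIC + struct.pack("<I", size) + body + struct.pack("<I", size)


def _evt_record(rec_num, generated, event_id, event_type):
    ts = int(generated.timestamp())
    fixed = struct.pack("<IIIIHHHHIIIIII", rec_num, ts, ts, event_id, event_type,
                        0, 0, 0, 0, 56, 0, 56, 0, 56)
    length = 4 + 4 + len(fixed) + 4
    return struct.pack("<I", length) + EVT_RECORD_MAGIC + fixed + struct.pack("<I", length)


def build_sample_free_space():
    """Junk, an orphaned EVTX chunk, one record with its tail overwritten, and an old EVT record."""
    t1 = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 15, 10, 31, tzinfo=timezone.utc)
    chunk = bytearray(EVTX_CHUNK_MAGIC + struct.pack("<QQ", 41, 42))
    chunk += b"\x00" * (512 - len(chunk))               # rest of header, string and template tables
    chunk += _evtx_record(41, t1, b"\x0f\x01" * 40)     # filler stands in for the BinXML payload
    chunk += _evtx_record(42, t2, b"\x0f\x01" * 40)
    truncated = _evtx_record(43, t2, b"\x0f\x01" * 40)[:40]  # partly overwritten by the new log
    junk = b"\xaa" * 300
    evt = _evt_record(7, t1, 0x210, 8)                  # XP: 528 = logon, type 8 = audit success
    return junk + bytes(chunk) + truncated + junk + evt + junk


if __name__ == "__main__":
    blob = build_sample_free_space()
    for off, first, last in carve_evtx_chunks(blob):
        print(f"EVTX chunk @{off}: records {first}..{last}")
    for off, rid, when, size in carve_evtx_records(blob):
        print(f"EVTX record {rid} @{off} written {when.isoformat()} ({size} bytes)")
    for off, num, when, eid, etype in carve_evt_records(blob):
        print(f"EVT record {num} @{off} {when.isoformat()} event {eid} type {etype}")
```

Run it against a block of free space exported from the image (for example `python carve.py < freespace.bin` after swapping the sample for `sys.stdin.buffer.read()`), and feed the offsets of validated chunks to a full EVTX parser; the record-level carve is only a triage view, because the BinXML body needs the chunk's string and template tables to render. Working on the live `%SystemRoot%\System32\winevt\Logs` files is pointless here: the point of the section is that the evidence is in clusters the new, empty log no longer references.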

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.
