
Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson


Finding and Recovering Event Logs from Free Space

When an attacker takes over a victim computer, one of his first tasks may be to dump whatever logs exist and to turn off any meaningful logging that may be in place. The good news here is that the files are very recoverable. In Windows XP and Server 2003, when the event log is cleared, different clusters are allocated to the newly created event log file, and the original set of clusters is often left intact for a long period of time. In Windows Vista and beyond, the same starting cluster is reused for the new file, but if the original file was large it was very likely fragmented, so large sections of its data can still be recovered intact. In both operating systems, ...
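As an added illustration (not code from the book), a small carver for the Vista-and-later EVTX format: it scans a buffer of unallocated space for the 64 KiB chunk signature `ElfChnk`, verifies the chunk header CRC32 so damaged fragments are flagged, and walks the event records each surviving chunk still holds. The sample buffer is constructed inline with stub records that carry no real BinXML; the offsets used are those of the EVTX chunk and record headers.

```python
import struct
import zlib

CHUNK_MAGIC = b"ElfChnk\x00"          # every EVTX chunk starts with this
RECORD_MAGIC = b"\x2a\x2a\x00\x00"    # every event record starts with "**"
CHUNK_SIZE = 0x10000                  # chunks are always 64 KiB

def chunk_crc_ok(chunk: bytes) -> bool:
    """Header CRC32 covers bytes 0x00-0x77 and 0x80-0x1FF; stored at 0x7C."""
    stored = struct.unpack_from("<I", chunk, 0x7C)[0]
    return zlib.crc32(chunk[:0x78] + chunk[0x80:0x200]) & 0xFFFFFFFF == stored

def parse_records(chunk: bytes) -> list:
    """Walk event records from 0x200 up to the chunk's free-space offset."""
    free_off = min(struct.unpack_from("<I", chunk, 0x30)[0], CHUNK_SIZE)
    pos, rec_ids = 0x200, []
    while pos + 0x1C <= free_off and chunk[pos:pos + 4] == RECORD_MAGIC:
        size, rec_id = struct.unpack_from("<IQ", chunk, pos + 4)
        # A sane record repeats its size in its final four bytes.
        if size < 0x1C or pos + size > free_off:
            break
        if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
            break
        rec_ids.append(rec_id)
        pos += size
    return rec_ids

def carve_chunks(data: bytes) -> list:
    """Return (offset, first_rec_no, last_rec_no, record_ids, crc_ok) per chunk."""
    found, start = [], 0
    while (off := data.find(CHUNK_MAGIC, start)) != -1:
        chunk = data[off:off + CHUNK_SIZE]
        if len(chunk) == CHUNK_SIZE:          # skip a signature with no full chunk behind it
            first, last = struct.unpack_from("<QQ", chunk, 0x08)
            found.append((off, first, last, parse_records(chunk), chunk_crc_ok(chunk)))
        start = off + 1
    return found

def build_sample_chunk(rec_ids: list) -> bytes:
    """Constructed test data: a chunk with stub records (no real BinXML inside)."""
    size, body = 0x24, b""
    for rid in rec_ids:
        body += RECORD_MAGIC + struct.pack("<IQQ", size, rid, 0) + bytes(8) + struct.pack("<I", size)
    hdr = bytearray(0x200)
    hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIII", hdr, 8, rec_ids[0], rec_ids[-1], rec_ids[0], rec_ids[-1],
                     0x80, 0x200 + len(body) - size, 0x200 + len(body))
    struct.pack_into("<I", hdr, 0x7C, zlib.crc32(bytes(hdr[:0x78] + hdr[0x80:0x200])) & 0xFFFFFFFF)
    return (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")
```

Run it over a raw free-space extract (for example the output of a disk-image unallocated-space export) by reading the file into `carve_chunks`; chunks whose CRC fails are still worth examining, since a partially overwritten chunk may keep valid records in its first part.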
