Comments on Windows Incident Response: Event Log file format
(Blogger comment feed, 5 comments; feed last updated 2024-03-16)

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-07-08 14:37 -05:00:

SAL,

Thanks for the comments.

I read through the French stuff you found...no, I don't understand French, but I do understand Perl...and I don't see anything in the file that deals with corrupt files. It looks like it looks for the header, and simply reads in and parses the necessary bytes.

I'm thinking about submitting my document for public release, but through my own web site, if necessary.

Anonymous, 2005-07-08 12:43 -05:00:

Actually, I just saw this "FCCU evtreader.pl" tool, which might be of interest, though I haven't tested it yet, nor am I strong in French.

I found it at http://www.d-fence.be/

Anonymous, 2005-07-08 12:12 -05:00:

I'm in support of Harlan's work, as more than once I've come across a corrupt EVT file for which Microsoft's KB response for users (on a live system) is to delete the corrupt EVT file and start anew...not really an option when forensically reviewing data ;)

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-07-07 15:04 -05:00:

Richard,

Yes, I did see that...it was announced just as I was finishing up my research. By that time, though, I'd gotten to the point where I had to finish...call it OCD, call it an addiction... ;-)

Anonymous (https://www.blogger.com/profile/13441809988487585009), 2005-07-07 14:52 -05:00:

Harlan, have you seen GrokEVT (http://www.sentinelchicken.org/projects/grokevt/)?
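The thread above turns on two points: a parser that "looks for the header, and simply reads in and parses the necessary bytes" breaks on a corrupt .evt file, and Microsoft's answer (delete the file and start over) is useless for forensics. The example below is added here and is not Harlan Carvey's document, the FCCU evtreader.pl script, or GrokEVT. It carves individual EVENTLOGRECORD entries out of a classic (pre-Vista) .evt file by scanning for each record's "LfLe" signature and validating the record against its own length fields, so a damaged or overwritten file header does not stop recovery. It assumes the EVENTLOGRECORD layout documented by Microsoft (a 56-byte fixed part followed by source name, computer name, SID, strings and data, with the record length repeated as the last DWORD); the sample file, its header corruption, event numbers and timestamps are constructed for the demonstration.

```python
"""Carve classic Windows .evt (EVENTLOGRECORD) entries by signature.

Added example: it does not trust the 48-byte file header, which is what a
corrupt log typically loses; each record is located by its "LfLe" signature
and accepted only if its leading and trailing length DWORDs agree and every
offset it declares lies inside the record.
"""
import struct
from datetime import datetime, timezone

LFLE = b"LfLe"
FILE_HEADER_SIZE = 0x30   # ELF_LOGFILE_HEADER size (documented by Microsoft)
RECORD_FIXED = 56         # fixed part of EVENTLOGRECORD before variable fields
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def header_is_sane(buf):
    """True if the file header looks intact (size 0x30 followed by 'LfLe')."""
    if len(buf) < FILE_HEADER_SIZE:
        return False
    size, sig = struct.unpack_from("<I4s", buf, 0)
    return size == FILE_HEADER_SIZE and sig == LFLE


def _utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; return (text, next_off)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, off):
    """Parse one EVENTLOGRECORD at off; None if it fails consistency checks."""
    if off + RECORD_FIXED > len(buf):
        return None
    (length, sig, recnum, t_gen, t_wr, event_id, etype, nstrings, category,
     _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
     _data_off) = struct.unpack_from("<I4sIIIIHHHHIIIIII", buf, off)
    if sig != LFLE or length < RECORD_FIXED + 4 or off + length > len(buf):
        return None
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        return None                      # trailing length must repeat the leading one
    if nstrings and not RECORD_FIXED <= str_off < length - 4:
        return None                      # string table would lie outside the record
    rec = buf[off:off + length - 4]      # bound all string reads to this record
    source, p = _utf16z(rec, RECORD_FIXED)
    computer, _ = _utf16z(rec, p)
    strings, p = [], str_off
    for _ in range(nstrings):
        s, p = _utf16z(rec, p)
        strings.append(s)
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"offset": off, "length": length, "record": recnum,
            "time_generated": iso(t_gen), "time_written": iso(t_wr),
            "event_id": event_id & 0xFFFF,   # low word is the displayed event ID
            "type": EVENT_TYPES.get(etype, str(etype)), "category": category,
            "source": source, "computer": computer, "strings": strings}


def carve(buf):
    """Return every self-consistent record found anywhere in buf."""
    records, pos = [], 0
    while (pos := buf.find(LFLE, pos)) != -1:
        rec = parse_record(buf, pos - 4) if pos >= 4 else None   # length precedes 'LfLe'
        if rec is None:
            pos += len(LFLE)             # false hit or torn record: keep scanning
            continue
        records.append(rec)
        pos = rec["offset"] + rec["length"]
    return records


def build_record(recnum, when, event_id, etype, source, computer, strings):
    """Construct a minimal EVENTLOGRECORD (no SID, no binary data) for testing."""
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    str_off = RECORD_FIXED + len(body)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = RECORD_FIXED + len(body)
    length = RECORD_FIXED + len(body) + 4
    fixed = struct.pack("<I4sIIIIHHHHIIIIII", length, LFLE, recnum, when, when, event_id,
                        etype, len(strings), 0, 0, recnum, str_off, 0, data_off, 0, data_off)
    return fixed + body + struct.pack("<I", length)


# Constructed sample: the header signature is overwritten (Event Viewer would call this
# corrupt), a run of junk containing a false "LfLe" sits between records, and the file
# ends with a truncated copy of the last record.
T0 = 1120766640  # 2005-07-07T20:04:00Z, chosen to match the thread's date
REC1 = build_record(1, T0, 528, 8, "Security", "WORKSTATION1", ["Administrator", "WORKSTATION1"])
REC2 = build_record(2, T0 + 60, 7036, 4, "Service Control Manager", "WORKSTATION1", ["Event Log", "running"])
REC3 = build_record(3, T0 + 120, 529, 16, "Security", "WORKSTATION1", ["guest", "WORKSTATION1"])
SAMPLE = (struct.pack("<I", FILE_HEADER_SIZE) + b"XXXX" + b"\x00" * 40
          + REC1 + REC2 + b"\xde\xad\xbe\xef" * 5 + LFLE + b"\x00" * 12 + REC3 + REC3[:40])

if __name__ == "__main__":
    print("header sane:", header_is_sane(SAMPLE))
    for r in carve(SAMPLE):
        print(r["record"], r["time_generated"], r["source"], r["event_id"], r["type"], r["strings"])
```

The scan is deliberately independent of the header's start/end offsets and record counts, so it also recovers records from free space, unallocated clusters or a memory dump where no header exists at all; the cost is that the trailing-length and offset checks are the only thing separating a real record from a chance "LfLe" hit, which is why both are enforced before a record is accepted.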