Unfortunately, when an event log file is copied from a Windows system for further investigation, it often turns out to be unusable: the viewer refuses it as corrupt.
A Windows event log file in the classic .evt format contains a so-called floating footer (the EOF record). It sits at the offset where the next record will be written and moves forward as records are appended. This footer holds metadata that is maintained in real time: the offset of the oldest record, the offset of the footer itself, and the oldest and next record numbers. The same four fields also exist in the file header, but the header is only synchronised with the footer when the log is closed properly. While the log is open for writing, the dirty bit (the lowest bit of the header's flags field) is set, so the status value reads as odd. If the file was not closed cleanly, the header still carries stale values and the dirty flag, and any viewer that relies on the event log API will report the file as corrupt, even though the records themselves are intact. This frequently happens in forensics when you pull the plug or do a live acquisition. In that case you need to repair the event log: copy the footer's values back into the header and clear the dirty bit, working on a copy rather than on the original evidence.
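As an added example (not code from the original post), the following PowerShell script reads a copied .evt file, decodes the header flags, locates the floating footer by its signature, compares the two, and with -Repair writes a synchronised copy. It assumes the EVENTLOGHEADER and EVENTLOGEOF layouts documented by Microsoft; the parameter names, the Read-U32/Test-EofRecord helpers and the .repaired.evt output name are this example's own.

```powershell
# Added example, not from the original post. Inspects a legacy .evt file,
# decodes the header flags, finds the floating footer and optionally writes a
# repaired copy whose header is synced from the footer with the dirty bit cleared.
param(
    [Parameter(Mandatory)][string]$Path,   # path to the copied .evt file (assumed name)
    [switch]$Repair                        # write a repaired copy next to it
)

function Read-U32([byte[]]$Buf, [int]$Off) { [BitConverter]::ToUInt32($Buf, $Off) }

$bytes = [System.IO.File]::ReadAllBytes($Path)

# ELF_LOGFILE_HEADER is 48 bytes; its signature "LfLe" (0x654C664C) sits at offset 4.
if ($bytes.Length -lt 48 -or (Read-U32 $bytes 4) -ne 0x654C664C) {
    throw "Not a legacy .evt file (missing LfLe signature): $Path"
}

$flags = Read-U32 $bytes 36
$header = [pscustomobject]@{
    StartOffset         = Read-U32 $bytes 16   # offset of the oldest record
    EndOffset           = Read-U32 $bytes 20   # offset of the floating footer
    CurrentRecordNumber = Read-U32 $bytes 24   # number of the next record to be written
    OldestRecordNumber  = Read-U32 $bytes 28
    Dirty               = [bool]($flags -band 0x1)   # ELF_LOGFILE_HEADER_DIRTY: status is "odd"
    Wrapped             = [bool]($flags -band 0x2)   # ELF_LOGFILE_HEADER_WRAP
    Full                = [bool]($flags -band 0x4)   # ELF_LOGFILE_LOGFULL_WRITTEN
}

# The floating footer (ELF_EOF_RECORD) is 40 bytes: RecordSizeBeginning (0x28), the four
# magic DWORDs 0x11111111 0x22222222 0x33333333 0x44444444, BeginRecord, EndRecord,
# CurrentRecordNumber, OldestRecordNumber and RecordSizeEnd (0x28).
function Test-EofRecord([byte[]]$Buf, [long]$Off) {
    ($Off -ge 48) -and ($Off + 40 -le $Buf.Length) -and
    (Read-U32 $Buf $Off)        -eq 0x28 -and
    (Read-U32 $Buf ($Off + 4))  -eq 0x11111111 -and
    (Read-U32 $Buf ($Off + 8))  -eq 0x22222222 -and
    (Read-U32 $Buf ($Off + 12)) -eq 0x33333333 -and
    (Read-U32 $Buf ($Off + 16)) -eq 0x44444444 -and
    (Read-U32 $Buf ($Off + 36)) -eq 0x28
}

# On a cleanly closed log the header already points at the footer. On a dirty copy
# EndOffset is stale, so scan the file instead; records are DWORD aligned, so step by 4.
$eofOffset = -1
if (Test-EofRecord $bytes $header.EndOffset) {
    $eofOffset = [long]$header.EndOffset
} else {
    for ($i = 48; $i -le $bytes.Length - 40; $i += 4) {
        if (Test-EofRecord $bytes $i) { $eofOffset = $i; break }
    }
}
if ($eofOffset -lt 0) { throw "No floating footer found; the file is truncated or not an .evt log" }

$footer = [pscustomobject]@{
    Offset              = $eofOffset
    BeginRecord         = Read-U32 $bytes ($eofOffset + 20)
    EndRecord           = Read-U32 $bytes ($eofOffset + 24)
    CurrentRecordNumber = Read-U32 $bytes ($eofOffset + 28)
    OldestRecordNumber  = Read-U32 $bytes ($eofOffset + 32)
}

$header | Format-List
$footer | Format-List

$inSync = ($header.StartOffset -eq $footer.BeginRecord) -and
          ($header.EndOffset -eq $footer.EndRecord) -and
          ($header.CurrentRecordNumber -eq $footer.CurrentRecordNumber) -and
          ($header.OldestRecordNumber -eq $footer.OldestRecordNumber)
if ($header.Dirty -or -not $inSync) {
    Write-Warning "Log was not closed cleanly: dirty=$($header.Dirty), header/footer in sync=$inSync"
}

if ($Repair) {
    # Never modify the evidence file: write the synced header into a copy.
    $out = [System.IO.Path]::ChangeExtension($Path, '.repaired.evt')
    $fixed = [byte[]]$bytes.Clone()
    [BitConverter]::GetBytes([uint32]$footer.BeginRecord).CopyTo($fixed, 16)
    [BitConverter]::GetBytes([uint32]$footer.EndRecord).CopyTo($fixed, 20)
    [BitConverter]::GetBytes([uint32]$footer.CurrentRecordNumber).CopyTo($fixed, 24)
    [BitConverter]::GetBytes([uint32]$footer.OldestRecordNumber).CopyTo($fixed, 28)
    [BitConverter]::GetBytes([uint32]($flags -band -bnot 1)).CopyTo($fixed, 36)   # clear the dirty bit
    [System.IO.File]::WriteAllBytes($out, $fixed)
    "Repaired copy written to $out"
}
```

Run it as `.\Repair-Evt.ps1 -Path C:\cases\SecEvent.Evt` to inspect, and add `-Repair` to produce the synced copy; the original file is never written to. On a log that has wrapped, the footer can sit well before the physical end of the file, which is why the script scans for its signature instead of trusting either the header's EndOffset or the file length.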
Continue reading "Explore copied eventlog with PowerShell" »