Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Workarounds for Windows Event File corruption

from [Jeff Bryner] Network Security [Permanent Link]
Subject: Workarounds for Windows Event File corruption
Date: Fri, 7 Jan 2005 10:14:59 -0800 (PST) 
I'm working on a case where I'd like to get time stamp info out of a
windows application event log (AppEvent.evt). 

If I copy the file to another windows box and open it via event viewer
I get the dreaded message about the file being corrupted. 

Web searches all lead to support articles suggesting deletion of the
file to recover..obvioulsy not my solution. 

I can strings -el the file and get the descriptions of the events but I
*really* want the time stamp associated with the entries. 

I've tried hex editing the file manually to match the header/footer to
what I'm seeing in other working event log files, but I haven't found
the right combination yet. 

Ideally I'd like to be able to open it on another windows box and
capture screen prints of the events. 

Any clues from this group? 

Thanks,

Jeff.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Contest for a trip to CanSecWest/core05, Philippe Biondi
Next by Date:  RE: Workarounds for Windows Event File corruption, dave kleiman
Previous by Thread:  Contest for a trip to CanSecWest/core05, Philippe Biondi
Next by Thread:  RE: Workarounds for Windows Event File corruption, dave kleiman
Indexes:  [Date] [Thread] [Top] [All Lists]