Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring

Event Logs

Many times, an examination of the Windows Event Log records will provide very useful information that bears on your investigation. The Event Log holds a fairly wide array of information, from records of failed attempts to log in to the system to the system being shut down and rebooted. When working with the Event Log on a live system, most people interact with it through the Event Viewer. One technique a forensic analyst may use to analyze an Event Log during an investigation is to extract the .evt file from the image and then attempt to open it in the Event Viewer on the analysis system. However, this does not always work; many analysts have reported receiving an error message stating that the Event Log is corrupt. That message comes from the Windows API, so what if, as with the Registry, we could parse the contents of the Event Log files without using the API at all?

Evt2xls.pl

Evt2xls.pl is a Perl script that I developed over time, and I have found it to be extremely useful. I started with a simple script that parsed through the .evt file in binary mode and retrieved event records for me, writing them out to the console. This got to be somewhat cumbersome over time, as there was more that I wanted to do with the script, so I wrote a module to encapsulate and hide the routines I'd been writing. From there, I...
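The following is an added example of the binary-mode approach described above; it is not Carvey's evt2xls.pl or his module, and the script name evtcarve.pl is a placeholder. It reads a classic (NT/2000/XP/2003) .evt file without calling the Windows API: instead of trusting the offsets in the 48-byte file header, it locates each record by its "LfLe" signature, checks that the record's Length field is repeated in its last DWORD, and unpacks the documented EVENTLOGRECORD fields. Because the header is never consulted, a log whose header is stale or marked dirty (a state the API may report as "corrupt") still yields its records. When no file is given on the command line it parses a constructed sample log built inline; the record contents, computer name and timestamps in that sample are made up, although 529 (logon failure) and 6006 (event log service stopped) are real XP-era event IDs.

```perl
#!/usr/bin/perl
# evtcarve.pl - carve records out of a classic .evt file without the Event
# Log API, by scanning for the "LfLe" record signature. Added example,
# not Carvey's evt2xls.pl; the script name is hypothetical.
use strict;
use warnings;
use Encode qw(encode decode);

# Fixed 56-byte prefix of an EVENTLOGRECORD, all little-endian:
#   Length, "LfLe", RecordNumber, TimeGenerated, TimeWritten, EventID,
#   EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
#   StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
# SourceName and ComputerName follow as null-terminated UTF-16LE strings,
# insertion strings sit at StringOffset, and Length is repeated as the last DWORD.
my $REC_HDR     = 'V a4 V V V V v v v v V V V V V V';
my $REC_HDR_LEN = 56;
my %TYPE = (1 => 'Error', 2 => 'Warning', 4 => 'Information',
            8 => 'Audit Success', 16 => 'Audit Failure');

# Decode a null-terminated UTF-16LE string at $off; returns (string, next offset).
sub utf16z {
    my ($buf, $off) = @_;
    my $end = $off;
    while ($end + 1 < length $buf) {
        last if substr($buf, $end, 2) eq "\0\0";
        $end += 2;
    }
    return (decode('UTF-16LE', substr($buf, $off, $end - $off)), $end + 2);
}

# Parse one record starting at $start; undef if the bytes there are not a
# complete record (the 48-byte file header, for instance, fails the length check).
sub parse_record {
    my ($buf, $start) = @_;
    return undef if $start < 0 || $start + $REC_HDR_LEN > length $buf;
    my ($len, $sig, $recnum, $tgen, $twrit, $eid, $etype, $nstr, $cat, $rflags,
        $closing, $stroff, $sidlen, $sidoff, $dlen, $doff)
        = unpack($REC_HDR, substr($buf, $start, $REC_HDR_LEN));
    return undef unless $sig eq 'LfLe';
    return undef if $len < $REC_HDR_LEN + 4 || $start + $len > length $buf;
    return undef unless unpack('V', substr($buf, $start + $len - 4, 4)) == $len;

    my $rec = substr($buf, $start, $len);
    my ($source, $next) = utf16z($rec, $REC_HDR_LEN);
    my ($computer)      = utf16z($rec, $next);
    my @strings;
    my $off = $stroff;
    for (1 .. $nstr) {
        last if $off + 1 >= $len;
        (my $s, $off) = utf16z($rec, $off);
        push @strings, $s;
    }
    return {
        length => $len, recnum => $recnum, time => $tgen,
        eventid => $eid & 0xFFFF,          # Event Viewer shows the low 16 bits
        type    => $TYPE{$etype} || "Unknown($etype)",
        source  => $source, computer => $computer, strings => \@strings,
    };
}

# Walk the whole file for "LfLe"; the Length field sits 4 bytes before it.
sub carve_records {
    my ($buf) = @_;
    my @recs;
    my $pos = 0;
    while (($pos = index($buf, 'LfLe', $pos)) >= 0) {
        my $rec = parse_record($buf, $pos - 4);
        if ($rec) { push @recs, $rec; $pos = $pos - 4 + $rec->{length}; }
        else      { $pos += 4; }
    }
    return @recs;
}

# Build a record in the layout above (used only for the constructed sample).
sub build_record {
    my %r     = @_;
    my $body  = join '', map { encode('UTF-16LE', $_) . "\0\0" } $r{source}, $r{computer};
    my $stroff = $REC_HDR_LEN + length $body;
    my $strs  = join '', map { encode('UTF-16LE', $_) . "\0\0" } @{ $r{strings} };
    $body .= $strs;
    my $len = $REC_HDR_LEN + length($body) + 4;
    my $pad = (4 - $len % 4) % 4;          # records are DWORD-aligned
    $body .= "\0" x $pad;
    $len  += $pad;
    my $hdr = pack($REC_HDR, $len, 'LfLe', $r{recnum}, $r{time}, $r{time},
        $r{eventid}, $r{type}, scalar @{ $r{strings} }, 0, 0, 0, $stroff,
        0, 0, 0, $stroff + length $strs);
    return $hdr . $body . pack('V', $len);
}

# Read a real .evt if given; otherwise use a constructed sample whose header has
# the dirty flag set and a bogus EndOffset, followed by two made-up records.
my $evt;
if (@ARGV) {
    open my $fh, '<:raw', $ARGV[0] or die "$ARGV[0]: $!";
    local $/;
    $evt = <$fh>;
    close $fh;
} else {
    my @sample = (
        { recnum => 1, time => 1199145600, eventid => 529, type => 16,
          source => 'Security', computer => 'WORKSTATION1',
          strings => ['Administrator', 'WORKSTATION1', '2'] },
        { recnum => 2, time => 1199145660, eventid => 6006, type => 4,
          source => 'EventLog', computer => 'WORKSTATION1', strings => [] },
    );
    $evt = pack('V a4 V V V V V V V V V V',
        0x30, 'LfLe', 1, 1, 0x30, 0xFFFFFFFF, 3, 1, 0x80000, 1, 0, 0x30)
         . join '', map { build_record(%$_) } @sample;
}

printf "%-4s %-24s %-13s %-10s %-5s %s\n", 'Rec', 'Time (UTC)', 'Type', 'Source', 'ID', 'Strings';
for my $r (carve_records($evt)) {
    printf "%-4d %-24s %-13s %-10s %-5d %s\n", $r->{recnum}, scalar gmtime($r->{time}),
        $r->{type}, $r->{source}, $r->{eventid}, join('|', @{ $r->{strings} });
}
```

Run it as `perl evtcarve.pl` to see the two constructed records, or `perl evtcarve.pl SecEvent.Evt` against a log extracted from an image. The signature scan also recovers records from unallocated space inside the file (after the header's EndOffset) that the Event Viewer would never display, which is worth checking on any log where the header and the record chain disagree.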
