Archive for July, 2007

The consequences of the Sulzer affair for BCZ

Tuesday, July 17th, 2007

Recap of the facts: Last April, BCZ came under fire for having helped the Russian oligarch Viktor Vekselberg and the Austrian investors Ronny Pecik and Georg Stumpf take a stake in Sulzer, even though ...

CfP open for ACM SIGOPS Special Issue on Computer Forensics

Monday, July 16th, 2007

By Andreas Schuster
Copyright © 2007 int for(ensic){blog;}. All rights reserved.

ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially the emerging areas of live forensics and the analysis of volatile data.

The call for papers closes on December 1st, 2007.

(via Bradley Schatz)

musings on bridging the gap and the blue wall

Monday, July 16th, 2007

For a few years I've been trying to figure out how to pierce the blue wall to bridge the gap between law enforcement (government, state and local) such that people like myself can actually do some good with their skills. Why? Well when in school, afte...

Workplace Drug Use

Monday, July 16th, 2007

This is hot off of the presses and quite interesting:
http://news.yahoo.com/s/ap/20070716/ap_on_bi_ge/workers_drug_use

The rise of network forensics

Saturday, July 14th, 2007

I am starting to think that "network forensics" is going to quickly become the next "big thing"(TM) in the digital forensics discipline. Well, what is network forensics? By definition: Network forensics is the capture, recording, and analysis of networ...

Search for Amelia Earhart continues…

Saturday, July 14th, 2007

by team uab, lsw

A research team from the International Group for Historic Aircraft Recovery (TIGHAR) is en route to the South Pacific island of Nikumaroro, where some believe Amelia Earhart and Fred Noonan may have become stranded in 1937: Once at the 2...

Determining memory consumption

Thursday, July 12th, 2007

As I've been developing the methodology I talked about previously, one of the problem areas that's arisen is determining system impact. One component of impact is determining memory consumption. There's a lot of work to be done here because of the c...

Greetings and welcome to a new kind of blog

Thursday, July 12th, 2007

I am glad you have found your way to visit this specialty blog, one that is dedicated to the discussion of the vast disciplines of the forensic sciences. This public forum intends to be a conduit for exchanging information on many topics that will interest forensic science professionals, law practitioners and enforcers, and folks [...]

Drugs, Health Care, Sicko, and Forensic Medicine

Thursday, July 12th, 2007

Over the past few weeks, a few things have been on my mind that have me conflicted. It started with a conversation over a birthday meal for a pharmacist friend of mine with some of her colleagues in attendance. We were at Gainesville’s Mediterranean lounge and cafe, Farah’s, relaxing over a meal of [...]

Evtx Event Record

Wednesday, July 11th, 2007

By Andreas Schuster

This article documents the structure of a single event record within a Vista Event Log (.evtx) file. The event records follow one another directly, starting right after the chunk header.

Evtx Event Record Structure

Offset  Type      Meaning
0x00    char[4]   Magic, const 0x2A, 0x2A, 0x00, 0x00
0x04    uint32    Length1
0x08    int64     NumLogRecord
0x10    FILETIME  TimeCreated
var.    char[]    BinXmlStream
var.    uint32    Length2

The event record starts with a magic string, two asterisks followed by two null bytes. It is framed by matching length indications. They state the whole record's size, from the magic string to the trailing length indicator. This is similar to the record structure of the old NT event logging service. The length indications at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions.

NumLogRecord states the record number, relative to the log channel. The log channel may consist of several log files which are consecutively written to.

TimeCreated tells the date and time when the record was created. The timestamp is given as a FILETIME, that is in units of 100 nanoseconds since 1601-01-01T00:00:00.

The following BinXmlStream contains the logged information. This is a complex stream, consisting of XML data, which has been encoded in a proprietary binary format. The encoding scheme will be the subject of several subsequent postings.

Both the record number and the timestamp are also given within the binary XML stream. Seemingly they are repeated outside of the complex binary XML stream in order to allow the event logging service to sort and filter records by number or time efficiently.
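The record framing described above, as an added example that is not part of the original article: a small parser that reads the fixed fields of an .evtx event record, checks that Length1 and Length2 agree (so a truncated or corrupted record is rejected rather than misaligning the chain), converts the FILETIME, and walks consecutive records. The BinXmlStream payloads used for testing are constructed opaque bytes, since the encoding is not covered here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not the blog's own code: parse the fixed part of an EVTX
# event record and walk the record chain using the framing lengths.
MAGIC = b"**\x00\x00"             # two asterisks followed by two null bytes
HEADER = struct.Struct("<4sIqQ")  # magic, Length1, NumLogRecord, FILETIME
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert 100-ns ticks since 1601-01-01 to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_record(buf, offset=0):
    """Return (record_dict, next_offset) for the record at buf[offset:].

    Both length fields are validated, so a record that is cut off or whose
    trailing length was overwritten raises instead of yielding a bad chain."""
    if len(buf) - offset < HEADER.size + 4:
        raise ValueError("buffer too short for a record header")
    magic, length1, num, ft = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError("bad magic at offset 0x%x" % offset)
    end = offset + length1
    if length1 < HEADER.size + 4 or end > len(buf):
        raise ValueError("Length1 %d out of range at 0x%x" % (length1, offset))
    (length2,) = struct.unpack_from("<I", buf, end - 4)
    if length2 != length1:
        raise ValueError("Length1/Length2 mismatch at 0x%x" % offset)
    binxml = buf[offset + HEADER.size:end - 4]   # opaque here, parsed later
    return {"number": num, "created": filetime_to_datetime(ft),
            "binxml": binxml}, end

def build_record(num, ft, binxml):
    """Construct a record with matching framing (used to make sample data)."""
    length = HEADER.size + len(binxml) + 4
    return HEADER.pack(MAGIC, length, num, ft) + binxml + struct.pack("<I", length)

def walk_records(buf):
    """Yield records in forward order until the magic no longer matches."""
    offset = 0
    while offset + HEADER.size <= len(buf) and buf.startswith(MAGIC, offset):
        rec, offset = parse_record(buf, offset)
        yield rec
```

Backward traversal works the same way: read Length2 at the end of the buffer and step back that many bytes to the previous record's magic.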