EnCase App Central

EVTX Log Entry Finder

This script locates deleted Microsoft Windows EVTX event-log records. Rather than searching for individual records, it searches for event-log chunks, which together with the event-log file header make up a complete EVTX log file. The reason is that a chunk is a self-contained entity but the records within it are not: EVTX log files use a template system to save space, so the templates and common strings needed to decode a record are stored earlier in the same chunk. A deleted record can therefore be found by searching for its signature with a GREP keyword, but there is a good chance that what follows the hit is not the complete record, because some of the record's data is held at an earlier location in the associated chunk.

Having found a possible chunk, the script fabricates a virtual EVTX file in memory consisting of a static file header followed by the chunk; it then uses EnCase's own event-log parsing functionality to parse the records in that file.

Bear in mind that parsing deleted EVTX data is not without risk: corrupt data can cause an unrecoverable error. Should this happen, the console logs can help you identify the data causing the problem so that you can take steps to avoid parsing it.
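The chunk-carving approach described above, as an added example in Python. This is not the EnScript from the page (EnCase apps are written in EnScript); it shows the same three steps against raw bytes: find "ElfChnk" chunk signatures and check both chunk checksums before trusting a hit, walk the records structurally from offset 512 up to the chunk's free-space offset, and prepend a synthesized "ElfFile" header so that a standard EVTX parser has a well-formed file to work on. The field offsets follow the publicly documented EVTX layout; the sample chunk, its placeholder record bodies and the surrounding filler bytes are constructed here for illustration and are not real log data. The checksum check is what keeps a damaged or partially overwritten chunk from reaching the parser, which is the failure mode the caveat above warns about.

```python
"""Carve EVTX chunks from raw bytes and wrap each in a synthesized file header.

Added example, not the EnScript this page describes. Offsets follow the public
EVTX format documentation; all sample data below is constructed.
"""
import struct
import zlib
from typing import Iterator, Optional

CHUNK_SIZE = 0x10000          # EVTX chunks are 64 KiB
CHUNK_HEADER_SIZE = 0x200     # event records start at chunk offset 512
FILE_HEADER_SIZE = 0x1000     # the file header block is 4 KiB
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_MAGIC = b"ElfFile\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # '**\0\0', the per-record signature


def chunk_header_crc(chunk: bytes) -> int:
    """CRC32 over header bytes 0..119 and 128..511; bytes 120..127 (flags, CRC) are excluded."""
    return zlib.crc32(chunk[0:120] + chunk[128:512]) & 0xFFFFFFFF


def validate_chunk(chunk: bytes) -> Optional[dict]:
    """Return the parsed chunk header if the 64 KiB buffer is a checksum-consistent chunk."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC:
        return None
    (first_num, last_num, first_id, last_id, hdr_size,
     last_rec_off, free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    hdr_crc = struct.unpack_from("<I", chunk, 0x7C)[0]
    if hdr_size != 128 or not (CHUNK_HEADER_SIZE <= free_off <= CHUNK_SIZE):
        return None
    if hdr_crc != chunk_header_crc(chunk):
        return None                     # header damaged or not a real chunk
    if rec_crc != (zlib.crc32(chunk[CHUNK_HEADER_SIZE:free_off]) & 0xFFFFFFFF):
        return None                     # record area partially overwritten: do not parse
    return {"first_record_id": first_id, "last_record_id": last_id,
            "last_record_offset": last_rec_off, "free_space_offset": free_off}


def carve_chunks(data: bytes) -> Iterator[tuple]:
    """Yield (offset, header) for every validated chunk found in a raw byte buffer."""
    pos = data.find(CHUNK_MAGIC)
    while pos != -1:
        hdr = validate_chunk(data[pos:pos + CHUNK_SIZE])
        if hdr is not None:
            yield pos, hdr
            pos = data.find(CHUNK_MAGIC, pos + CHUNK_SIZE)
        else:
            pos = data.find(CHUNK_MAGIC, pos + 1)


def iter_records(chunk: bytes, free_off: int) -> Iterator[dict]:
    """Walk records structurally: signature, size, record id, FILETIME, BinXML, size copy."""
    off = CHUNK_HEADER_SIZE
    while off + 24 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ftime = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > free_off:
            break                       # truncated record: stop rather than misparse
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break                       # trailing size copy disagrees with the header
        yield {"offset": off, "id": rec_id, "size": size, "filetime": ftime}
        off += size


def make_virtual_evtx(chunk: bytes, hdr: dict) -> bytes:
    """Prepend a synthesized 4 KiB file header describing a one-chunk log file."""
    header = bytearray(FILE_HEADER_SIZE)
    struct.pack_into("<8sQQQIHHHH", header, 0, FILE_MAGIC,
                     0, 0,                      # first and last chunk number
                     hdr["last_record_id"] + 1, # next record identifier
                     128, 1, 3,                 # header size, minor version, major version
                     FILE_HEADER_SIZE, 1)       # header block size, number of chunks
    struct.pack_into("<I", header, 0x78, 0)     # file flags: clean
    struct.pack_into("<I", header, 0x7C, zlib.crc32(bytes(header[:120])) & 0xFFFFFFFF)
    return bytes(header) + chunk


def build_sample_chunk(record_ids=(1, 2)) -> bytes:
    """Construct a minimal checksum-consistent chunk (sample data, not a real log)."""
    chunk = bytearray(CHUNK_SIZE)
    off = last_off = CHUNK_HEADER_SIZE
    for rid in record_ids:
        body = b"\x0f\x01\x01\x00"             # placeholder BinXML fragment header (constructed)
        size = 4 + 4 + 8 + 8 + len(body) + 4
        struct.pack_into("<4sIQQ", chunk, off, RECORD_MAGIC, size, rid, 0x01D0000000000000 + rid)
        chunk[off + 24:off + 24 + len(body)] = body
        struct.pack_into("<I", chunk, off + size - 4, size)
        last_off, off = off, off + size
    struct.pack_into("<8sQQQQIIII", chunk, 0, CHUNK_MAGIC,
                     0, len(record_ids) - 1, record_ids[0], record_ids[-1],
                     128, last_off, off,
                     zlib.crc32(bytes(chunk[CHUNK_HEADER_SIZE:off])) & 0xFFFFFFFF)
    struct.pack_into("<I", chunk, 0x7C, chunk_header_crc(bytes(chunk)))
    return bytes(chunk)


def corrupted_copy(chunk: bytes) -> bytes:
    """Flip one byte inside the first record, as a partially overwritten chunk would look."""
    buf = bytearray(chunk)
    buf[CHUNK_HEADER_SIZE + 30] ^= 0xFF
    return bytes(buf)


def demo() -> list:
    """Embed the sample chunk in filler bytes and carve it back out as a virtual EVTX file."""
    chunk = build_sample_chunk((41, 42, 43))
    blob = b"\x00" * 1000 + b"**\x00\x00junk" + chunk + b"\xff" * 300   # constructed 'slack'
    results = []
    for offset, hdr in carve_chunks(blob):
        virt = make_virtual_evtx(blob[offset:offset + CHUNK_SIZE], hdr)
        ids = [r["id"] for r in iter_records(virt[FILE_HEADER_SIZE:], hdr["free_space_offset"])]
        results.append((offset, ids, virt[:8]))
    return results


if __name__ == "__main__":
    for offset, ids, magic in demo():
        print(f"chunk at {offset}: records {ids}, virtual file starts with {magic!r}")
```

The stray "**\0\0" in the filler is the point of the page's argument: a record-signature GREP hit tells you nothing on its own, whereas a chunk hit that survives both CRC checks carries everything needed to decode its records. Real carved chunks will contain genuine BinXML that still has to be decoded against the chunk's template table, which this example leaves to the EVTX parser the virtual file is handed to.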


Version: 1
Tested with:
EnCase Forensic 7.1
Developer: Simon Key
Category: Artifact

3603 DOWNLOADS

YOU MAY ALSO LIKE

WebCacheV01.dat Internet History Decoder (Artifact)
This EnScript parses Internet history data from WebCacheV01.dat files, including the history generated by the Microsoft Internet Explorer and Edge web browsers.
By Simon Key, 7449 Downloads

ShellBags Parser (Artifact)
Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key, 141 Downloads

User Assist Registry Value Decoder (Artifact)
Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key, 98 Downloads

Windows Search Application Data Parser (Artifact)
This script parses data maintained by the Windows search function relating to recently-used applications and documents.
By Simon Key, 84 Downloads