
EnCase App Central


EVTX Log Entry Finder

This script locates deleted Microsoft Windows EVTX event-log records. It works by searching for event-log chunks, the 64 KB blocks that, together with the event-log file header, make up a complete EVTX log file. The reason for not searching for individual records is that a chunk is a self-contained unit whereas a record is not: EVTX log files use a template system to save space, so a record's binary XML refers to templates and common strings stored earlier in the same chunk. This means that even though it is possible to find a deleted record by searching for its signature with a GREP keyword, there is a good chance that what follows will not be the complete record, because some of the data the record depends on is stored at an earlier location in the associated chunk.

Having found a possible chunk, the script fabricates a virtual EVTX file in memory consisting of a static file header followed by the chunk; it then uses EnCase's own event-log parsing functionality to parse the records in that file.

Bear in mind that parsing deleted EVTX data is not without risk: corrupt data can cause an unrecoverable error. Should this happen, the console logs can help you identify the data causing the problem so that you can take steps to exclude it from parsing.
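As an added illustration of the approach described above (Python written for this page, not the EnScript the app ships with, and EnCase's own parser is not modelled), the following code carves `ElfChnk` chunk candidates out of a byte buffer, checks both CRC32 values in the chunk header before trusting the chunk, walks the record chain using only the record headers, and prepends a fabricated `ElfFile` header to produce a one-chunk virtual EVTX file. Header offsets follow the publicly documented EVTX chunk and file header layout; the "unallocated space" buffer, its record bodies and the FILETIME value are constructed placeholders, not real events, and the binary XML is not decoded.

```python
import struct
import zlib

CHUNK_SIZE = 0x10000               # every EVTX chunk is exactly 64 KiB
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_MAGIC = b"ElfFile\x00"
FILE_HEADER_SIZE = 0x1000          # the file header block is padded to 4 KiB
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
RECORD_MIN_SIZE = 28               # magic + size + record id + FILETIME + trailing size copy

def chunk_header_checksum(chunk: bytes) -> int:
    """CRC32 over header bytes 0-119 and the string/template tables at 128-511 (skips flags and stored CRC)."""
    return zlib.crc32(chunk[0:120] + chunk[128:512]) & 0xFFFFFFFF

def chunk_is_valid(chunk: bytes) -> bool:
    """Trust a candidate only if its size, offsets and both CRC32s agree: a chunk partially
    overwritten after deletion is rejected here instead of crashing a parser later."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_MAGIC:
        return False
    header_size, last_rec_off, free_off, records_crc = struct.unpack_from("<IIII", chunk, 40)
    if header_size != 128 or not (512 <= last_rec_off < free_off <= CHUNK_SIZE):
        return False
    if struct.unpack_from("<I", chunk, 124)[0] != chunk_header_checksum(chunk):
        return False
    # the records CRC32 covers the record data between the 512-byte header and the free-space offset
    return (zlib.crc32(chunk[512:free_off]) & 0xFFFFFFFF) == records_crc

def iter_records(chunk: bytes):
    """Walk the record chain from the record headers alone (binary XML not decoded);
    yields (offset, record_id, size) and stops at the first torn record."""
    free_off = struct.unpack_from("<I", chunk, 48)[0]
    off = 512
    while off + RECORD_MIN_SIZE <= free_off:
        if chunk[off:off + 4] != RECORD_MAGIC:
            break
        size, record_id = struct.unpack_from("<IQ", chunk, off + 4)
        if size < RECORD_MIN_SIZE or off + size > free_off:
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:   # size is repeated at the end
            break
        yield off, record_id, size
        off += size

def build_virtual_evtx(chunk: bytes) -> bytes:
    """Prepend a fabricated file header so the orphan chunk becomes a complete one-chunk EVTX file."""
    last_record_id = struct.unpack_from("<Q", chunk, 32)[0]
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[0:8] = FILE_MAGIC
    struct.pack_into("<QQQ", hdr, 8, 0, 0, last_record_id + 1)      # first/last chunk number, next record id
    struct.pack_into("<IHHHH", hdr, 32, 128, 1, 3, FILE_HEADER_SIZE, 1)  # header size, minor 1, major 3, block size, chunk count
    struct.pack_into("<I", hdr, 120, 0)                              # flags: neither dirty nor full
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])) & 0xFFFFFFFF)
    return bytes(hdr) + chunk

def carve_chunks(data: bytes) -> list:
    """Offsets of every chunk signature in `data` that also passes validation."""
    hits, pos = [], data.find(CHUNK_MAGIC)
    while pos != -1:
        if chunk_is_valid(data[pos:pos + CHUNK_SIZE]):
            hits.append(pos)
        pos = data.find(CHUNK_MAGIC, pos + 1)
    return hits

def recover(data: bytes) -> list:
    """For each valid carved chunk return (offset, virtual EVTX bytes, list of record ids)."""
    results = []
    for pos in carve_chunks(data):
        chunk = data[pos:pos + CHUNK_SIZE]
        results.append((pos, build_virtual_evtx(chunk), [rid for _, rid, _ in iter_records(chunk)]))
    return results

def make_sample_chunk(first_id: int, bodies: list) -> bytes:
    """Constructed test data: consistent chunk headers and record chain, but the record
    bodies are opaque placeholder bytes rather than real binary XML."""
    chunk = bytearray(CHUNK_SIZE)
    off = last_off = 512
    for i, body in enumerate(bodies):
        size, last_off = RECORD_MIN_SIZE + len(body), off
        struct.pack_into("<4sIQQ", chunk, off, RECORD_MAGIC, size, first_id + i, 0x01D9A0B0C0D0E0F0)
        chunk[off + 24:off + 24 + len(body)] = body
        struct.pack_into("<I", chunk, off + size - 4, size)
        off += size
    last_id = first_id + len(bodies) - 1
    chunk[0:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", chunk, 8, first_id, last_id, first_id, last_id)
    struct.pack_into("<IIII", chunk, 40, 128, last_off, off, zlib.crc32(bytes(chunk[512:off])) & 0xFFFFFFFF)
    struct.pack_into("<I", chunk, 124, chunk_header_checksum(bytes(chunk)))
    return bytes(chunk)

def build_sample_image() -> bytes:
    """Constructed 'unallocated space': an intact chunk followed by one whose record data
    was overwritten after deletion (signature survives, records CRC does not)."""
    intact = make_sample_chunk(1000, [b"A" * 40, b"B" * 64, b"C" * 12])
    torn = bytearray(make_sample_chunk(5000, [b"D" * 32]))
    torn[540] ^= 0xFF
    return b"\x00" * 777 + intact + b"junk" * 100 + bytes(torn) + b"\xff" * 50
```

Running `recover(build_sample_image())` returns the single intact chunk at offset 777 with record ids 1000 to 1002, wrapped in a 4 KB header plus 64 KB chunk; the second candidate still carries the `ElfChnk` signature but is dropped because its records checksum no longer matches. Validating both checksums before handing a carved chunk to a parser is the cheap way to avoid the unrecoverable-error situation described above: a chunk that fails the check is the data you want to exclude.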




Version: 1
Tested with:
EnCase Forensic 7.1
Developer: Simon Key
Category: Artifact

1150 DOWNLOADS

YOU MAY ALSO LIKE

VSS Examiner (Artifact app)
Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.
By Simon Key, 3875 downloads

SEEB USB - Mounted Devices Report (Artifact app)
The script creates detailed Excel, CSV, console and bookmark reports on mounted, USB and portable devices found in the registry and setupapi logs.
By Brian Jones, 3645 downloads

Exif Viewer Plugin (Artifact app)
This is a self-installing application plugin that enables the user to right-click an Exif JPEG file in order to view and bookmark the Exif metadata it contains.
By Simon Key, 2948 downloads

Exif GPS Information Reader (Artifact app)
Search for, bookmark and decode Exif metadata, with the option to view GPS Exif coordinates in Google Earth automatically.
By Simon Key, 2588 downloads