
EVTX Log Entry Finder

This script locates deleted MS Windows EVTX log records. It works by searching for the event-log chunks that, taken together with an event-log file header, make up a complete EVTX log file. The reason for not searching for individual records is that while a chunk is a self-contained entity, the records within a chunk are not—EVTX log files use a template system in order to save space. This means that even though it's possible to find a deleted record by searching for its signature with a GREP keyword, there's a good chance that what follows won't be the complete record, and some of the record's data will most likely be stored at an earlier location in the associated chunk.

Having found a possible chunk, the script fabricates a virtual EVTX file in memory consisting of the chunk and a static header; it then uses EnCase's own event-log parsing functionality to parse the records in that file.

It's important to bear in mind that parsing deleted EVTX data is not without some risk—corrupt data can cause an unrecoverable error. Should this happen, the console logs can help you identify the data causing the problem so that you can take steps to avoid parsing it.
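As an added illustration (not the App Central script itself), the following Python carves chunks the same way: it finds the chunk signature in a raw byte image, verifies each candidate's header CRC32 so that corrupt or partially overwritten chunks are skipped rather than handed to a parser, and prepends a synthetic file header to produce a virtual EVTX file. Field offsets and checksum coverage follow the publicly documented EVTX layout and are assumptions here; the disk image is constructed for the example.

```python
import struct
import zlib

CHUNK_MAGIC = b"ElfChnk\x00"
FILE_MAGIC = b"ElfFile\x00"
CHUNK_SIZE = 0x10000   # every EVTX chunk is 64 KiB (assumed documented layout)
HEADER_SIZE = 0x1000   # the file header block is 4 KiB

def chunk_header_crc(chunk: bytes) -> int:
    # Documented layout: CRC32 over chunk bytes 0-119 and 128-511; the stored
    # value sits at offset 124. Bytes 120-127 are excluded from the sum.
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF

def carve_chunks(image: bytes) -> list:
    """Return every 64 KiB region starting with the chunk magic whose header
    checksum verifies. Damaged chunks (the usual cause of parser crashes on
    deleted data) are dropped here instead of reaching the parser."""
    chunks, pos = [], image.find(CHUNK_MAGIC)
    while pos != -1:
        cand = image[pos:pos + CHUNK_SIZE]
        if len(cand) == CHUNK_SIZE:
            stored = struct.unpack_from("<I", cand, 124)[0]
            if stored == chunk_header_crc(cand):
                chunks.append(cand)
        pos = image.find(CHUNK_MAGIC, pos + 1)
    return chunks

def build_virtual_evtx(chunks: list) -> bytes:
    """Prepend a synthetic file header (the 'static header' trick) so that a
    standard EVTX parser accepts the carved chunks as one log file."""
    hdr = bytearray(HEADER_SIZE)
    # magic, first chunk, last chunk, next record id, header size, minor/major
    # version (3.1), header block size, chunk count; flags at 120 stay 0
    struct.pack_into("<8sQQQIHHHH", hdr, 0, FILE_MAGIC, 0, max(len(chunks) - 1, 0),
                     0, 128, 1, 3, HEADER_SIZE, len(chunks))
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])) & 0xFFFFFFFF)
    return bytes(hdr) + b"".join(chunks)

def make_test_chunk(first_rec: int, corrupt: bool = False) -> bytes:
    """Constructed sample chunk: valid header checksum unless corrupt=True,
    which simulates a deleted chunk partially overwritten by other data."""
    c = bytearray(CHUNK_SIZE)
    struct.pack_into("<8sQQQQIII", c, 0, CHUNK_MAGIC, first_rec, first_rec,
                     first_rec, first_rec, 128, 512, 512)
    struct.pack_into("<I", c, 124, chunk_header_crc(bytes(c)))
    if corrupt:
        c[200] ^= 0xFF   # flip one byte inside the checksummed region
    return bytes(c)

# Constructed "disk image": filler, good chunk, junk, corrupt chunk, good chunk
SAMPLE_IMAGE = (b"\x00" * 777 + make_test_chunk(1) + b"junk" * 50 +
                make_test_chunk(2, corrupt=True) + make_test_chunk(3) + b"\xff" * 99)
```

Running `build_virtual_evtx(carve_chunks(SAMPLE_IMAGE))` yields a 4 KiB header followed by the two intact chunks; the corrupt middle chunk is reported nowhere in the output and can be examined separately.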

Version: 1
Tested with: EnCase Forensic 7.1
Developer: Simon Key
Category: Artifact

801 DOWNLOADS
