Corrupt and Shutdown Dirty EVTX Log Files: A Comparison of Recovery Using the Microsoft Event Viewer Versus Ipswitch's LogHealer Technology




As the Microsoft Windows Vista, Windows Server 2008, and Windows 7 operating systems become more widely adopted, so too does their new logging format, the EVTX log file. Properly saved EVTX log files can typically be opened without issue in the Microsoft Windows Event Viewer or in a third-party tool such as WhatsUp Event Analyst or WhatsUp Event Rover. Corrupt and/or "shutdown dirty" EVTX files, however, raise a serious issue for the network administrator or forensic examiner tasked with viewing their contents. A shutdown dirty file is one the Event Log service never closed cleanly, so its file header still carries the dirty flag that is normally cleared when the log is closed.

In some, but not all, cases the Microsoft Event Viewer in Windows Vista and Windows Server 2008 can open an EVTX file reclaimed from a shutdown dirty system, such as a computer where the "plug was pulled" to start a forensic investigation. However, the Event Viewer attempts to repair data elements in the file without prompting the user or confirming the action. This behavior is readily reproduced, as the following series of screenshots shows:

Figure 1 - An Application EVTX log from a machine that was shut down dirty. Notice the Date Modified timestamp of June 16th, 2009.

Figure 2 - The Microsoft Event Viewer on Windows Vista has started. The Application EVTX log file can now be opened and read by the Event Viewer.

Figure 3 - Returning to Windows Explorer shows that the Date Modified timestamp of the file has changed to the current date, July 16th, 2009. The Microsoft Event Viewer modified the EVTX file with no prompt or notice to the administrator!

Obviously, this has serious implications for evidence management and could ultimately compromise an otherwise well-conducted investigation: the file's hash and timestamps no longer match those recorded at acquisition, and the examiner cannot show which bytes the viewer changed.

Ipswitch has pioneered a new approach to the recovery of corrupt and shutdown dirty EVTX log data, referred to as LogHealer Technology. WhatsUp Event Rover is the first solution featuring this technology, and it is incorporated into other WhatsUp Log Management products as well. Rather than modifying the original source file, when LogHealer detects corruption in an EVTX file it first prompts the administrator to repair it into a new location, so that the original file remains unmodified. This is shown in the next series of screenshots:

Figure 4 - WhatsUp Event Rover is preparing to load the shutdown dirty Application EVTX file into memory. Because the log file comes from a foreign network, we are electing to load log metadata from an alternate computer.

Figure 5 - LogHealer detects corruption in the EVTX file and prompts the administrator to perform a repair into a new file, leaving the original file unmodified.

Figure 6 - LogHealer makes the repairs in a new file on disk, and WhatsUp Event Rover now loads log records from the repaired file into memory.

Figure 7 - Windows Explorer shows the original file's Date Modified timestamp unchanged, with the newly repaired version next to it in the same folder.

In some cases the Microsoft Event Viewer cannot open a corrupted log file at all and instead displays an error dialog.

While LogHealer technology remains in its infancy, we are pleased with its current ability to repair some log files that the Microsoft Event Viewer cannot, as well as its ability to do so in a non-destructive manner. As the EVTX logging format becomes more widely adopted, we look forward to working with end users, network professionals, and forensic examiners to expand and improve upon this technology. Correspondence with Ipswitch's support and development team, as well as the submission of corrupt log files, is always welcome at http://www.whatsupgold.com/support.
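The two checks an examiner wants before handing an EVTX file to any viewer are (1) whether the header still carries the dirty flag, which tells you the log was never closed cleanly, and (2) proof that the viewer or repair tool did not touch the original. The following is an added example, not Ipswitch's or Microsoft's code, and it is not LogHealer: it reads only the 128-byte EVTX file header as documented in the public format description (signature "ElfFile\0" at offset 0, file flags at offset 120 with bit 0 = dirty and bit 1 = full, and a CRC32 over the first 120 bytes at offset 124), hashes the evidence file before and after working on a copy, and reports whether the original changed. The sample header it builds is constructed for the demonstration and does not come from a real system.

```python
"""Inspect an EVTX header and prove the evidence file was left untouched.

Added example (not from the original paper). Reads only the 128-byte
EVTX file header; it does not parse or repair chunks and records.
"""
import hashlib
import os
import shutil
import struct
import tempfile
import zlib

EVTX_SIGNATURE = b"ElfFile\x00"
HEADER_LEN = 128
FLAG_DIRTY = 0x0001   # log was open when the system stopped (not cleanly closed)
FLAG_FULL = 0x0002    # log reached its maximum size


def parse_evtx_header(header: bytes) -> dict:
    """Return the header fields needed to judge whether the log was closed cleanly."""
    if len(header) < HEADER_LEN:
        raise ValueError("header shorter than 128 bytes")
    if header[:8] != EVTX_SIGNATURE:
        raise ValueError("not an EVTX file (bad signature)")
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", header, 8)
    _header_size, minor, major, _block_size, chunk_count = struct.unpack_from("<IHHHH", header, 32)
    flags, stored_crc = struct.unpack_from("<II", header, 120)
    # The stored CRC32 covers bytes 0..119 only; flags and CRC are outside it.
    computed_crc = zlib.crc32(header[:120]) & 0xFFFFFFFF
    return {
        "version": f"{major}.{minor}",
        "first_chunk": first_chunk,
        "last_chunk": last_chunk,
        "next_record": next_record,
        "chunk_count": chunk_count,
        "dirty": bool(flags & FLAG_DIRTY),
        "full": bool(flags & FLAG_FULL),
        "header_crc_ok": stored_crc == computed_crc,
    }


def build_sample_header(dirty: bool, corrupt_crc: bool = False) -> bytes:
    """Constructed 128-byte EVTX header for testing; not taken from a real log."""
    fixed = bytearray(120)
    fixed[:8] = EVTX_SIGNATURE
    struct.pack_into("<QQQ", fixed, 8, 0, 3, 1200)              # first/last chunk, next record id
    struct.pack_into("<IHHHH", fixed, 32, HEADER_LEN, 1, 3, 4096, 4)  # size, v3.1, block size, chunks
    crc = zlib.crc32(bytes(fixed)) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0xDEADBEEF                                      # simulate a damaged header
    flags = FLAG_DIRTY if dirty else 0
    return bytes(fixed) + struct.pack("<II", flags, crc)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def inspect_preserving_original(evidence_path: str, work_dir: str) -> dict:
    """Hash the original, parse a copy, then re-hash to show the original is untouched."""
    before = sha256_file(evidence_path)
    os.makedirs(work_dir, exist_ok=True)
    working_copy = os.path.join(work_dir, os.path.basename(evidence_path))
    shutil.copy2(evidence_path, working_copy)                 # copy2 preserves timestamps
    with open(working_copy, "rb") as f:
        info = parse_evtx_header(f.read(HEADER_LEN))
    after = sha256_file(evidence_path)
    info.update(working_copy=working_copy, original_sha256=before,
                original_unchanged=(before == after))
    return info


def demo_roundtrip() -> dict:
    """Write a constructed dirty log to a temp dir and run the preserving inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "Application.evtx")
        with open(evidence, "wb") as f:
            f.write(build_sample_header(dirty=True) + b"\x00" * (4096 - HEADER_LEN))
        return inspect_preserving_original(evidence, os.path.join(tmp, "work"))


if __name__ == "__main__":
    for key, value in demo_roundtrip().items():
        print(f"{key}: {value}")
```

Run the hash step against the acquired file before and after any viewer session; if `original_unchanged` comes back false, the viewer rewrote the evidence, which is exactly the behaviour shown in Figure 3. A clean header CRC with the dirty flag set is the normal signature of a pulled-plug acquisition; a CRC mismatch points to actual header damage rather than an unclean shutdown.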