EVTX Log Entry Finder
This script locates deleted MS Windows EVTX log records.
The script works by searching for the event-log chunks that, together with a file header, make up a complete EVTX log file.
The reason for not searching for individual records is that whilst a chunk is a self-contained entity, the records in a chunk are not: EVTX log files store each record as binary XML that refers to templates held elsewhere in the same chunk, in order to save space.
Although it's possible to find a deleted record by searching for its "**\x00\x00" (0x2A2A0000) record signature with GREP, there's a good chance that what follows won't be the complete record: some of the record's data, notably the template it refers to, will most likely be stored at an earlier location in the associated chunk.
Having found a chunk (by its "ElfChnk" signature) and validated the CRC32 of the record data it contains, the script fabricates a virtual EVTX file consisting of a static file header followed by the chunk; it then uses EnCase's own event-log parsing functionality to parse the records contained therein. Note that the chunk header carries two CRC32 values, one over the header itself and one over the record data; checking both is the reliable way to reject false signature hits.
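The find-validate-wrap procedure described above, as an added Python example; it is not the EnScript itself, which runs inside EnCase and hands the virtual file to EnCase's parser. It assumes the documented EVTX layout: 64 KiB "ElfChnk\x00" chunks with a header CRC32 at offset 124 (over bytes 0-120 and 128-512) and a records CRC32 at offset 52 (over 0x200 up to the free-space offset), records introduced by "**\x00\x00", and a 4 KiB "ElfFile\x00" file header with a CRC32 over its first 120 bytes. The sample chunk and the raw buffer it is carved from are constructed here, and the record body is a placeholder rather than real binary XML; only the fixed record header is decoded, for exactly the template reason given above.

```python
"""Carve EVTX chunks from raw data, validate their CRC32s and wrap each in a
synthetic file header so any ordinary EVTX parser can read it (added example)."""
import struct
import zlib

CHUNK_SIZE = 0x10000            # every EVTX chunk is 64 KiB
CHUNK_SIG = b"ElfChnk\x00"
FILE_SIG = b"ElfFile\x00"
FILE_HEADER_SIZE = 0x1000       # file header block is padded to 4 KiB
RECORD_SIG = b"**\x00\x00"      # 0x2A2A0000, the record signature GREP'd for


def chunk_checksums_ok(chunk: bytes) -> bool:
    """Validate both CRC32s in a chunk header; a bare signature hit is not enough."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_SIG:
        return False
    free_space_off, records_crc = struct.unpack_from("<II", chunk, 48)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    if not 0x200 <= free_space_off <= CHUNK_SIZE:
        return False
    if zlib.crc32(chunk[:120] + chunk[128:512]) != header_crc:
        return False                           # header CRC covers 0-120 and 128-512
    return zlib.crc32(chunk[0x200:free_space_off]) == records_crc


def carve_chunks(data: bytes):
    """Yield (offset, chunk) for each validated chunk, at any byte alignment."""
    pos = data.find(CHUNK_SIG)
    while pos != -1:
        candidate = data[pos:pos + CHUNK_SIZE]
        if chunk_checksums_ok(candidate):
            yield pos, candidate
            pos = data.find(CHUNK_SIG, pos + CHUNK_SIZE)
        else:
            pos = data.find(CHUNK_SIG, pos + 1)  # false positive or damaged chunk


def record_headers(chunk: bytes):
    """Walk the record area and yield (record_id, size, filetime).

    The binary-XML body is deliberately not decoded: it may refer to
    templates stored earlier in the chunk, so it is left to a full parser.
    """
    free_space_off = struct.unpack_from("<I", chunk, 48)[0]
    pos = 0x200
    while pos + 28 <= free_space_off and chunk[pos:pos + 4] == RECORD_SIG:
        size, rec_id, filetime = struct.unpack_from("<IQQ", chunk, pos + 4)
        if size < 28 or pos + size > free_space_off:
            break                              # truncated record
        if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
            break                              # trailing size copy mismatch
        yield rec_id, size, filetime
        pos += size


def build_virtual_evtx(chunk: bytes) -> bytes:
    """Prepend a synthetic 4 KiB file header so the chunk parses as a file."""
    last_id = struct.unpack_from("<Q", chunk, 32)[0]  # last record identifier
    hdr = bytearray(FILE_HEADER_SIZE)
    # signature, first chunk number, last chunk number, next record identifier
    struct.pack_into("<8sQQQ", hdr, 0, FILE_SIG, 0, 0, last_id + 1)
    # header size, minor version, major version, header block size, chunk count
    struct.pack_into("<IHHHH", hdr, 32, 0x80, 1, 3, FILE_HEADER_SIZE, 1)
    # flags at 120 stay 0 (clean); CRC32 of the first 120 bytes lives at 124
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120]))
    return bytes(hdr) + chunk


def make_test_chunk() -> bytes:
    """Constructed sample chunk: one record with a placeholder body, valid CRCs."""
    body = b"\x0f\x01\x01\x00" + b"\x00" * 32   # stand-in for binary XML
    size = 28 + len(body)                         # sig+size+id+time+body+size copy
    record = RECORD_SIG + struct.pack("<IQQ", size, 1, 0x01D9E5C0C0000000) + body
    record += struct.pack("<I", size)
    chunk = bytearray(CHUNK_SIZE)
    free_space_off = 0x200 + len(record)
    chunk[0x200:free_space_off] = record
    # signature, first/last record number, first/last record identifier
    struct.pack_into("<8sQQQQ", chunk, 0, CHUNK_SIG, 1, 1, 1, 1)
    # header size, last record data offset, free space offset, records CRC
    struct.pack_into("<IIII", chunk, 40, 0x80, 0x200, free_space_off,
                     zlib.crc32(bytes(chunk[0x200:free_space_off])))
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[:120] + chunk[128:512])))
    return bytes(chunk)


def make_test_image() -> bytes:
    """Constructed raw buffer: filler, a valid chunk, filler, a damaged copy."""
    good = make_test_chunk()
    bad = bytearray(good)
    bad[0x210] ^= 0xFF                  # corrupt the record area: records CRC fails
    return b"\xaa" * 1000 + good + b"\x00" * 5000 + bytes(bad) + b"\xaa" * 100


if __name__ == "__main__":
    for off, chunk in carve_chunks(make_test_image()):
        print(f"validated chunk at offset {off:#x}")
        for rec_id, size, filetime in record_headers(chunk):
            print(f"  record {rec_id}: {size} bytes, FILETIME {filetime:#x}")
        with open(f"carved_{off:#x}.evtx", "wb") as fh:
            fh.write(build_virtual_evtx(chunk))
```

Point carve_chunks at a raw disk or memory image instead of make_test_image() and each validated chunk comes out as its own .evtx file; the damaged copy in the sample buffer is skipped because its records CRC no longer matches, which is the check that separates a real chunk from a stray signature.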
This script was developed for use in EnCase training.