This script locates deleted MS Windows EVTX log records . The script works by looking for the event-log chunks that when taken with the event-log header make-up a complete EVTX log-file. The reason for not searching for individual records is that while a chunk is a self-contained entity, the records in a chunk are not—EVTX log-files use a template system in order to save space. This means that even though it's possible to find a deleted record by searching for its signature using a GREP keyword there's a good chance that what follows won't be the complete record and that some of the record's data will most likely be stored at a previous location in the associated chunk.

Having found a possible chunk the script will fabricate a virtual EVTX file in memory consisting of the chunk and a static header; it then uses EnCase's own event-log parsing functionality to parse the records in that file.

It's important to bear in mind that parsing deleted EVTX data is not without some risk—corrupt data can cause an unrecoverable error. Should this happen the console logs can help you identify the data causing the problem so that you can try and take steps to avoid parsing it.

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training