Research Article
A Novel File Carving Algorithm for EVTX Logs
@INPROCEEDINGS{10.1007/978-3-319-73697-6_7, author={Ming Xu and Jinkai Sun and Ning Zheng and Tong Qiao and Yiming Wu and Kai Shi and Haidong Ge and Tao Yang}, title={A Novel File Carving Algorithm for EVTX Logs}, proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings}, proceedings_a={ICDF2C}, year={2018}, month={1}, keywords={Windows forensics Windows XML event logs EVTX Files File carving Fragmented files}, doi={10.1007/978-3-319-73697-6_7} }- Ming Xu
Jinkai Sun
Ning Zheng
Tong Qiao
Yiming Wu
Kai Shi
Haidong Ge
Tao Yang
Year: 2018
A Novel File Carving Algorithm for EVTX Logs
ICDF2C
Springer
DOI: 10.1007/978-3-319-73697-6_7
Abstract
The Microsoft Windows system provides very important sources of forensic evidence. However, few attention has been paid to the recovery of the deleted EVTX logs. Without using system metadata, a novel carving algorithm of EVTX logs is proposed by analyzing the characteristics and intrinsic structure. Firstly, we reassemble binary data belonging to fragments of complete EVTX logs to reconstruct the deleted logs. Secondly, extracting records for the corrupted logs can make the algorithm robust through the special features of template and substitution array. Finally, some experiments are given to illustrate the effectiveness of the proposed algorithm. Moreover, when the logs are fragmented or corrupted, our algorithm can still perform well.