Forensics Research and Development

White Oak Labs contributes to advances in forensic sciences through peer-reviewed publications and international scientific conferences.

Using novel analysis tools and techniques, our lab can provide clients highly advanced forensic services, such as those described here.

In the example below, our lab developed new techniques to solve a single case involving the unauthorized transfer of intellectual property. To solve this case, we developed a new tool, described in the Journal of Digital Investigation article "Automated Windows event log forensics", presented at the Digital Forensics Research Workshop in August 2007. The article discusses forensic procedures for log analysis in the context of a case study that illustrates the motivation for building the tool. Forensic automation of this kind can make log analysis techniques more cost effective, and therefore feasible for consideration both in a wider range of cases and in earlier phases of a case.

The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis. In addition, the author is available for consultation and testimony regarding such issues.

Download FixEvt Version 1.09

Fixevt.exe is a native Windows console (command line) application for Windows 98, NT, 2K, XP, 2003, and Vista that repairs a common form of corruption of Windows event logs that occurs when the event logging service stops without properly closing the log file.

Fixevt.exe requires no other files, and no installation. Simply download the executable and run it from the command line as shown below. To see this documentation, invoke it with no command line arguments.

How FixEvt Works

Note that this utility directly modifies the log file. It does so for performance. If a corrupt log file must also be preserved unmodified, one may make a copy of the log and repair the copy.

FixEvt does not modify the log file unless the flag in the log header indicates that the log is 'dirty'. In that case it searches the file for the duplicate copy of the header information (the up-to-date offsets kept in the log's trailer) and, if that copy is found, repairs the header from it.

This utility will repair multiple log files in one invocation. The event log filenames are its only arguments.

FixEvt returns a numerical status code to the shell that indicates whether the resulting log is 'clean'.

  • zero (0) indicates either that the log file was already 'clean' and did not need repair, or that FixEvt successfully repaired the log file.
  • non-zero indicates that FixEvt failed. FixEvt can fail when the specified log file does not exist, or when the file needs repair but the up-to-date copy of the offsets cannot be found.
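The repair described above, as an added Python example that is not FixEvt's code: it assumes the public .evt layout (a 48-byte header whose Flags DWORD carries the dirty bit, and a 40-byte end-of-file record, marked by four magic DWORDs, that holds the current offsets), searches backwards from the end of the file for a valid trailer, and rewrites the header only when the dirty flag is set. The exact checks FixEvt performs are not published on this page and are assumed here; the sample log is constructed, not a captured file.

```python
import struct
# On-disk layout of the classic Windows .evt format (public; see MS-EVEN).
HEADER_LEN = 0x30
HEADER_FMT = "<I4sIIIIIIIIII"      # HeaderSize, "LfLe", Major, Minor, Start, End, Current, Oldest, MaxSize, Flags, Retention, EndHeaderSize
EVT_SIGNATURE = b"LfLe"
ELF_LOGFILE_HEADER_DIRTY = 0x0001  # set while the log is open; cleared only by a clean close
TRAILER_LEN = 0x28
TRAILER_MAGIC = bytes.fromhex("11111111222222223333333344444444")
TRAILER_FMT = "<I16sIIIII"         # Size, magic, Start, End, Current, Oldest, Size

def parse_header(data):
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"start": f[4], "end": f[5], "current": f[6], "oldest": f[7], "flags": f[9]}

def find_trailer(data):
    """Return (start, end, current, oldest) from the last valid end-of-file record,
    or None. Stray copies of the magic inside record bodies fail the size checks."""
    pos = data.rfind(TRAILER_MAGIC)
    while pos >= 4:
        rec = data[pos - 4:pos - 4 + TRAILER_LEN]
        if len(rec) == TRAILER_LEN:
            size1, _, start, end, cur, oldest, size2 = struct.unpack(TRAILER_FMT, rec)
            if size1 == TRAILER_LEN and size2 == TRAILER_LEN:
                return start, end, cur, oldest
        pos = data.rfind(TRAILER_MAGIC, 0, pos)
    return None

def repair_evt(data):
    """Return (status, message, data); status 0 means the log is now clean."""
    if len(data) < HEADER_LEN or data[4:8] != EVT_SIGNATURE:
        return 1, "Not an event log", data
    fields = list(struct.unpack(HEADER_FMT, data[:HEADER_LEN]))
    if not fields[9] & ELF_LOGFILE_HEADER_DIRTY:
        return 0, "Repair not needed", data   # clean log: leave every byte untouched
    trailer = find_trailer(data)
    if trailer is None:
        return 1, "No trailer found", data
    fields[4:8] = trailer                     # copy the up-to-date offsets into the header
    fields[9] &= ~ELF_LOGFILE_HEADER_DIRTY
    return 0, "Repaired", struct.pack(HEADER_FMT, *fields) + data[HEADER_LEN:]

def build_dirty_sample():
    """Constructed test log, not a captured file: stale dirty header, opaque filler
    standing in for event records (containing a stray magic), and a current trailer."""
    records = b"\x00" * 0x40 + TRAILER_MAGIC + b"\x00" * 0x40
    start, end = HEADER_LEN, HEADER_LEN + len(records)
    header = struct.pack(HEADER_FMT, HEADER_LEN, EVT_SIGNATURE, 1, 1, HEADER_LEN, HEADER_LEN,
                         1, 0, 0x80000, ELF_LOGFILE_HEADER_DIRTY, 0, HEADER_LEN)
    trailer = struct.pack(TRAILER_FMT, TRAILER_LEN, TRAILER_MAGIC, start, end, 3, 1, TRAILER_LEN)
    return header + records + trailer
```

Run repair_evt on a copy of the log when the original must stay unmodified, as the page advises; the returned bytes are the repaired image.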

Using FixEvt

To repair all of the log files in a given directory, specify them with a wild-card argument on the command line:

% fixevt *.evt

To see a copy of this documentation, run FixEvt with no arguments:

% fixevt

Error Messages

FixEvt writes error and status messages to standard output as follows.

usage: fixevt SysEvent.evt
...all of this documentation....
The message above means that there was more or less than one argument on the command line.

Repair not needed: SysEvent.evt
The message above means that the flag in the header showed that the log was already 'clean' and did not need repair.

No trailer found in: SysEvent.evt
The message above means that the search for the up-to-date copy of the offsets failed, so the header could not be repaired.

Repaired: SysEvent.evt
The message above means that the header was successfully repaired.


Copyright © 2002-2009 White Oak Labs Inc. All Rights Reserved. TX PSB License A15996.