Extracting Windows event logs using memory forensics
Abstract: Microsoft’s Windows Operating System provides a logging service that collects, filters and stores event messages from the kernel and applications into log files (.evt and .evtx). Volatility, the leading open source advanced memory forensic suite, currently allows users to extract these events from memory dumps of Windows XP and Windows 2003 machines. Currently there is no support for users to extract the event logs (.evtx) from Windows Vista, Win7 or Win8 memory dumps, and Volatility users have to rely on outside software in order to do this. This thesis discusses a newly developed evtxlogs.py plugin for Volatility, which allows users the same functionality with Windows Vista, Win7 and Win8 that they had with Windows XP and Win 2003’s evtlogs.py plugin. The plugin is based on existing mechanisms for parsing Windows Vista-format event logs, but adds fully integrated support for these logs to Volatility.

| Field | Value |
|---|---|
| Main Author | Veca, Matthew |
| Title | Extracting Windows event logs using memory forensics |
| Format | Others (text, application/pdf) |
| Published | ScholarWorks@UNO, 2015 (2015-12-18) |
| Series | University of New Orleans Theses and Dissertations |
| Subjects | evtx; Volatility; evtxlogs.py; Information Security |
| Collection / Source | NDLTD |
| Record id | ndltd-uno.edu-oai-scholarworks.uno.edu-td-3206 |
| Online Access | http://scholarworks.uno.edu/td/2119 ; http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=3206&context=td |