A novel file carving algorithm for EVTX logs

Abstract

The Microsoft Windows system provides very important sources of forensic evidence. However, little attention has been paid to the recovery of deleted EVTX logs. Without using system metadata, a novel carving algorithm for EVTX logs is proposed by analyzing their characteristics and intrinsic structure. First, we reassemble binary data belonging to fragments of complete EVTX logs to reconstruct the deleted logs. Second, extracting records from corrupted logs makes the algorithm robust, using the special features of the template and the substitution array. Finally, experiments are presented to illustrate the effectiveness of the proposed algorithm. Moreover, when the logs are fragmented or corrupted, our algorithm still performs well.

Citation (APA)

Xu, M., Sun, J., Zheng, N., Qiao, T., Wu, Y., Shi, K., … Yang, T. (2018). A novel file carving algorithm for EVTX logs. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 216, pp. 97–105). Springer Verlag. https://doi.org/10.1007/978-3-319-73697-6_7
