Forensics Research
When existing methods are insufficient, White Oak Labs often performs original research to solve individual cases. We develop new techniques to provide clients more thorough, quantitative support for expert opinions. White Oak Labs contributes such advances in forensic sciences through peer-reviewed publications and international scientific conferences.
When the tools are insufficient,
we build new tools.
Using proprietary analysis tools and techniques, our lab can provide clients highly advanced forensic services.
In this example, White Oak Labs developed new techniques in order to solve a single case involving intellectual property theft. The techniques we developed were later published in the Journal of Digital Investigation article "Automated Windows event log forensics" presented at the Digital Forensics Research Workshop in August 2007. This journal article discusses forensic procedures for log analysis, written as a mock case study to illustrate the practical motivations for building new tools. The tools streamline efforts by integrating into a forensic automation technique, which may make such log analysis less costly, and thus more feasible for inclusion in a wider range of cases and in earlier phases of cases.
The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis.
Download the Tool
Fixevt.exe is a command line tool that requires no other files and no installation. Simply download the executable and run it from the DOS prompt as shown in the section "Using FixEvt".
Download the Paper
Extensive details on how to use Fixevt are described in this peer-reviewed article published in the Journal of Digital Investigation:
Windows Log Forensics
Fixevt is a native Windows console application (command line app) for Windows 98, 2K, XP, 2003 and Vista that repairs a common form of event log corruption that occurs on Windows NT5 when the event logging service halts without properly closing the log file. This corruption is even more common for Windows logs obtained by forensic data recovery methods.
How FixEvt Works
Fixevt is a Windows command line utility that repairs corrupted log files. This utility can repair hundreds of log files at once. Simply supply all the event log filenames as arguments on the command line.
For rapid performance on hundreds of large log files, Fixevt performs the repair by directly modifying the log file. However, Fixevt modifies the log file only if and when the file is recognized as having a corrupted file header. In this case, it locates additional metadata within the log, and uses it to repair the file's header. For forensic purposes, it is advisable to make duplicate copies of any original evidence and repair the copies.
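The repair the paragraph above describes can be illustrated with the on-disk layout of an NT-era .evt file: the 48-byte ELF_LOGFILE_HEADER carries the offsets of the oldest record and of the end-of-file record plus a "dirty" flag, and the 40-byte ELF_EOF_RECORD (the trailer) at the end of the log carries an up-to-date copy of the same offsets. When the logging service dies before flushing, the header keeps stale offsets and the dirty flag, while the trailer is still current. The script below is an added example written for this page, not FixEvt's own source; it assumes that the "additional metadata" FixEvt uses is that trailer record, and it works on an in-memory copy rather than rewriting the original file, in keeping with the advice to repair duplicates. The sample log it builds is constructed test data.

```python
import struct

# ELF_LOGFILE_HEADER: twelve little-endian DWORDs (48 bytes)
HEADER_FMT = "<12I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 48
SIGNATURE = 0x654C664C                      # the ASCII bytes "LfLe"
FLAG_DIRTY = 0x0001                         # ELF_LOGFILE_HEADER_DIRTY: log not cleanly closed

# ELF_EOF_RECORD: ten little-endian DWORDs (40 bytes) with a fixed magic sequence
EOF_FMT = "<10I"
EOF_SIZE = struct.calcsize(EOF_FMT)         # 40
EOF_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)

# Status strings mirror the messages FixEvt's documentation lists
REPAIRED = "Repaired"
NOT_NEEDED = "Repair not needed"
NO_TRAILER = "No trailer found"


def parse_header(data):
    """Validate the 48-byte header and return the fields the repair cares about."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for an event log header")
    f = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    if f[0] != HEADER_SIZE or f[1] != SIGNATURE or f[11] != HEADER_SIZE:
        raise ValueError("not a Windows NT event log: bad header signature")
    return {
        "start_offset": f[4],      # offset of the oldest event record
        "end_offset": f[5],        # offset of the EOF (trailer) record
        "current_record": f[6],    # number the next record would receive
        "oldest_record": f[7],
        "flags": f[9],
    }


def find_trailer(data):
    """Scan backward for the EOF record; return (offset, fields) or None."""
    pos = data.rfind(EOF_MAGIC)
    while pos != -1:
        start = pos - 4                     # the magic follows the 4-byte length field
        if start >= HEADER_SIZE and start + EOF_SIZE <= len(data):
            f = struct.unpack(EOF_FMT, data[start:start + EOF_SIZE])
            # a genuine trailer has matching length fields and records its own offset
            if f[0] == EOF_SIZE and f[9] == EOF_SIZE and f[6] == start:
                return start, {
                    "start_offset": f[5],
                    "end_offset": f[6],
                    "current_record": f[7],
                    "oldest_record": f[8],
                }
        pos = data.rfind(EOF_MAGIC, 0, pos)
    return None


def repair(data):
    """Return (status, log bytes). The input is never modified; a copy is repaired."""
    header = parse_header(data)
    if not header["flags"] & FLAG_DIRTY:
        return NOT_NEEDED, bytes(data)
    found = find_trailer(data)
    if found is None:
        return NO_TRAILER, bytes(data)
    _, trailer = found
    fields = list(struct.unpack(HEADER_FMT, data[:HEADER_SIZE]))
    fields[4] = trailer["start_offset"]
    fields[5] = trailer["end_offset"]
    fields[6] = trailer["current_record"]
    fields[7] = trailer["oldest_record"]
    fields[9] &= ~FLAG_DIRTY                # mark the header as cleanly closed
    fixed = bytearray(data)
    fixed[:HEADER_SIZE] = struct.pack(HEADER_FMT, *fields)
    return REPAIRED, bytes(fixed)


def build_sample_log():
    """Constructed sample: one record was appended after the header was last flushed."""
    record = struct.pack("<I", 64) + b"LfLe" + b"\x00" * 52 + struct.pack("<I", 64)
    record_off = HEADER_SIZE
    eof_off = record_off + len(record)
    # Stale header: still says the trailer sits at offset 48, and is flagged dirty
    header = struct.pack(HEADER_FMT, HEADER_SIZE, SIGNATURE, 1, 1,
                         record_off, record_off, 1, 1, 0x80000, FLAG_DIRTY, 0, HEADER_SIZE)
    trailer = (struct.pack("<I", EOF_SIZE) + EOF_MAGIC
               + struct.pack("<4I", record_off, eof_off, 2, 1)
               + struct.pack("<I", EOF_SIZE))
    return header + record + trailer


if __name__ == "__main__":
    status, fixed = repair(build_sample_log())
    print(status, parse_header(fixed))
```

Run as a script it repairs the constructed log and prints the corrected header fields; against a real copy of a log, read the file into `bytes`, call `repair`, and write the returned bytes to a new file. A file with a dirty header but no locatable trailer yields "No trailer found", which is exactly the case in which FixEvt reports failure.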
FixEvt returns a numerical status code to the shell that indicates whether the resulting log is 'clean'.
- zero (0) indicates either that the log file was already 'clean' and did not need repair, or that FixEvt successfully repaired the log file.
- non-zero indicates FixEvt failed. FixEvt can fail when the specified log file does not exist, or when the file needs repair but the up-to-date copy of the offsets cannot be found.
Using FixEvt
To repair all of the log files in a given directory, they may be specified by a wild-card argument on the command line:
% fixevt *.evt
To see a copy of this documentation, run FixEvt with no arguments:
% fixevt
Error Messages
FixEvt writes error and status messages to standard output as follows.
usage: fixevt SysEvent.evt
...all of this documentation....
The message above means that no filenames were supplied as arguments on the command line.
Repair not needed: SysEvent.evt
The message above means that the file's header showed no signs of corruption, and thus did not need repair.
No trailer found in: SysEvent.evt
The message above means that the search for additional metadata failed, so the header could not be repaired.
Repaired: SysEvent.evt
The message above means that the header was successfully repaired.