Restoring Files With Event Logs (Windows XP/2003)

If an event log file on Windows XP/2003 reports that it cannot be opened, the file can often be restored by repairing its header from the entries the log still contains. Working on a copy of SysEvent.evt, we could use WinHex or another hex/event log viewer to locate byte offset 36 in the header and change it to 0x08. Next, we would duplicate the contents of the floating footer and paste them into the analogous fields of the header. To accomplish this, we would search for the corresponding hex strings and restore the fields of the event log one at a time. In this demonstration, we would search for the string 0x11 0x11 0x11 0x11 and identify the byte immediately following the sequence 0x28 0x00 0x00 0x00 0x11 0x11 0x11 0x11 0x22 0x22 0x22 0x22 0x33 0x33 0x33 0x33 0x44 0x44 0x44 0x44. Afterwards, we would copy that byte together with the next 15 bytes (16 bytes in all), and finally paste them over the parallel fields in the header. Consequently, the copy of the file should be rendered readable.
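The same repair, carried out programmatically instead of by hand in WinHex, as an added example that is not part of the original post. It assumes the classic EVT layout: a 48-byte header whose flags field is the DWORD at offset 36 and whose start offset, end offset, current record number and oldest record number occupy offsets 16 through 31, and a 40-byte floating footer whose four equivalent fields sit in the 16 bytes directly after the 0x28 0x11.. 0x44 pattern the post searches for. The sample log bytes are constructed inline and are not from a real SysEvent.evt.

```python
import struct

HEADER_SIZE = 48                      # ELF_LOGFILE_HEADER is 48 bytes
SIGNATURE = b"LfLe"                   # file/record signature at offset 4
# The footer marker the post searches for: 0x28 followed by 11111111 22222222 33333333 44444444
FOOTER_MARKER = struct.pack("<5I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY = 0x0001                   # header flag bit that marks an unclean log
FLAGS_REPAIRED = 0x08                 # value the post writes at offset 36


def parse_header(data: bytes) -> dict:
    """Decode the 48-byte EVT header into named fields (little-endian DWORDs)."""
    if len(data) < HEADER_SIZE or data[4:8] != SIGNATURE:
        raise ValueError("not an EVT file: missing LfLe signature")
    names = ("header_size", "signature", "major", "minor", "start_offset",
             "end_offset", "current_record", "oldest_record", "max_size",
             "flags", "retention", "end_header_size")
    return dict(zip(names, struct.unpack_from("<12I", data, 0)))


def find_footer(data: bytes) -> int:
    """Offset of the floating footer, i.e. of the 0x28 11.. 44 marker; -1 if absent."""
    return data.find(FOOTER_MARKER, HEADER_SIZE)


def is_dirty(data: bytes) -> bool:
    """True when the dirty bit is set, the usual reason XP/2003 refuses to open the log."""
    return bool(parse_header(data)["flags"] & FLAG_DIRTY)


def repair_header(data: bytes) -> bytes:
    """Return a repaired copy: flags set to 0x08 and the four header offset/record
    fields overwritten with the 16 bytes that follow the footer marker."""
    parse_header(data)                               # validates the signature
    footer = find_footer(data)
    if footer < 0:
        raise ValueError("no floating footer found; cannot recover offsets")
    out = bytearray(data)
    struct.pack_into("<I", out, 36, FLAGS_REPAIRED)  # step 1: byte 36 -> 0x08
    src = footer + len(FOOTER_MARKER)                # byte right after the 20-byte pattern
    out[16:32] = data[src:src + 16]                  # step 2: copy it plus the next 15 bytes
    return bytes(out)


def build_sample_dirty_log() -> bytes:
    """Constructed sample: a dirty header with stale offsets, one dummy record, a footer."""
    header = struct.pack("<I4s10I", 0x30, SIGNATURE, 1, 1,
                         0x30, 0x30, 1, 1,            # stale start/end/current/oldest
                         0x80000, FLAG_DIRTY, 0, 0x30)
    record = struct.pack("<I4sI", 64, SIGNATURE, 1) + b"\x00" * 48 + struct.pack("<I", 64)
    footer = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                         48, 112, 2, 1, 0x28)         # true start/end/current/oldest
    return header + record + footer


if __name__ == "__main__":
    broken = build_sample_dirty_log()
    fixed = repair_header(broken)
    print("before:", parse_header(broken))
    print("after: ", parse_header(fixed))
```

Run it against a copy of the log, never the original: the script only touches the 48-byte header, so a diff of the two files before and after should show changes at offsets 16 through 31 and 36 through 39 and nowhere else.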

Investigators must also be prepared to work with older operating systems, because many legacy systems remain abundant in the field. Windows XP/2003 are still used widely enough that the writers found this example necessary to teach. In 2014, it was revealed that approximately a third of GE Intelligent Platforms customers used XP. Furthermore, in the same year, it was disclosed that 75% of water utility companies used XP despite the number of vulnerabilities XP has suffered from. The next year, 250 million users were found to still operate XP. Considering the additional fact that Microsoft no longer supports XP, forensic investigators should expect to deal with incidents involving this operating system, since it is an easy attack vector for hackers.

Viewing WinHex: [screenshot not included]