Date of Award
Fall 12-2015
Degree Type
Thesis-Restricted
Degree Name
M.S.
Degree Program
Computer Science
Department
Computer Science
Major Professor
Dr. Golden Richard
Second Advisor
Dr. Vassil Roussev
Third Advisor
Dr. Irfan Ahmed
Abstract
Microsoft's Windows operating system provides a logging service that collects, filters and stores event messages from the kernel and applications into log files (.evt and .evtx). Volatility, the leading open source advanced memory forensic suite, currently allows users to extract these events from memory dumps of Windows XP and Windows 2003 machines. There is currently no support for extracting the newer-format event logs (.evtx) from Windows Vista, Windows 7 or Windows 8 memory dumps, and Volatility users have to rely on outside software to do this. This thesis discusses a newly developed evtxlogs.py plugin for Volatility, which gives users the same functionality for Windows Vista, Windows 7 and Windows 8 that the existing evtlogs.py plugin gives them for Windows XP and Windows 2003. The plugin is based on existing mechanisms for parsing Windows Vista-format event logs, but adds fully integrated support for these logs to Volatility.
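The carving step that such a plugin has to perform before any event can be decoded, as an added example that is not the thesis's evtxlogs.py plugin or any Volatility code: a stand-alone Python scanner that walks a raw memory buffer for the 64 KiB EVTX chunk signature, checks the chunk header and record-data CRC32s, and lists each record's identifier and written timestamp, stopping at the first record whose trailing size copy disagrees with its header (what an overwritten or paged-out region looks like in a dump). Field offsets follow the publicly documented EVTX chunk and record layout (as described in the libevtx format documentation); the memory buffer, record ids and payloads are constructed here, and the binary XML bodies are fake placeholders that are left undecoded, since BinXML decoding is the larger job the plugin described above takes on.

```python
"""Carve EVTX chunks from a raw memory buffer and list the event records inside them."""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_SIG = b"ElfChnk\x00"        # signature that opens every 64 KiB EVTX chunk
RECORD_SIG = b"\x2a\x2a\x00\x00"  # signature that opens every event record
CHUNK_SIZE = 0x10000              # EVTX chunks are always 64 KiB
CHUNK_HDR = 512                   # 128-byte header + string/template tables; records start here
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def chunk_header_crc(chunk):
    """The header checksum covers bytes 0-119 and 128-511 (the checksum field itself is skipped)."""
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def parse_chunk(chunk):
    """Parse one chunk: header fields, both checksums, and every record up to the free-space mark."""
    if len(chunk) < CHUNK_SIZE or chunk[:8] != CHUNK_SIG:
        raise ValueError("not an EVTX chunk")
    (first_num, last_num, first_id, last_id, hdr_size,
     last_rec_off, free_off, data_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    hdr_crc = struct.unpack_from("<I", chunk, 124)[0]
    info = {
        "first_record_id": first_id,
        "last_record_id": last_id,
        "free_space_offset": free_off,
        "header_crc_ok": hdr_crc == chunk_header_crc(chunk),
        "data_crc_ok": data_crc == (zlib.crc32(chunk[CHUNK_HDR:free_off]) & 0xFFFFFFFF),
        "records": [],
    }
    off = CHUNK_HDR
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_SIG:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        # In a memory image the tail of a chunk may have been paged out or overwritten,
        # so insist that the record fits and that its trailing size copy agrees.
        if size < 28 or off + size > free_off:
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break
        info["records"].append({
            "id": rec_id,
            "written": filetime_to_datetime(ft),
            "binxml": chunk[off + 24:off + size - 4],  # binary XML body, left undecoded here
        })
        off += size
    return info


def scan_memory(buf):
    """Find every chunk signature in the buffer and parse the chunks that fit entirely inside it."""
    found = []
    pos = buf.find(CHUNK_SIG)
    while pos != -1:
        if pos + CHUNK_SIZE <= len(buf):
            found.append((pos, parse_chunk(buf[pos:pos + CHUNK_SIZE])))
        pos = buf.find(CHUNK_SIG, pos + 1)
    return found


# --- constructed sample input (not data from any real system) ---------------------------

def build_record(rec_id, ft, body):
    size = 24 + len(body) + 4
    return RECORD_SIG + struct.pack("<IQQ", size, rec_id, ft) + body + struct.pack("<I", size)


def build_sample_chunk(entries):
    """Assemble a chunk with valid headers and checksums from (record_id, filetime, body) tuples."""
    recs = [build_record(rid, ft, body) for rid, ft, body in entries]
    data = b"".join(recs)
    free_off = CHUNK_HDR + len(data)
    hdr = CHUNK_SIG + struct.pack("<QQQQIIII", 1, len(recs), entries[0][0], entries[-1][0],
                                  128, free_off - len(recs[-1]), free_off,
                                  zlib.crc32(data) & 0xFFFFFFFF)
    hdr += bytes(64) + struct.pack("<I", 0) + bytes(4)    # unused, flags, checksum placeholder
    chunk = bytearray(hdr + bytes(CHUNK_HDR - 128) + data)  # empty string/template tables
    chunk += bytes(CHUNK_SIZE - len(chunk))
    struct.pack_into("<I", chunk, 124, chunk_header_crc(bytes(chunk)))
    return bytes(chunk)


def sample_memory():
    """Junk, one chunk at an unaligned offset, then a stray signature with no chunk behind it."""
    ft = int((datetime(2015, 10, 21, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    chunk = build_sample_chunk([(4660, ft, b"<fake binxml 1>"),
                                (4661, ft + 50_000_000, b"<fake binxml 2>")])
    return bytes(777) + chunk + b"noise" + CHUNK_SIG + bytes(64)


if __name__ == "__main__":
    for offset, info in scan_memory(sample_memory()):
        print(f"chunk @ {offset:#x} records {info['first_record_id']}-{info['last_record_id']} "
              f"header_crc_ok={info['header_crc_ok']} data_crc_ok={info['data_crc_ok']}")
        for r in info["records"]:
            print(f"  record {r['id']} written {r['written'].isoformat()} ({len(r['binxml'])} bytes binxml)")
```

Two design choices matter for memory images rather than files on disk: the scanner searches for the chunk signature at any byte offset rather than assuming page alignment, because a dump can contain chunks from paged-out or freed buffers, and it reports checksum failures instead of rejecting the chunk, because a header whose CRC no longer matches usually still holds recoverable records that an investigator wants to see, flagged as unverified.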
Recommended Citation
Veca, Matthew, "Extracting Windows event logs using memory forensics" (2015). University of New Orleans Theses and Dissertations. 2119.
https://scholarworks.uno.edu/td/2119
Rights
The University of New Orleans and its agents retain the non-exclusive license to archive and make accessible this dissertation or thesis in whole or in part in all forms of media, now or hereafter known. The author retains all other ownership rights to the copyright of the thesis or dissertation.