Access event logs from Windows recovery mode

Sometimes this happens: your computer stops booting correctly and needs to be fixed, and even safe mode doesn’t help. You don’t know the reason for the fault – it may be a hardware failure or a driver bug – but you don’t want to reinstall the operating system. There is a good chance that the Windows logs contain useful information for troubleshooting. However, you cannot boot…
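As an added example (not code from the post or from Event Log Explorer), the analysis half of that task in PowerShell: a System.evtx copied out of the unbootable installation is opened offline on a working machine, the last OS start is located, and the errors of that boot attempt are listed. The rescue path, the drive letters in the comments and the seven-day window are assumptions made here; the Kernel-General event 12 ("operating system started") marker is standard Windows behaviour.

```powershell
# Added example: read a System log copied out of an unbootable Windows installation.
# In the WinRE command prompt the log lives at <OSdrive>:\Windows\System32\winevt\Logs\System.evtx
# (inside WinRE the OS volume is frequently not C:; check with "dir" or diskpart first).
# Copy it to a USB stick, then run this on a working machine. $LogFile is a placeholder path.
$LogFile = 'E:\rescue\System.evtx'

# -Oldest returns records in the order they were written, which is what we want for a timeline.
$events = Get-WinEvent -Path $LogFile -Oldest

# Microsoft-Windows-Kernel-General event 12 marks every OS start; the last one is the failed boot.
$lastBoot = $events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' -and $_.Id -eq 12 } |
    Select-Object -Last 1

$sinceBoot = if ($lastBoot) {
    $events | Where-Object { $_.TimeCreated -ge $lastBoot.TimeCreated }
} else {
    $events   # no start marker found: fall back to the whole log
}

# Critical (1), Error (2) and Warning (3) records from that boot attempt, first message line only.
$sinceBoot |
    Where-Object { $_.Level -in @(1, 2, 3) } |
    Select-Object TimeCreated, Level, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Which components raise the most errors in the failed boot: a quick pointer to the culprit driver/service.
$sinceBoot |
    Where-Object { $_.Level -le 2 } |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Message column is rendered from the provider's message resources on the analysis machine; for a third-party driver that is not installed there, Message is empty and only the event ID and the event data survive, so keep the ID and ProviderName columns in the output.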

Filtering all the way

You have probably read in the documentation that Event Log Explorer provides five ways to filter events. In this article, I will explain when you should use each of them. First, we can classify filters by when they are applied: Pre-load filter. This filter is applied to the event log before loading, so only the required events are loaded. On-load filter. This filter…

Saving event logs to one event log file

When working with event logs, you may find that you have dozens of saved event log files that you occasionally need to review, and opening each one in turn is tedious. Of course, you can open all these files at once (the “Open log file” dialog lets you select multiple files), or you can simply drag the files from Windows Explorer into Event Log…

Process tracking with Event Log Explorer

When performing forensic analysis or a system audit, you may want to track which programs ran on the investigated computers. Windows security auditing lets you enable process tracking to monitor process creation and termination. To enable process auditing, use the Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc): configure Security Settings -> Audit Policy -> Audit Process Tracking, or use…
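As an added example (not code from the post or from Event Log Explorer), the same audit setting switched on from an elevated PowerShell prompt with auditpol, followed by a query that pulls the resulting Security-log records. It assumes Windows Vista/Server 2008 or later (the advanced audit subcategories) and that the caller may read the Security log; the 24-hour window and the column names are choices made for this example. Event 4688 (process created) and 4689 (process exited) are the standard IDs that process tracking produces.

```powershell
# Added example: enable process tracking and read the resulting Security events.
# Run from an elevated prompt. 4688 = a new process has been created, 4689 = a process has exited.

# 1. Turn on the advanced subcategories behind "Audit process tracking".
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:disable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:disable

# 2. Optional (Windows 8.1 / Server 2012 R2 and later): include the command line in 4688.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Query the last 24 hours (window chosen for this example).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4. Read the fields from the event XML rather than from the localized Message text.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.GetAttribute('Name')] = $x.InnerText }
    if ($e.Id -eq 4688) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = 'start'
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Pid     = $d['NewProcessId']        # hex string, e.g. 0x1a2c
            Image   = $d['NewProcessName']
            Parent  = $d['ParentProcessName']   # present from Windows 10 / Server 2016
            CmdLine = $d['CommandLine']         # present only when step 2 is enabled
        }
    } else {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = 'exit'
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Pid     = $d['ProcessId']
            Image   = $d['ProcessName']
            Parent  = $null
            CmdLine = $null
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

Process tracking records every process on the machine, service children included, so on a busy server the Security log fills quickly; raise its maximum size (wevtutil sl Security /ms:<bytes>) or archive it regularly before enabling this in production.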

Automating event log backup

Recently we received a question from a customer about regularly backing up the System and Application event logs. He wanted to back up only local logs, but let’s extend the task to remote logs as well. So our task is to back up the System and Application event logs from the local computer and from a remote machine (SERV1) into a folder twice a week. Let’s try…
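As an added example (not the post's own solution and not Event Log Explorer code), one way to do that task with built-in tools: wevtutil exports each log as a genuine .evtx file into a dated folder, a remote export runs on SERV1 through PowerShell remoting and is pulled back over the admin share, and a scheduled task fires twice a week. The script name Backup-EventLogs.ps1, the backup root, the Monday/Thursday schedule and the 90-day retention are assumptions made here; it also assumes WinRM is enabled on SERV1 and that the task account is a local administrator on both machines.

```powershell
# Added example: Backup-EventLogs.ps1 (hypothetical name). Exports System and Application
# from this machine and from SERV1 into <BackupRoot>\<timestamp>\ and prunes old backups.
param(
    [string]$BackupRoot  = 'D:\EventLogBackup',                  # placeholder
    [string[]]$Computers = @($env:COMPUTERNAME, 'SERV1'),
    [string[]]$Logs      = @('System', 'Application'),
    [int]$KeepDays       = 90,
    [switch]$Register    # one-time: create the scheduled task, then exit
)

if ($Register) {
    # "Two times a week": Mondays and Thursdays at 02:00. SYSTEM works for the local export;
    # for the remote one in a domain, prefer a dedicated (group managed) service account.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday, Thursday -At 2am
    Register-ScheduledTask -TaskName 'EventLogBackup' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($computer in $Computers) {
    foreach ($log in $Logs) {
        $name = "$computer-$log-$stamp.evtx"
        if ($computer -ieq $env:COMPUTERNAME) {
            # "wevtutil epl" writes a real .evtx, so the file opens later like any saved log.
            & wevtutil.exe epl $log (Join-Path $dest $name)
            if ($LASTEXITCODE -ne 0) { Write-Warning "wevtutil epl $log failed ($LASTEXITCODE)" }
        } else {
            # Export on the remote host and move the file back over the admin share. This avoids
            # wevtutil's /r: switch, whose export path is resolved on the remote machine.
            $remotePath = "C:\Windows\Temp\$name"
            try {
                Invoke-Command -ComputerName $computer -ScriptBlock {
                    param($l, $p)
                    & wevtutil.exe epl $l $p
                    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl $l failed ($LASTEXITCODE)" }
                } -ArgumentList $log, $remotePath -ErrorAction Stop
                Move-Item -Path "\\$computer\C$\Windows\Temp\$name" -Destination $dest -ErrorAction Stop
            } catch {
                Write-Warning "Backup of $log from ${computer}: $_"
            }
        }
    }
}

# Retention: drop backup folders older than $KeepDays.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -Recurse -Force
```

Run it once with -Register from an elevated prompt to create the task; every later run is the task itself. Because the export is a copy and not a clear, the live logs keep rolling; if the intent is also to prevent loss when the log wraps, enable "Archive the log when full" on the source machines instead of relying on the twice-weekly snapshot alone.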

Tracking down who removed files

Let’s assume you have a shared folder on a server that is accessible to all employees in your company. Users commonly copy documents into this folder so that others can work with them. One day you discover that some files have unexpectedly disappeared from the shared folder. Usually this means that someone deleted them, deliberately or accidentally. Now we need to…
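As an added example (not code from the post or from Event Log Explorer), the standard way to get an answer to that question on the file server: object-access auditing plus a SACL on the share, and then a query that pairs the 4663 "delete access used" record with the 4660 "object deleted" record. The local path D:\Shared, the seven-day window and the HandleId|ProcessId correlation key are assumptions made here; the event IDs and the access-mask bits (DELETE = 0x10000, FILE_DELETE_CHILD = 0x40) are Windows constants.

```powershell
# Added example: who deleted files from a shared folder. Run elevated on the file server.
# 4663 = an attempt was made to access an object (we keep those with delete rights),
# 4660 = an object was deleted. $Share is a placeholder for the folder behind the share.
$Share = 'D:\Shared'

# 1. Success auditing for the File System subcategory (Object Access).
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. SACL: audit Delete and DeleteSubdirectoriesAndFiles by anyone, inherited by files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl = Get-Acl -Path $Share -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Share -AclObject $acl

# 3. When files go missing: collect 4663/4660 from the last week (window chosen here).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663, 4660; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$confirmed = @{}   # "HandleId|ProcessId" seen in a 4660, i.e. the delete really happened
$attempts  = @()
foreach ($e in $events) {
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.GetAttribute('Name')] = $x.InnerText }
    $key = "$($d['HandleId'])|$($d['ProcessId'])"
    if ($e.Id -eq 4660) { $confirmed[$key] = $true; continue }

    # AccessMask is hex text such as 0x10000; keep handles opened with DELETE or FILE_DELETE_CHILD.
    $mask = [Convert]::ToInt64($d['AccessMask'], 16)
    if (($mask -band 0x10000) -or ($mask -band 0x40)) {
        $attempts += [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']   # "System" when the delete came in over SMB
            Key     = $key
        }
    }
}

$attempts |
    Where-Object { $_.Object -like "$Share\*" -and $confirmed.ContainsKey($_.Key) } |
    Sort-Object Time |
    Select-Object Time, User, Object, Process |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the user in these events is the account that authenticated to the share, not the process on the client, and handle values are reused over time, so a 4663/4660 pair should also be close together in time; tighten the window if the folder is busy. Moving a file off the volume and overwriting it with "save" in some applications also show up as deletes, which is exactly what the SACL is meant to catch.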

Windows boot performance diagnostics. Part 2

If you have read the previous part of this article, you already know what the Microsoft-Windows-Diagnostics-Performance log is for, why similar events have different event types, and what information is “hidden” in the event details. Now it’s time to practice. First, we need to decide what we will try to optimize. Let’s display only startup, shutdown and standby/resume events; their event IDs are 100, 200 and 300…
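As an added example (not code from the article or from Event Log Explorer), the same selection made with Get-WinEvent: events 100, 200 and 300 from the Diagnostics-Performance log, with the total duration pulled from the event details and a per-kind summary so the slowest transitions stand out. The BootTime and ShutdownTime field names for events 100 and 200 are the standard ones; the field names of event 300 differ between Windows versions, so the script falls back to the largest numeric "…Time/…Total" field, which is a heuristic chosen for this example.

```powershell
# Added example: startup (100), shutdown (200) and standby/resume (300) events with durations.
# Run elevated; the log is present from Windows Vista onward.
$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$kinds = @{ 100 = 'startup'; 200 = 'shutdown'; 300 = 'standby/resume' }

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 100, 200, 300 } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.GetAttribute('Name')] = $x.InnerText }

    # Total duration in milliseconds, taken from the event details.
    $ms = switch ($e.Id) {
        100 { $d['BootTime'] }
        200 { $d['ShutdownTime'] }
        300 {
            # Heuristic (assumption made here): largest numeric field ending in Time or Total.
            $d.GetEnumerator() |
                Where-Object { $_.Key -match '(Time|Total)$' -and $_.Value -match '^\d+$' } |
                ForEach-Object { [long]$_.Value } |
                Sort-Object -Descending |
                Select-Object -First 1
        }
    }
    $sec = if ($ms) { [math]::Round([double]$ms / 1000, 1) } else { $null }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Kind    = $kinds[$e.Id]
        Level   = $e.LevelDisplayName   # Warning/Error/Critical: same event, worse the longer it took
        Seconds = $sec
    }
}

# The ten slowest transitions, then the count / average / maximum per kind.
$rows | Sort-Object Seconds -Descending | Select-Object -First 10 | Format-Table -AutoSize

$rows | Where-Object { $_.Seconds -ne $null } | Group-Object Kind | ForEach-Object {
    $m = $_.Group | Measure-Object Seconds -Average -Maximum
    [pscustomobject]@{
        Kind   = $_.Name
        Count  = $_.Count
        AvgSec = [math]::Round($m.Average, 1)
        MaxSec = $m.Maximum
    }
} | Format-Table -AutoSize
```

To dig into one slow boot, dump the whole $d hashtable for that event: the 100 record breaks the total into kernel, driver, device and post-boot phases, which is the information the "hidden" event details referred to above.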

Windows boot performance diagnostics. Part 1

Have you ever noticed that your computer has started booting slowly, or that it resumes slowly from hibernation? Perhaps you observe performance problems during shutdown or hibernation? In this article, I will show how you can use Event Log Explorer to find performance problems linked to the startup/shutdown/hibernate/resume processes. Starting from Windows Vista, Microsoft provides a number of event logs for different system…

9 Vendors of Digital Forensics You May Have Missed. Part 2

In the previous post we talked about 010 Editor, Event Log Explorer, ElcomSoft and Oxygen forensic solutions. In this post, we continue our brief review of prominent forensic tools. Next on our list is Belkasoft. Belkasoft Evidence Center 2016: Belkasoft Evidence Center is an all-round forensic solution for locating, extracting and reviewing digital evidence stored on desktop computers, laptops and mobile devices. The Belkasoft product…

Event Log Explorer Forensic Edition Preview

Several days ago, we published a preview of the new edition of Event Log Explorer – the Forensic Edition. Here I will show what benefits you can get from this edition. First, I should say that it is currently fully compatible with the standard edition of Event Log Explorer: it uses the same workspace, the same settings and, for now, the same registration key. By…