Taking snapshots is one of the great new features in the Forensic Edition. Whenever you need to save a set of events for future analysis, you can take a snapshot and then load it without access to the original log or log file. Snapshots are like event log backups, but there are some differences.
While backups work with the entire event log (or, in some cases, with event logs filtered by an XML query), you can take a snapshot from a log view or even from individual events. Backing up from remote computers can be painful because it involves extra administration tasks such as sharing resources and granting permissions. Unlike backups, snapshots are much easier to take. It’s just like event export, but you can load the snapshot and work with it as you would work with an event log file. Also, you can optionally save the current time zone and custom fields into the snapshot. Note that snapshots contain the rendered descriptions and task category names, so you don’t need to have the specific components (DLL or EXE files) on your computer to display the text correctly.
Some situations when snapshots may help you:
- You connected to a remote computer, opened an event log and want to save it locally.
- You opened a large log file, filtered events and you want to continue working with these events only. It is always easier to work with smaller files — filtering and sorting operations are faster.
- You opened an event log and have concerns about some events. You can bookmark these events and save them as a snapshot. Then you can send this snapshot to another person for research.
- You merged different logs from different computers in one log view and want to save it as one file for further exploring.
It is very easy to take and load snapshots with Event Log Explorer.
To take a snapshot from the active log view, select Forensics->Take snapshot from the main menu and click the OK button.
To load a snapshot, select Forensics->Load snapshot from the main menu.