In this article, I will show how to work with damaged event log files. Event Log Explorer forensic edition can extract events from damaged files.
Let’s take a log file (e.g. a security log file) and open it with Event Log Explorer using File -> Open Log File.
Event Log Explorer opens this file as it always does.
Now we will intentionally corrupt this log. I will modify several bytes (commonly, it’s enough to change only 1 bit) with any hex editor. Corruption does not require someone deliberately damaging an event log (that is not easy); such issues may also occur because of technical defects like hardware failures, driver errors, etc.
Now if you try to open this event log file, Event Log Explorer will display zero events:
You can see a red sign near the navigation buttons. If you hover your mouse over this sign, you will see a message “The event log file is corrupted”.
A similar problem occurs if you open this log in Windows Event Viewer:
Event Viewer cannot open the event log or custom view. Verify Event Log service is running or query is too long. The event log file is corrupted (1500).
However, it’s still possible to read events from this log file!
Select Forensics -> Forensic Open File and change File Access Method to Direct Access Method.
This feature will open your log file!
Note that in my case, it displays fewer events than it displayed for the original event log, but this is better than 0 events anyway.
Let’s make more changes to the log and fill the first 8K with random bytes.
If you try to open it using the Direct Access Method as before, Event Log Explorer will fail to open it. However, you can use the Deep Scan option. Open Forensic -> Deep Scan, select your file and press OK.
Event Log Explorer will scan your files for events.
You can use deep scan not only for event log files. You can scan disk images including virtual disks or even physical or logical disks.
Deep scan may help you to find more events even if you have undamaged event log files. E.g. if a log was cleared, you can still find cleared events on the disk if they were not overwritten.
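To illustrate the principle behind a deep scan, here is an added example (not Event Log Explorer’s code) that carves EVTX event records out of raw bytes by locating the record signature, validating the header and the trailing size copy, and decoding the written FILETIME. The input buffer is constructed inline and its record payloads are opaque filler, not real binary XML.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"  # "**\0\0": start of every EVTX event record
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def carve_records(blob, min_size=28, max_size=65536):
    """Scan raw bytes (a damaged file or a disk image) for EVTX event records.

    Record header: magic (4), size (uint32), record id (uint64), written
    FILETIME (uint64); the last 4 bytes of a record repeat its size.  A hit
    is accepted only if the size is plausible and the trailing copy matches,
    which filters random junk that happens to contain the magic.
    """
    found = []
    pos = blob.find(RECORD_MAGIC)
    while pos != -1:
        if pos + 24 <= len(blob):
            size, rec_id, written = struct.unpack_from("<IQQ", blob, pos + 4)
            end = pos + size
            if (min_size <= size <= max_size and end <= len(blob)
                    and struct.unpack_from("<I", blob, end - 4)[0] == size):
                found.append({"offset": pos, "size": size, "record_id": rec_id,
                              "written": filetime_to_dt(written)})
                pos = blob.find(RECORD_MAGIC, end)  # resume after this record
                continue
        pos = blob.find(RECORD_MAGIC, pos + 1)  # false hit: keep scanning
    return found

def make_record(rec_id, written_ft, payload):
    """Build a constructed record: header + opaque payload + trailing size copy."""
    size = 24 + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, written_ft)
            + payload + struct.pack("<I", size))

# Constructed sample: overwritten leading bytes (as if the file header were
# destroyed), two valid records, a decoy whose trailing size does not match,
# then more junk.  FILETIME values are arbitrary constants (late 2014).
SAMPLE = (b"\xde\xad" * 16
          + make_record(101, 0x01D0000000000000, b"A" * 40)
          + b"\x00" * 7
          + make_record(102, 0x01D0000000002710, b"B" * 12)
          + RECORD_MAGIC + struct.pack("<IQQ", 40, 999, 0) + b"Z" * 16
          + b"\xff" * 32)

if __name__ == "__main__":
    for rec in carve_records(SAMPLE):
        print(rec)
```

The same loop can be pointed at a disk image read in chunks; records from a cleared log that were not overwritten show up exactly like the ones here.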
Download Event Log Explorer Forensic Edition and try Deep scan and Direct file access options with your files!