![\"\"](\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2022\/05\/EventViewer-Hide-Logon-4624.png\")
<\/a><\/p>\nClick \u201cSave Filtered Log File As\u201d and save it as EVTX file.<\/p>\n
Voila, you have a new event log file with removed events. You can open it with Event Viewer or Event Log Explorer and don\u2019t even expect that it\u2019s not an authentic event log. Of course, a real malefactor should replace a live event log with the forged one, but it\u2019s not an impossible task. If s\/he has a physical access to the computer, it\u2019s possible to replace C:\\Windows\\System32\\WinEvt\\Logs\\Security.evtx by loading the computer in recovery console. It\u2019 much harder to forge the log remotely, but still possible by exploiting system vulnerabilities (e.g \u201cVault 7\u201d hacking tool set lets you exploit such vulnerabilities and remove events).<\/p>\n
And how can we detect if the examined event log file misses events? We discovered that Event Viewer (more accurately Event Log API) just copies the events into a new file as is. So, all events in the new log file will have the same record number as they had in the original event log. If we scan all the events, we can easily detect missed record numbers.<\/p>\n
This functionality is implemented in Event Log Explorer Forensic Edition. Select Forensics from the main menu, click Forensic Open File, add your files by clicking Add button and enable option \u201cCheck log files for deleted events\u201d. You will have the list of potentially deleted events.<\/p>\n
You may be wondering if it is possible to forge an event log in such a way that it will fix the record numbers making it indistinguishable from non-edited log. It was easy for legacy evt logs, but very hard for the modern evtx event logs. I cannot state that it\u2019s impossible, however I never seen any tools or a sample code that can do such tricks. That\u2019s why I believe that Event Log Explorer can detect events deletion in event logs.<\/p>\n Download Event Log Explorer Forensic Edition<\/a> and check if your log files have no deleted events!<\/p>\n Although Standard Edition of Event Log Explorer works with event log files perfectly, you may need more functionality when analyzing damaged or intentionally modified event log files. I\u2019m starting a series of articles about the advanced use of Event Log Explorer Forensic Edition with files. Let\u2019s imagine that you examine an event log with removed events. If you believe that it\u2019s impossible to remove events\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":534,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[40,7],"tags":[51,67,49],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/531"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=531"}],"version-history":[{"count":3,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/531\/revisions"}],"predecessor-version":[{"id":537,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/531\/revisions\/537"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/534"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\n<\/a><\/a><\/a><\/a><\/a><\/a>","protected":false},"excerpt":{"rendered":"