Deep Scan lets you extract events from any file or disk. You can use it to find events in highly damaged event log files, deleted log files, logical or physical disks or disk images you cannot to mount. Event Log Explorer scans file or disk byte by byte and looks for the Event Log Chunk signature (ElfChnk). When it finds ElfChnk signature, it verifies if the next 65536 bytes of the scanned source represent an event chunk and tries to extract events from it. This lets you extract events from virtually any source provided that it is not encrypted. When you want to scan a logical or a physical drive, you may need to start Event Log Explorer elevated or you may get the Access-denied error. If you have an encrypted disk or image, you should either decrypt it or mount it to get access to the disk content.

 

To start scanning of a file or a disk, select Forensics->Deep Scan from the main menu.

Scan file - input name of the file to scan. It could be evtx file or any other file including disk image.

Scan disk - input a logical or a physical name of the disk to scan.

Event loading criteria - lets you filter events by scanning. E.g. if you want to scan only for Security events, click Events matching criteria click Add near the Channel names box and type Security in the Input channels name dialog.

 

If you scan an entire disk or a disk image, this operation may take long time.