Event Log Explorer Viewer
 user guide

25.1. Imaged Computer

Event Log Explorer Forensic Edition simplifies working with disk images. When you examine logs from a disk image without using Event Log Explorer Forensic Edition, you should either extract the files located in \Windows\System32\winevt\Logs\ from the image or mount the image and access these files. In both cases, you open evtx files, but you see only the information saved in these evtx files. The viewer may not display event descriptions, task categories or user names unless it can render them locally. For example, if you open a Security log file, your local computer commonly contains the components required to render the task category and event description. The user name is commonly set to N/A for the Security log.
However, if you open an application log or other event logs, you may find that the event description for some events cannot be found, the task category displays a number in parentheses, and the user name displays a user SID, e.g. S-1-5-21-2251232950-2328508685-887570584-1001.
To fix these rendering problems, Event Log Explorer lets you access the disk the same way you access a live computer.
First, if you work with a disk image, you should mount your image as a disk.
To add Imaged Computer to the tree, select Forensics->Add imaged computer from the main menu.
Windows root folder - specify the path to the Windows folder on the examined disk. Event Log Explorer tries to detect this path automatically.
Friendly name of PC - specify the name of the PC as it will be displayed in the tree.
The new imaged computer will be added to the tree, and you can work with it exactly as you work with a local computer. When you work with the imaged computer, Event Log Explorer emulates the Event Log service and resolves descriptions, categories and user names.
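
The raw SID display described above can be triaged before mounting an image. The following Python sketch is an added example, not part of Event Log Explorer: it parses SID strings taken from exported events and separates well-known SIDs, which any analysis workstation can name, from S-1-5-21 account SIDs, whose names are known only to the issuing machine or domain. The function names, the small well-known table and the sample list are assumptions made for illustration.

```python
import re

# Small subset of well-known SIDs that resolve on any Windows machine (illustrative table).
WELL_KNOWN = {
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# RIDs that are the same under every machine or domain identifier.
FIXED_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def triage_sid(sid):
    """Return (resolves_locally, note) for a SID string from an event record."""
    sid = sid.strip().upper()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    if sid in WELL_KNOWN:
        return True, WELL_KNOWN[sid]
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    # S-1-5-21-<three 32-bit values>-<RID>: account issued by one machine or domain.
    if m.group(1) == "5" and len(subs) == 5 and subs[0] == 21:
        issuer = "-".join(str(x) for x in subs[1:4])
        rid = subs[4]
        default = "account created on that system" if rid >= 1000 else "built-in account or group"
        kind = FIXED_RIDS.get(rid, default)
        return False, f"issuer {issuer}, RID {rid} ({kind})"
    return False, "not in the well-known table; treat as unresolved"


def unresolved(sids):
    """SIDs that will stay as raw strings unless the source system is available."""
    return [s for s in sids if not triage_sid(s)[0]]


# Constructed sample: the SID quoted in the text plus two well-known SIDs.
SAMPLE = [
    "S-1-5-18",
    "S-1-5-21-2251232950-2328508685-887570584-1001",
    "S-1-5-32-544",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, triage_sid(s))
```

SIDs returned by `unresolved` are the ones for which adding the disk as an imaged computer matters, since their names are not available on the examiner's workstation.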