
FixEvt - A digital forensics tool for repairing damaged log files

Rich Murphey - FixEvt

FixEvt is a tool for automating the recovery and analysis of Windows NT5 (XP and 2003) event logs, primarily for computer forensics. It is described in the Journal of Digital Investigation article "Automated Windows event log forensics", presented at the Digital Forensics Research Workshop in August 2007. It is based in part on a manual method described by Stephen Bunting. The article discusses forensic procedures and log analysis methods in the context of a case study that illustrates the motivation for the tool.

This tool was initially developed to meet the immediate needs of computer forensic engagements. It fills a gap between the capabilities of other freely available tools that can be used to recover and correlate large volumes of log events, and can thus be used to enhance the search for correlations with various other kinds of Windows artifacts.

Automating the recovery, repair, and correlation of multiple logs is intended to make these methods more feasible to consider in a wider range of cases and in earlier phases of cases and, hopefully, in turn, in standard procedures.

The paper examines issues that may be relevant to determinations regarding admissibility of the methods, including accuracy, error rates and scientific basis. In addition, the author is available for consultation and testimony regarding such issues.

