
The Research On Recovery And Forensics For Windows EVTX Logs

Posted on: 2019-08-06
Degree: Master
Type: Thesis
Country: China
Candidate: J K Sun
Full Text: PDF
GTID: 2428330548476380
Subject: Software engineering
Abstract/Summary:
In the Microsoft Windows operating system, EVTX logs record events that occur in the system or in software. Because EVTX logs can reveal clues about a crime, Windows log forensics has become one of the research hotspots in computer forensics. Recovering deleted logs is an important part of log forensics, but relatively few papers have been published on file recovery for EVTX logs. Based on file carving technology, this thesis studies how to recover removed EVTX logs without relying on system metadata.

First, very little documentation is available describing the EVTX log format or its source code, so it is difficult to analyse the characteristics of the file structure and the meaning of its fields from binary data alone. This thesis analyses that structure and describes the relationship between file fragments, which is the basis of the recovery algorithm. Second, we propose two recovery algorithms based on the file header that remove the dependence on system metadata. To recover fragmented EVTX logs, a recovery algorithm based on the characteristics of the file structure is proposed: the clusters belonging to EVTX logs are pinpointed while scanning the whole system image for those structural characteristics, and discriminators and a reassembly algorithm reorder and merge the file fragments into complete chunks. Only complete chunks can be used to generate EVTX logs. Experiments demonstrate that our algorithm can restore EVTX logs from different Windows operating systems; at an accuracy rate of 100%, the lowest recovery rate is 85%.

Since EVTX logs carry three types of checksum to verify the integrity of a log file, any corruption means the log cannot be opened by Windows, so the fragments of a corrupted log file will not be merged. To reconstruct the binary XML data, this thesis studies the proprietary binary XML encoding used by Windows to find the relationship between the substitution array and the XML template. The only way to collect information from corrupted logs is to match the original XML template and store the generated plain-text XML in another file format (e.g. a text file). Experiments demonstrate that this method improves the recall rate and F-value: at an accuracy rate of 98%, the lowest recovery rate reaches 95%. The experiments also demonstrate that we recover as many records as possible from the remaining part, because the sum of the accuracy rate and the recall rate is always close to 100%.

In summary, recovery based on the characteristics of the file structure resolves the problems of metadata dependence and file fragmentation. In addition, we study binary XML technology to recover as many records as possible from the remaining part when a log file is partly overwritten.
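The following Python is an added illustration of the header-based carving and checksum validation described above; it is not code from the thesis. It signature-scans a raw image for EVTX chunks, keeps only chunks whose header CRC32 and event-record CRC32 (two of the three checksum types mentioned) verify, and separately walks the record chain so that records can still be counted in a chunk whose checksum fails. Field offsets follow the publicly documented EVTX chunk layout; the sample image is constructed inside the block.

```python
import struct
import zlib
CHUNK_SIG, RECORD_SIG = b"ElfChnk\x00", b"\x2a\x2a\x00\x00"  # chunk / event-record magic
CHUNK_SIZE, RECORDS_OFF = 0x10000, 512  # chunks are 64 KiB; records start at offset 512

def chunk_is_intact(chunk: bytes) -> bool:
    """Header CRC32 covers bytes 0-119 and 128-511; records CRC32 covers 512..free-space offset."""
    if len(chunk) < CHUNK_SIZE or chunk[:8] != CHUNK_SIG:
        return False
    free_off, rec_crc, hdr_crc = struct.unpack_from("<II68xI", chunk, 48)  # offsets 48, 52, 124
    if not RECORDS_OFF <= free_off <= CHUNK_SIZE:
        return False
    return (zlib.crc32(chunk[:120] + chunk[128:512]) == hdr_crc
            and zlib.crc32(chunk[RECORDS_OFF:free_off]) == rec_crc)

def count_records(chunk: bytes) -> int:
    """Walk records (magic, size, id, FILETIME, payload, size copy) until the chain breaks."""
    free_off = struct.unpack_from("<I", chunk, 48)[0]
    pos, n = RECORDS_OFF, 0
    while pos + 28 <= free_off and chunk[pos:pos + 4] == RECORD_SIG:
        size = struct.unpack_from("<I", chunk, pos + 4)[0]
        if size < 28 or pos + size > free_off or chunk[pos + size - 4:pos + size] != chunk[pos + 4:pos + 8]:
            break  # leading size and trailing size copy disagree: record is damaged
        pos, n = pos + size, n + 1
    return n

def carve_chunks(image: bytes) -> list:
    """Signature-scan a raw image; report (offset, record count) for intact chunks only."""
    found, pos = [], image.find(CHUNK_SIG)
    while pos != -1:
        chunk = image[pos:pos + CHUNK_SIZE]
        if chunk_is_intact(chunk):
            found.append((pos, count_records(chunk)))
        pos = image.find(CHUNK_SIG, pos + 1)
    return found
# Constructed sample data: shaped like an EVTX chunk, not taken from a real log.
def build_record(rec_id: int, payload: bytes) -> bytes:
    size = 28 + len(payload)
    return RECORD_SIG + struct.pack("<IQQ", size, rec_id, 0) + payload + struct.pack("<I", size)

def build_chunk(records: list) -> bytes:
    body, hdr = b"".join(records), bytearray(512)
    struct.pack_into("<8sQQQQI", hdr, 0, CHUNK_SIG, 0, len(records) - 1, 1, len(records), 128)
    struct.pack_into("<III", hdr, 44, RECORDS_OFF + len(body) - len(records[-1]),
                     RECORDS_OFF + len(body), zlib.crc32(body))
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120] + hdr[128:512]))
    return (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")

SAMPLE_CHUNK = build_chunk([build_record(i + 1, b"<stub-binxml/>" * 3) for i in range(4)])
DAMAGED_CHUNK = SAMPLE_CHUNK[:600] + b"\xff" + SAMPLE_CHUNK[601:]  # one overwritten byte
IMAGE = b"\x00" * 4096 + SAMPLE_CHUNK + b"junk" * 1024 + DAMAGED_CHUNK + b"\x00" * 512
```

Running `carve_chunks(IMAGE)` reports only the intact chunk at offset 4096, while `count_records(DAMAGED_CHUNK)` still walks all four records because the overwritten byte hit a FILETIME field rather than a size field.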
Keywords/Search Tags: Windows forensics, EVTX logs, Data recovery, File carving, Binary XML