Comments on Computer Forensics and Incident Response: Bill

Andreas, 2007-05-24 07:02 (+00:00):

Frank Heyne, author of several tools to analyze Windows event log files, posted some interesting observations on Vista and NT style event logs: http://www.heysoft.de/Frames/Vista_Remarks1_en.htm

Andreas, 2007-05-07 23:05 (+00:00):

Bill,

thanks a lot for your detailed description. The file seemingly consists of a header and the cursor (aka footer) records. While the header looks OK, the cursor does not. Assuming that only null bytes follow, the cursor points into empty space.

I found a similar file on my test system (the only one with IE7). The file is named Windows.evt. Again the header is OK and the cursor record seems to be garbled. The offsets and record numbers are different from yours, but mine certainly are from a different installer package (German locale).

Also the configuration in the registry is incomplete. There should be at least a "File" entry pointing to your Internet.evt. (It was missing on my system, too. I created one but I still can't get IE7 to log anything.)

So obviously something went wrong either during packaging or the installation of IE7.