I was trying to use PhotoRec 6.13 (Windows 7 64 bit and 32 bit both) and trying to recover event logs. Win7 event logs are evtx files, so I used the wvutil tool to convert them into evt. Then I deleted them and ran PhotoRec, but they do not show up. .jpg and other formats work fine.
My question is: is this supported as of now in PhotoRec and Windows 7? The strange aspect was that when I tried to run fidentify it showed the evt file as: unknown. Any idea what might be wrong? Or is there any flag /debug /log which I can turn on and find useful info?
Thanks for your time
						Regarding windows evt File
					Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Re: Regarding windows evt File
Did you add your extension/file type using fidentify for your session?
http://www.cgsecurity.org/wiki/Add_your ... o_PhotoRec
If you recover files, in your first folder recup_dir.1 you'll find a report.xml file which provides info.
Current versions don't create a log anymore.
If you want to run with /log /debug you can do the following:
Run your command prompt as an administrator.
Go to Start.
Write cmd in "search programs and files".
Press both the Ctrl key and Shift and press Enter.
Confirm to proceed with your command prompt as administrator.
At the prompt, write:

cd

and press space. Copy the path to your TestDisk folder.
Example:

C:\Users\Fiona\Downloads\testdisk-6.14-WIP.win\testdisk-6.14-WIP

Write:

photorec_win.exe /log /debug
Re: Regarding windows evt File
Thanks Fiona,
Those are very helpful tips. The problem was however different. Anyway, I never guessed it could happen.
MS has this tool called wvutil which can convert evtx to evt. But that conversion is bogus as it does not change the header info. Their tool LogParser is able to detect it because probably it does not care for this info. PhotoRec never detects it as the header is still EVTX and evtx support is not there.

pdam@pdam-lp ~
$ hexdump -C   /cygdrive/d/tp/data/original.evt   |  head
00000000  45 6c 66 46 69 6c 65 00  00 00 00 00 00 00 00 00  |.00Elf.........|
00000010  17 00 00 00 00 00 00 00  8e 08 00 00 00 00 00 00  |................|

This is evtx format only.
When I take a file from Windows XP it works:

$ hexdump -C   /cygdrive/d/tp/data/a.evt   |  head
00000000  45 6c 66 46 69 6c 65 00  00 00 00 00 00 00 00 00  |...LfLe.........|
00000010  17 00 00 00 00 00 00 00  8e 08 00 00 00 00 00 00  |................|

Verified PhotoRec source code:

/* file_evt.c: legacy EVT header, 32-bit header length 0x30 followed by the "LfLe" signature */
static const unsigned char evt_header[8]= {0x30, 0x00, 0x00, 0x00, 'L', 'f', 'L', 'e'};

BTW, I am writing a parser for evtx. Hopefully I should be able to add some contribution to the great open source community. Here are some changes I have to do in file_evt.c:
- The EVTX format contains additional fields in each log record
- Header signature changed
- Streaming binary XML, so we need to trim out unnecessary data
- The Microsoft Vista event log contains two new fields: the keyword field and the opcode field. These are in addition to the traditional fields first introduced in the legacy EVT file format
- User information is no longer present in the User field of Security logs
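As an added example (not PhotoRec's own file_evt.c and not Pratik's parser), here is a header check in C that separates the legacy EVT signature from the EVTX one, which is why a wvutil-"converted" file is still not matched by the EVT rule. The function and enum names are mine, the EVTX layout is assumed (the 4-byte header-size field with value 0x80 at offset 0x20), and the two sample headers are constructed rather than taken from the dumps above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kinds of event-log header a carver can recognise. */
typedef enum { EVTLOG_UNKNOWN = 0, EVTLOG_EVT = 1, EVTLOG_EVTX = 2 } evtlog_kind;

/* Legacy EVT: 32-bit header length 0x30 then the "LfLe" signature
 * (the same 8 bytes PhotoRec's file_evt.c checks). */
static const unsigned char evt_header[8] = {0x30, 0x00, 0x00, 0x00, 'L', 'f', 'L', 'e'};
/* EVTX: file header begins with "ElfFile\0". Assumed layout: the header
 * size field (4 bytes, little-endian, value 0x80) sits at offset 0x20. */
static const unsigned char evtx_header[8] = {'E', 'l', 'f', 'F', 'i', 'l', 'e', 0x00};
#define EVTX_HEADER_SIZE_OFFSET 0x20

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify a buffer by its header: a wvutil-"converted" file still starts
 * with "ElfFile" and therefore lands in the EVTX branch, never the EVT one. */
evtlog_kind evtlog_check_header(const unsigned char *buf, size_t len)
{
    if (len >= sizeof evt_header && memcmp(buf, evt_header, sizeof evt_header) == 0)
        return EVTLOG_EVT;
    if (len >= EVTX_HEADER_SIZE_OFFSET + 4 &&
        memcmp(buf, evtx_header, sizeof evtx_header) == 0 &&
        le32(buf + EVTX_HEADER_SIZE_OFFSET) == 0x80)
        return EVTLOG_EVTX;
    return EVTLOG_UNKNOWN;   /* too short, or neither signature */
}

/* Constructed sample headers (not the forum's dumps): the first 0x80 bytes of
 * an EVTX file as wvutil leaves it, and the first 0x30 bytes of an XP EVT file
 * (major version 1, minor version 1 follow the signature). */
static const unsigned char sample_evtx[0x80] = {'E', 'l', 'f', 'F', 'i', 'l', 'e', 0x00,
                                                [EVTX_HEADER_SIZE_OFFSET] = 0x80};
static const unsigned char sample_evt[0x30] = {0x30, 0x00, 0x00, 0x00, 'L', 'f', 'L', 'e',
                                               0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00};

int main(void)
{
    static const char *names[] = {"unknown", "evt", "evtx"};
    printf("wvutil output: %s\n", names[evtlog_check_header(sample_evtx, sizeof sample_evtx)]);
    printf("XP log:        %s\n", names[evtlog_check_header(sample_evt, sizeof sample_evt)]);
    return 0;
}
```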
Re: Regarding windows evt File
Hi All,
IIRC, if the format itself is changing, as in the case of evtx, would it work just by adding a custom signature? Also, is there a streaming media type that is currently recovered by PhotoRec? I was planning to base my solution on the code existing already for a binary stream type of format.
Thanks
Pratik