Posts tagged #anti-forensics

Signature carving EVTX records from unallocated space, pagefile, and memory — and the tools that handle malformed chunks gracefully when the live log is missing what you need.
How attackers clear Windows event logs, what evidence remains on disk and in forwarded channels, and the difference between wevtutil cl and thread-suspension tools like Invoke-Phant0m.