Pull EVTX Records from Unallocated Space and Memory Images with EVTXtract


EVTXtract is a digital forensics tool by Willi Ballenthin capable of recovering and reconstructing fragments of EVTX log files from raw binary data, including unallocated space and memory images.

Here is some background info from Willi’s GitHub:

EVTX records are XML fragments encoded using a Microsoft-specific binary XML representation. Despite the convenient format, it is not easy to recover EVTX event log records from a corrupted file or unallocated space. This is because the complete representation of a record often depends on other records found nearby. The event log service recognizes similarities among records and refactors commonalities into “templates”. A template is a fixed structure with placeholders that reserve space for variable content. The on-disk event log record structure is a reference to a template, and a list of substitutions (the variable content that replaces a placeholder in a template). To decode a record into XML, the event log service resolves the template and replaces its placeholders with the entries of the substitution array. Therefore, template corruption renders many records unrecoverable within the local 64KB “chunk”. However, the substitution array for the remaining records may still be intact. If so, it may be possible to produce XML fragments that match the original records if the damaged template can be reconstructed. For many common events, such as process creation or account logon, empirical testing demonstrates the relevant templates remain mostly constant. In these cases, recovering event log records boils down to identifying appropriate templates found in other EVTX chunks.

The tool is available for downloading from Willi’s GitHub.
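To make the carving problem concrete, here is an added example (not code from EVTXtract or from this page) that locates candidate EVTX records in a raw buffer and rejects false positives. It assumes the publicly documented record layout, which the page does not spell out: a 4-byte magic, a 32-bit size, a 64-bit record number, a 64-bit FILETIME, and a copy of the size in the record's last four bytes. The names `carve_records` and `make_record` are hypothetical, and the sample buffer is constructed. It does not decode the binary XML or resolve templates.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # assumed start-of-record signature
HEADER = struct.Struct("<4sIQQ")      # magic, size, record number, FILETIME
MAX_RECORD = 0x10000                  # a record cannot exceed its 64KB chunk

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def carve_records(buf):
    """Return (offset, record_number, timestamp, size) for each plausible record."""
    hits, pos = [], buf.find(RECORD_MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(buf):
            _, size, num, ft = HEADER.unpack_from(buf, pos)
            end = pos + size
            # Reject false positives: the size must be sane and must be
            # repeated in the last four bytes of the record.
            if HEADER.size + 4 <= size <= MAX_RECORD and end <= len(buf):
                (trailer,) = struct.unpack_from("<I", buf, end - 4)
                if trailer == size:
                    hits.append((pos, num, filetime_to_dt(ft), size))
                    pos = buf.find(RECORD_MAGIC, end)   # skip past this record
                    continue
        pos = buf.find(RECORD_MAGIC, pos + 1)
    return hits

def make_record(num, ft, payload):
    """Build a constructed record; payload stands in for the binary XML."""
    size = HEADER.size + len(payload) + 4
    return HEADER.pack(RECORD_MAGIC, size, num, ft) + payload + struct.pack("<I", size)

# Constructed sample: slack bytes, a valid record, a stray magic value with an
# implausible size, then a second valid record.
FT = 132854000000000000  # constructed FILETIME value
SAMPLE = (b"\x00" * 37 + make_record(1001, FT, b"A" * 40)
          + b"\xff" * 9 + RECORD_MAGIC + b"\x05\x00\x00\x00" + b"\xff" * 30
          + make_record(1002, FT + 10_000_000, b"B" * 64))

if __name__ == "__main__":
    for off, num, ts, size in carve_records(SAMPLE):
        print(f"offset={off:#x} record={num} size={size} time={ts.isoformat()}")
```

Records found this way still carry only a template reference and a substitution array, which is why the template recovery described above is needed before they can be rendered as XML.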
