For my forensic needs I am definitely sticking with Linux as a platform. Besides the great TSK (The Sleuth Kit) toolset, I can use foremost for data carving (extraction). BTW, I read that foremost is now available on Windows as well.
I had an image from a Windows XP machine which was badly damaged and could not be mounted. I needed to recover the event logs (the *.evt files) from it. Since the logs are binary, a Unicode or ASCII keyword search would not have turned up anything, so I used the foremost tool on Linux.
The hex signature of an evt file (its first 16 bytes: the 0x30-byte header record size, the "LfLe" magic, and the major/minor version 1/1, all as little-endian DWORDs) is:
\x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00
Knowing this, I constructed a foremost config file telling the tool exactly how I wanted the data carved. The fields of a config line are the output extension, a case-sensitivity flag (y/n), the maximum number of bytes to carve per hit, and the header signature. With the following line in the /usr/local/etc/foremost.conf.evt config file:
evt y 512000 \x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00
the tool will search for the signature and recover at most 512000 bytes after each hit, which should be enough to read the evt with some custom Python script or with fccu.evtreader.pl (www.d-fence.be). One caveat: the default maximum event log size on XP is 512 KB, i.e. 524288 bytes, so a log that has grown to its limit would be cut short by a 512000-byte carve; raise the value if you need the tail of such a log.
So, the recovery goes like this:
1. Construct the recovery command for foremost:
$ foremost -v -T -c /usr/local/etc/foremost.conf.evt -t all -i /z/image.dd
This will extract binary evt files (like 00000000.evt) from image.dd into foremost's output directory.
2. Run
$ fccu.evtreader.pl 00000000.evt
and get ASCII lines back for further processing.
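The carving signature and the recovery procedure above, as an added Python example that is not from the post, from foremost or from fccu.evtreader.pl: it scans a buffer for the same 16-byte header the foremost config line uses, then walks the EVENTLOGRECORD structures of the carved file (record number, time, event ID, type, source, computer, insertion strings) and stops cleanly at the EOF record or at a carve that was cut short. The two-event "Security" log and the surrounding disk-image bytes are constructed inline for the example; the function and dictionary key names are mine, while the field layouts are the documented ELF_LOGFILE_HEADER / EVENTLOGRECORD formats.

```python
import struct
from datetime import datetime, timezone

# The 16 bytes the foremost config line carves on: header record size 0x30,
# the "LfLe" signature, major version 1, minor version 1 (little-endian).
EVT_HEADER_SIG = b"\x30\x00\x00\x00LfLe\x01\x00\x00\x00\x01\x00\x00\x00"
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}


def find_evt_headers(data):
    """Every offset in a raw buffer where an EVT header starts (the search foremost does)."""
    offsets, pos = [], data.find(EVT_HEADER_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EVT_HEADER_SIG, pos + 1)
    return offsets


def _utf16z(buf, off):
    """NUL-terminated UTF-16LE string at off -> (text, offset just past the terminator)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2


def parse_evt(data):
    """Walk a (possibly carved and truncated) .evt: 48-byte header, then EVENTLOGRECORDs.
    Stops at the EOF record (0x11111111 marker instead of "LfLe") or at the first record
    that runs past the buffer, so a carve cut short still yields every complete record."""
    if data[:16] != EVT_HEADER_SIG:
        raise ValueError("not an EVT file: bad header signature")
    events, pos = [], 0x30
    while pos + 8 <= len(data):
        length, sig = struct.unpack_from("<I4s", data, pos)
        if sig != b"LfLe" or length < 0x38 or pos + length > len(data):
            break
        (rec_no, t_gen, _t_written, event_id, ev_type, n_str, _cat, _flags, _closing,
         str_off, sid_len, sid_off, _data_len, _data_off) = struct.unpack_from(
            "<IIIIHHHHIIIIII", data, pos + 8)
        source, p = _utf16z(data, pos + 0x38)   # variable part follows the 56 fixed bytes
        computer, _ = _utf16z(data, p)
        strings, p = [], pos + str_off
        for _ in range(n_str):
            s, p = _utf16z(data, p)
            strings.append(s)
        events.append({
            "record": rec_no,
            "time_generated": datetime.fromtimestamp(t_gen, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "event_id": event_id & 0xFFFF,   # low word is the ID Event Viewer shows
            "type": EVENT_TYPES.get(ev_type, str(ev_type)),
            "source": source, "computer": computer, "strings": strings,
            "sid": data[pos + sid_off:pos + sid_off + sid_len] if sid_len else b"",
        })
        pos += length
    return events


def build_record(rec_no, when, event_id, ev_type, source, computer, strings):
    """Constructed EVENTLOGRECORD for the example (offsets are relative to the record start)."""
    var = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    str_off = 0x38 + len(var)
    for s in strings:
        var += s.encode("utf-16-le") + b"\x00\x00"
    data_off = 0x38 + len(var)
    fixed = struct.pack("<IIIIHHHHIIIIII", rec_no, when, when, event_id, ev_type, len(strings),
                        0, 0, rec_no, str_off, 0, data_off, 0, data_off)
    length = (8 + len(fixed) + len(var) + 4 + 7) & ~7   # records are 8-byte aligned
    return (struct.pack("<I4s", length, b"LfLe") + (fixed + var).ljust(length - 12, b"\x00")
            + struct.pack("<I", length))


def build_evt(records):
    """Constructed .evt file: header, the records, then the 0x28-byte EOF record."""
    body = b"".join(records)
    end = 0x30 + len(body)
    header = EVT_HEADER_SIG + struct.pack("<IIIIIIII", 0x30, end, len(records) + 1, 1,
                                           0x80000, 0, 0, 0x30)
    eof = struct.pack("<IIIIIIIIII", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      0x30, end, len(records) + 1, 1, 0x28)
    return header + body + eof


def demo():
    """Constructed 'disk image' with a two-event Security log buried in it: locate, carve, read."""
    rec1 = build_record(1, 1130000000, 528, 8, "Security", "XP-BOX",
                        ["Administrator", "XP-BOX", "(0x0,0x3E7)", "2"])
    rec2 = build_record(2, 1130000060, 529, 16, "Security", "XP-BOX",
                        ["guest", "XP-BOX", "(0x0,0x3E8)", "2"])
    image = b"\xaa" * 1000 + build_evt([rec1, rec2]) + b"\x00" * 500
    start = find_evt_headers(image)[0]
    return parse_evt(image[start:start + 512000])   # same cap as the foremost config line


if __name__ == "__main__":
    for e in demo():
        print(e["time_generated"], e["type"], e["source"], e["event_id"], "|".join(e["strings"]))
```

Run it as-is to see the two constructed events printed as one line each; point parse_evt at the bytes of a real carved 00000000.evt to read it without the Perl script. Because the walker breaks on the first record whose declared length runs past the buffer, a carve that was capped too low simply loses the records after the cut rather than raising, which is the failure mode to watch for when the carve size is smaller than the log's maximum size.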