SANS Digital Forensics and Incident Response Blog: Daily Archives: Feb 01, 2011

Extracting Event Logs or Other Memory Mapped Files from Memory Dumps

On Windows XP and Server 2003 the Event Log service runs inside services.exe, so the .evt log files are mapped into that process's address space. Now that memory analysis tools such as Mandiant's Memoryze/Audit Viewer and Volatile Systems' Volatility are available, it is relatively simple to pull those mapped files out of a memory dump for analysis. This can come in quite handy when the data on the hard drive is unavailable for some reason (for instance, when no disk image was taken). One caveat: on Vista and later the Event Log service moved into an svchost.exe instance and the logs use the .evtx format, so the mappings live in that process rather than in services.exe.
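Whatever tool extracts the mapping, the file you get back is a copy of an in-memory view, so parts of it may be paged out, zero-filled or torn mid-record, and it is worth validating before trusting what it says. The script below is an added example (not the post's own Volatility walkthrough and not Volatility code): it parses the XP/2003 .evt layout that services.exe maps (48-byte header with the "LfLe" signature, fixed-length records carrying a copy of their length at both ends, 40-byte EOF record), and when the header is missing it falls back to carving records by signature from a raw blob. The two-record Security log it runs against is constructed in memory, with made-up host name and events, so the whole thing runs offline.

```python
"""Sanity-check and parse an XP/2003-style .evt log recovered from a memory dump.

Example code added to this post, not the author's or Volatility's own.
The sample log is constructed in memory (fictional host/events) so it runs offline.
"""
import struct
from datetime import datetime, timezone

LFLE = b"LfLe"                              # signature in the file header and every record
HEADER_SIZE = 48
HEADER_FMT = "<I4s" + "I" * 10              # ELF_LOGFILE_HEADER, 12 fields
REC_FIXED_SIZE = 56
REC_FMT = "<I4sIIII" + "HHHH" + "IIIIII"    # fixed part of EVENTLOGRECORD, 16 fields
EOF_SIZE = 40


def read_utf16z(data, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the terminator)."""
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", "replace"), end + 2


def parse_record(data, off):
    """Parse one EVENTLOGRECORD at off; raise ValueError if it does not look like one."""
    (length, sig, rec_num, t_gen, _t_written, event_id, ev_type, n_str, category,
     _flags, _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = \
        struct.unpack_from(REC_FMT, data, off)
    if sig != LFLE or length < REC_FIXED_SIZE + 4 or off + length > len(data):
        raise ValueError("no record at 0x%x" % off)
    # Every record ends with a copy of its length; a mismatch means a torn or paged-out page.
    if struct.unpack_from("<I", data, off + length - 4)[0] != length:
        raise ValueError("trailing length mismatch at 0x%x" % off)
    source, pos = read_utf16z(data, off + REC_FIXED_SIZE)   # SourceName, then Computername
    computer, _ = read_utf16z(data, pos)
    strings, pos = [], off + str_off
    for _ in range(n_str):
        s, pos = read_utf16z(data, pos)
        strings.append(s)
    return {
        "record_number": rec_num,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,      # high word holds severity/facility bits
        "event_type": ev_type, "category": category,
        "source": source, "computer": computer, "strings": strings,
    }, off + length


def carve_records(blob):
    """Recover records from a raw region by signature, for dumps with no usable header."""
    found, i = [], blob.find(LFLE)
    while i != -1:
        off = i - 4                         # the signature sits 4 bytes into a record
        if off >= 0:
            try:
                rec, nxt = parse_record(blob, off)
                found.append(rec)
                i = blob.find(LFLE, nxt)
                continue
            except (ValueError, struct.error):
                pass                        # header signature, garbage, or torn record
        i = blob.find(LFLE, i + 1)
    return found


def parse_evt(data):
    """Validate the 48-byte header and walk the records from StartOffset to EndOffset."""
    if len(data) < HEADER_SIZE:
        raise ValueError("not an EVT header")
    h = struct.unpack_from(HEADER_FMT, data, 0)
    if h[0] != HEADER_SIZE or h[1] != LFLE or h[11] != HEADER_SIZE:
        raise ValueError("not an EVT header")
    start, end, current, oldest, max_size = h[4], h[5], h[6], h[7], h[8]
    info = {"oldest": oldest, "current": current, "max_size": max_size}
    if start > end:                         # circular log that has wrapped: carve instead
        return dict(info, records=carve_records(data), wrapped=True)
    records, off = [], start
    while off < end:                        # EndOffset points at the EOF record
        rec, off = parse_record(data, off)
        records.append(rec)
    return dict(info, records=records, wrapped=False)


def build_record(rec_num, t_gen, event_id, ev_type, source, computer, strings):
    """Assemble a synthetic EVENTLOGRECORD (no SID, no binary data) for the sample log."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    strs = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off = REC_FIXED_SIZE + len(names)
    length = str_off + len(strs) + 4
    fixed = struct.pack(REC_FMT, length, LFLE, rec_num, t_gen, t_gen, event_id, ev_type,
                        len(strings), 0, 0, 0, str_off, 0, str_off + len(strs), 0,
                        str_off + len(strs))
    return fixed + names + strs + struct.pack("<I", length)


def build_sample_evt():
    """A constructed two-record log dated 2011-02-01 on a fictional host (not real data)."""
    body = build_record(1, 1296518400, 528, 8, "Security", "WS01",
                        ["Administrator", "WS01", "2"]) + \
           build_record(2, 1296518460, 7036, 4, "Service Control Manager", "WS01",
                        ["Event Log", "running"])
    start, end = HEADER_SIZE, HEADER_SIZE + len(body)
    eof = struct.pack("<9I", EOF_SIZE, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      start, end, 3, 1) + struct.pack("<I", EOF_SIZE)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LFLE, 1, 1, start, end, 3, 1,
                         end + EOF_SIZE, 0, 0, HEADER_SIZE)
    return header + body + eof


if __name__ == "__main__":
    for r in parse_evt(build_sample_evt())["records"]:
        print(r["record_number"], r["time_generated"], r["source"], r["event_id"], r["strings"])
```

Point `parse_evt` at the file you dumped from the services.exe mapping; if it rejects the header, hand the raw bytes to `carve_records` instead, which skips the header signature and anything that fails the trailing-length check. The trailing-length check is the important part for memory-sourced logs: a record whose tail was never paged in will fail it, which is exactly the kind of record you do not want silently merged into a timeline.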

You can do this in either Volatility or in Audit Viewer. I'll cover the Volatility method to start. (If you need to get and install Volatility from scratch, I recommend Jamie