qjerome
commented
1 year ago Hey @CaledoniaProject,
Sorry for this late reply ... The carving mode is used to retrieve EVTX logs entries in unusual places like (memory dumps, disk images ...). In this mode, we search only for things looking like EVTX chunks and trying to parse it, we do not care about all the EVTX file format.
CaledoniaProject
What exactly does ModeCarving do? Can you explain on that?