libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0

possibility of recovering records that were effectively "cleared"? #13

Closed joachimmetz closed 6 years ago

joachimmetz commented 6 years ago

From: https://github.com/libyal/libevtx/issues/2 by @ShaneKent

Hello! Firstly, thank you for all of the hard work that you've put into this library. My team and I have found an immense amount of usefulness in what you've created.

That being said, do you have any information on the possibility of recovering records that were effectively "cleared"? We have an event log file that was cleared via the Windows Event Viewer and we're trying to see if there is a way to recover these deleted records.

Any suggestions or ideas? We're not even sure that it's possible...

joachimmetz commented 6 years ago

Is the record data still in the file?

ShaneKent commented 6 years ago

We're not sure. If it's not still in the file then it makes sense that there is no way to bring it back. But if it still is in the file, would the "get recovered records" functionality recover those?

joachimmetz commented 6 years ago

Recovered records in libevtx are those stored outside the allocated chunk data.

There is some minimal checking to see if the event record is recoverable: https://github.com/libyal/libevtx/blob/5b4152158b0e0ddf7f1df1b80aa0c5cb477da21a/libevtx/libevtx_chunk.c#L899

If the signature does not match the record will be ignored.

If the data is no longer in the file, then there is nothing to recover.
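As an added illustration of the distinction described above (example code written for this page, not libevtx's own implementation), the script below walks one EVTX chunk: everything from the end of the chunk header up to the header's free-space offset is treated as allocated, and the rest of the chunk is scanned byte by byte for the record signature, with only minimal plausibility checks (signature, size within the chunk, trailing size copy matching the header). The chunk-header and record-header layouts are taken from the published EVTX format description; the sample chunk, record identifiers and payload bytes are constructed and stand in for real binary XML. libevtx's actual recoverability checks are in the linked libevtx_chunk.c and may differ in detail.

```python
import struct
from datetime import datetime, timedelta, timezone

CHUNK_SIZE = 0x10000                 # EVTX chunks are 64 KiB
CHUNK_SIGNATURE = b"ElfChnk\x00"
CHUNK_HEADER_SIZE = 128
FREE_SPACE_OFFSET_FIELD = 0x30       # uint32 "free space offset" field in the chunk header
RECORD_SIGNATURE = b"\x2a\x2a\x00\x00"
RECORD_HEADER_SIZE = 24              # signature(4) size(4) record id(8) written FILETIME(8)
RECORD_MIN_SIZE = RECORD_HEADER_SIZE + 4   # header plus trailing size copy, no data


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_record(chunk, offset):
    """Minimal plausibility checks on the bytes at `offset`; None if they are not a record."""
    if chunk[offset:offset + 4] != RECORD_SIGNATURE:
        return None
    if offset + RECORD_HEADER_SIZE > len(chunk):
        return None
    size, record_id, filetime = struct.unpack_from("<IQQ", chunk, offset + 4)
    if size < RECORD_MIN_SIZE or offset + size > len(chunk):
        return None
    (size_copy,) = struct.unpack_from("<I", chunk, offset + size - 4)
    if size_copy != size:            # trailing size copy must agree with the header
        return None
    return {
        "offset": offset,
        "size": size,
        "record_id": record_id,
        "written": filetime_to_datetime(filetime),
        "data": bytes(chunk[offset + RECORD_HEADER_SIZE:offset + size - 4]),
    }


def chunk_records(chunk):
    """Return (allocated, recovered) records of one chunk.

    Allocated records are walked from the end of the chunk header up to the
    free-space offset. Everything past that offset is unallocated: it is
    scanned byte by byte for the record signature, and each hit that passes
    parse_record() is reported as a recovered record.
    """
    if chunk[:8] != CHUNK_SIGNATURE or len(chunk) != CHUNK_SIZE:
        raise ValueError("not an EVTX chunk")
    (free_space_offset,) = struct.unpack_from("<I", chunk, FREE_SPACE_OFFSET_FIELD)
    if not CHUNK_HEADER_SIZE <= free_space_offset <= CHUNK_SIZE:
        raise ValueError("free space offset out of range")

    allocated = []
    offset = CHUNK_HEADER_SIZE
    while offset < free_space_offset:
        record = parse_record(chunk, offset)
        if record is None:
            break
        allocated.append(record)
        offset += record["size"]

    recovered = []
    offset = free_space_offset
    while offset + RECORD_MIN_SIZE <= CHUNK_SIZE:
        record = parse_record(chunk, offset)
        if record is None:
            offset += 1
            continue
        recovered.append(record)
        offset += record["size"]
    return allocated, recovered


def build_record(record_id, filetime, data):
    """Serialize a record; `data` is a constructed stand-in for the binary XML payload."""
    size = RECORD_HEADER_SIZE + len(data) + 4
    return RECORD_SIGNATURE + struct.pack("<IQQ", size, record_id, filetime) + data + struct.pack("<I", size)


def build_sample_chunk():
    """Constructed chunk: one live record, then stale records left behind in the free space."""
    ts = 132000000000000000          # FILETIME for 2019-04-17 18:40:00 UTC
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_SIGNATURE
    live = build_record(101, ts, b"<live event/>")
    chunk[CHUNK_HEADER_SIZE:CHUNK_HEADER_SIZE + len(live)] = live
    free_space_offset = CHUNK_HEADER_SIZE + len(live)
    struct.pack_into("<I", chunk, FREE_SPACE_OFFSET_FIELD, free_space_offset)

    # Past the free-space offset: two intact old records, a record whose trailing
    # size copy was overwritten (must be rejected), and zero filler in between.
    offset = free_space_offset + 40
    for record_id, data in ((7, b"<old event 7/>"), (8, b"<old event 8/>")):
        rec = build_record(record_id, ts, data)
        chunk[offset:offset + len(rec)] = rec
        offset += len(rec) + 16
    damaged = bytearray(build_record(9, ts, b"<damaged/>"))
    damaged[-4:] = b"\xff\xff\xff\xff"
    chunk[offset:offset + len(damaged)] = damaged
    return bytes(chunk)


if __name__ == "__main__":
    allocated, recovered = chunk_records(build_sample_chunk())
    for label, records in (("allocated", allocated), ("recovered", recovered)):
        for r in records:
            print(f"{label}: record {r['record_id']} at 0x{r['offset']:04x} "
                  f"written {r['written']:%Y-%m-%d %H:%M:%S} data={r['data']!r}")
```

Run against the constructed chunk, the walk reports record 101 as allocated and records 7 and 8 as recovered; record 9 is skipped because its size copy no longer matches, which is the kind of signature or size mismatch that makes a stale record unrecoverable. On a real file that was cleared, whether anything is found in the free space depends entirely on whether the old bytes are still there.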

ShaneKent commented 6 years ago

Thanks for helping me to understand this. You've definitely cleared this all up.

joachimmetz commented 6 years ago

Good to know, closing this issue then