Closed pbrunet closed 8 years ago
Also, I wonder what is the difference between record and recovered_record.
There is not much to it: a "recovered record" is a record that was recovered from the data and not a record that could be accessed via the "regular" structure. Recovery is used to handle corrupted files or remnants of earlier times.
calling libevtx_file_get_recovered_record may fail.
This is the intended behaviour. The recovery process looks for basic record structures but does not validate the binary XML (too costly). The call to this function will try to read the binary data and can fail.
OK, thanks for this information, I will just handle this failure as a possible normal behavior.
And thanks for your work on this lib!!
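Added illustration, not part of the original thread and not libevtx's own recovery code: a two-stage scan over a constructed buffer, showing why the number of recovered records can exceed the number that can actually be read. The function names are hypothetical, the record layout is the EVTX event record header, and stage 2 is a simplified stand-in for binary XML parsing that only checks the fragment header token.

```c
#include <stdint.h>
#include <string.h>

/* EVTX event record, little-endian: "**\0\0" signature, uint32 size, uint64 record
 * identifier, uint64 FILETIME, binary XML, then a uint32 copy of the size. */
#define REC_HEADER 24u

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Stage 1, cheap: structural check only (signature, size bounds, trailing size copy). */
static int looks_like_record(const uint8_t *buf, size_t len, size_t off) {
    if (len - off < REC_HEADER + 4 || memcmp(buf + off, "**\0\0", 4) != 0) return 0;
    uint32_t size = le32(buf + off + 4);
    if (size < REC_HEADER + 4 || size > len - off) return 0;
    return le32(buf + off + size - 4) == size;
}

/* Stage 2, stand-in for the costly binary XML parse (assumption of this example):
 * accepts only a payload that starts with the fragment header 0x0f 0x01 0x01 0x00. */
static int payload_readable(const uint8_t *rec) {
    static const uint8_t frag[4] = { 0x0f, 0x01, 0x01, 0x00 };
    return le32(rec + 4) >= REC_HEADER + 8 && memcmp(rec + REC_HEADER, frag, 4) == 0;
}

/* Returns the number of stage-1 candidates; *readable counts those passing stage 2. */
static size_t scan(const uint8_t *buf, size_t len, size_t *readable) {
    size_t found = 0, off = 0;
    for (*readable = 0; off + 4 <= len; ) {
        if (!looks_like_record(buf, len, off)) { off++; continue; }
        found++;
        *readable += (size_t)payload_readable(buf + off);
        off += le32(buf + off + 4);   /* skip past the candidate */
    }
    return found;
}

/* Constructed sample: 8 slack bytes, then two 32-byte records; the second one
 * carries stale bytes where the binary XML should start. */
size_t demo(size_t *readable) {
    static const uint8_t payload[2][4] = { {0x0f,0x01,0x01,0x00}, {0xde,0xad,0xbe,0xef} };
    uint8_t buf[96] = {0};
    for (size_t i = 0; i < 2; i++) {
        uint8_t *r = buf + 8 + 32 * i;
        memcpy(r, "**\0\0", 4);
        r[4] = r[28] = 32;                 /* size and its trailing copy */
        r[8] = (uint8_t)(i + 1);           /* record identifier */
        memcpy(r + REC_HEADER, payload[i], 4);
    }
    return scan(buf, sizeof buf, readable);
}
```

Both records are counted as recovered, but only the first is readable, so a caller iterating recovered records should log and skip a failed read rather than abort.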
Hello! Firstly, thank you for all of the hard work that you've put into this library. My team and I have found an immense amount of usefulness in what you've created.
That being said, do you have any information on the possibility of recovering records that were effectively "cleared"? We have an event log file that was cleared via the Windows EventViewer and we're trying to see if there is a way to recover these deleted records.
Any suggestions or ideas? We're not even sure that it's possible...
Please do not hijack closed issues. I've moved this to: https://github.com/libyal/libevtx/issues/13
Hi,
As I try to use libevtx to extract some log information, I successfully get the number of recovered_record but calling libevtx_file_get_recovered_record may fail. For now, I have three files and only one gives correct information on this call; the others return the error: libevtx_file_get_recovered_record: unable to retrieve record values: 7.
Can you help me with this and tell me what may be the issue? Also, I wonder what is the difference between record and recovered_record.
Best regards, Pierrick