EVTX Flat Storage Optimization

When experimenting with several machines, Sysmon and WECs (Windows Event Collectors), the volume of logs grows quickly. Knowing the EVTX file format quite well, we realized that it has no built-in compression. In order to optimize the storage of the collected events, we decided to run the basic compression tests described here.

Carving EVTX

Windows uses a specific file format to store the logs generated by the various programs running on the system. These logs can usually be found under C:\Windows\System32\winevt\Logs. Depending on your OS settings, they contain a lot of useful information that you may want to recover under some circumstances.