Event Rover:
Effortless Event Log Sorting and Viewing
Event Rover ® changes the way network administrators view event logs, whether the logs are reviewed routinely or in an emergency investigation.
Using the same old event viewer introduces many problems for log forensics work: endless scrolling, line-by-line scanning, cheat sheets to help translate the data, and the list goes on.
Simplifies Mining of Log Data Using Tree-Views
At the heart of Event Rover's approach to log file review is its tree-view structure. With Event Rover, accuracy is improved and the opportunities for error are minimized. Event Rover also takes the guesswork out of spot checking log files for security events: all common security event identifiers are paired with friendly descriptions throughout the application.
Exports Log Data
Basic ad-hoc reporting and data exporting are available in Event Rover right out of the box, with no additional configuration needed. HTML reports can rapidly be generated from any branch of the currently viewed tree - what you see on screen is reproduced faithfully in the report. Related groups of events can be exported to comma-delimited text for further review/import into spreadsheets, databases, or Dorian Software's Event Analyst ® program. Admins and forensic examiners can add comments to any reports they create, in order to further explain what the data represents.
Ensures Log File Integrity During Review
Event Rover provides the additional assurance that routine review or spot audits will not affect the integrity of log file stores: all review is done on a backup copy of the log file, copied to the local computer. Event Rover never clears the active, in-use log file. If a backup of an event log yields important findings, administrators can easily add it to Event Rover's library of saved logs for further review or forensic submission.
Provides Cutting Edge EVTX Log Handling Capabilities
With version 2.5 and later, Event Rover features Dorian's exclusive LogRefiner ™ and LogHealer ™ Technologies. This means Event Rover can now work with EVTX log files when installed on a Windows Vista ® or later operating system. And, through Dorian's LogHealer Technology, the software can even alert the administrator to a potentially corrupt EVTX file at load, allowing repairs to a copy of the file while leaving the master unchanged. The repaired copy is then loaded into Event Rover for review and analysis.
Used alone or as a companion to Dorian's Total Event Log Management Suite ™ components - Event Alarm ®, Event Archiver ®, and Event Analyst ® - Event Rover provides a most efficient way of accomplishing what should be a simple, routine administrative task: the mining of event log data for items of interest.
Event Rover's Core Features
- Reviews data from active event log (.EVT) files
- Reviews data from previously saved event log (.EVT) files
- Reviews data from Event Archiver zip-compressed event log (.EVT) files
- Sorts event log data effortlessly into user-customizable trees of field groupings
- Dynamically regroups event log data on the fly into different trees of field groupings
- Summary information (log size, number of events, number of events of a specific type, user accounts found) is presented to the administrator upon log opening
- Easily opens zipped event log (.EVT) files - whether zipped by Event Archiver or most mainstream zip utilities
- Exports related data to comma-delimited text
- Exports grouped log data to an HTML report, with the ability to add comments explaining the data contained within the report
- Filters log data at load using an absolute or relative date range
- Filters log data by other event log fields
- Saves frequently-used filters to a local database
- Lets the administrator create friendly descriptions for common event identifier numbers
- Applies NTFS compression to Event Rover's local event log database to save disk space
- Locally caches saved event log information to speed future review and allow for offsite review of saved event logs
- Quick access for researching event identifiers at eventlogs.com - Dorian Software's event logs resource site - as well as other valuable online resources
Now in Event Rover Version 2.5 And Later . . .
LogRefiner Technology and EVTX Compatibility
- EVTX Log Format Support for Windows Vista, Windows Server 2008, and Beyond with LogRefiner Technology
Dorian's exclusive LogRefiner ™ Technology enables Event Rover to now work with EVTX log files when installed on a Microsoft Windows Vista ® or later operating system. Copies are made of live EVTX log files from Windows Vista and Windows Server ® 2008 systems, which are then transferred locally to the machine running Event Rover for fastest processing. Previously saved EVTX log files from a local or foreign network can also be read and processed.
- Downlevel EVT File Processing in Windows Vista and Windows Server 2008
Dorian's exclusive LogRefiner technology can read, filter, and report on EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems. This stands in contrast to the native event viewer that requires a format conversion before being able to seek through a downlevel EVT file.
With Event Rover's exclusive new technology, no information goes missing when reading and displaying EVT log data – all event log fields are processed properly the first time.
- Field Consistency Across Logs
In the Windows Vista and Windows Server 2008 Security Log, the User field of a logged event carries no information about the user who performed the action (or was affected by it); Event Viewer displays it as N/A. Instead, all user information is placed in the Description of the event.
Event Rover, however, can place the most relevant user information back into the User field as it reads and processes EVTX files. By keeping log data and its formatting consistent between EVT and EVTX logs, this feature greatly aids the administrator or compliance officer in charge of periodically reviewing logs for critical forensic information.
- Success Audits Versus Failure Audits Defined
Another major change in the Windows Vista security log is that every event is recorded with a Level of "Informational." To discern whether the event represents a failed or a successful action, the administrator must refer to the Keywords of the event (Audit Success or Audit Failure).
Event Rover, when working with security EVTX files, records whether each event was a Success Audit or a Failure Audit, so log data generated from EVT and EVTX files can be reviewed the same way.
Incident Discovery
Often, it is useful to determine whether a log file contains a pattern of events. For example, multiple logon failures within a very short period might constitute a brute-force password attack, and a flood of error messages from the same source within a few minutes could indicate a hardware or software problem.
Event Rover now allows the administrator to define and save "incidents" describing such event patterns. Once a log is loaded into memory, an Event Rover user can scan the log for every occurrence matching an incident's criteria and review the individual events that make up each occurrence. From there, one additional button press exports those events to a CSV file or builds an HTML report of the findings.
Quick Filtering At Load
Event Rover 2.5 supports quick filtering of logs at load by Event ID. Administrators can define and save quick filters that either include or exclude a list of Event IDs, simply by checking them off a predefined list complete with friendly descriptions. Quick filtering at load is fastest with the new EVTX format, but quick filters also work with legacy EVT files and greatly reduce load time.
Administrators can work with auditors to build the list of events that must be reviewed, then save that list as a quick filter. Loading only the events you need reduces both time and effort.
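The three operations described above (deriving Success/Failure Audit from the Keywords of an EVTX security event, applying an include/exclude quick filter on Event IDs, and scanning for an incident such as a burst of logon failures) are shown here as an added Python example. It is not Event Rover's code: the CSV column names, the one-line descriptions and the records themselves are constructed for the example, and the only real values are the standard Audit Success and Audit Failure keyword bits.

```python
"""Classify, filter and scan exported Windows Security log events.

Added example, not Event Rover code. SAMPLE_CSV below is constructed
test data whose column layout is an assumption about a CSV export.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Standard Security-log keyword values. On Vista and later the Level of
# an audit event is always Information; the outcome is carried here.
KEYWORD_AUDIT_FAILURE = 0x8010000000000000
KEYWORD_AUDIT_SUCCESS = 0x8020000000000000

# Constructed sample export (not real log data). The one-line Descriptions
# are simplified stand-ins for the real 4624/4625/4672 text.
SAMPLE_CSV = """Time,EventID,Keywords,Description
2009-03-02 08:00:01,4624,0x8020000000000000,Logon succeeded. Account Name: alice
2009-03-02 08:00:10,4625,0x8010000000000000,Logon failed. Account Name: bob
2009-03-02 08:00:12,4625,0x8010000000000000,Logon failed. Account Name: bob
2009-03-02 08:00:15,4625,0x8010000000000000,Logon failed. Account Name: bob
2009-03-02 08:00:17,4625,0x8010000000000000,Logon failed. Account Name: bob
2009-03-02 08:00:19,4625,0x8010000000000000,Logon failed. Account Name: bob
2009-03-02 08:05:00,4625,0x8010000000000000,Logon failed. Account Name: carol
2009-03-02 08:30:00,4672,0x8020000000000000,Special privileges assigned. Account Name: alice
2009-03-02 09:00:00,4625,0x8010000000000000,Logon failed. Account Name: carol
"""

# In a real 4625 Description the Subject section precedes the account that
# failed to log on, so the last "Account Name:" match is the target user.
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")


def audit_type(keywords):
    """Derive the EVT-style type name from the EVTX Keywords bitmask."""
    if (keywords & KEYWORD_AUDIT_FAILURE) == KEYWORD_AUDIT_FAILURE:
        return "Failure Audit"
    if (keywords & KEYWORD_AUDIT_SUCCESS) == KEYWORD_AUDIT_SUCCESS:
        return "Success Audit"
    return "Information"


def parse_records(text):
    """Parse the CSV export, filling in the audit type and the user that
    the Vista+ Security log leaves in the Description only."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        keywords = int(row["Keywords"], 16)
        names = ACCOUNT_RE.findall(row["Description"])
        records.append({
            "time": datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventID"]),
            "type": audit_type(keywords),
            "user": names[-1] if names else "N/A",
            "description": row["Description"],
        })
    return records


def quick_filter(records, include=None, exclude=()):
    """Keep events whose ID is on the include list (None means all) and
    not on the exclude list, the way a quick filter at load would."""
    return [r for r in records
            if (include is None or r["event_id"] in include)
            and r["event_id"] not in exclude]


def find_incidents(records, event_id, threshold, window_seconds):
    """Report runs of at least `threshold` events with `event_id` against
    the same user that all fall within `window_seconds` of the run's first
    event. Returns (user, events) pairs; a run is reported once."""
    by_user = defaultdict(list)
    for r in records:
        if r["event_id"] == event_id:
            by_user[r["user"]].append(r)
    incidents = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda r: r["time"])
        i = 0
        while i < len(events):
            j = i
            while (j + 1 < len(events) and
                   (events[j + 1]["time"] - events[i]["time"]).total_seconds()
                   <= window_seconds):
                j += 1
            if j - i + 1 >= threshold:
                incidents.append((user, events[i:j + 1]))
                i = j + 1
            else:
                i += 1
    return incidents


def export_csv(events):
    """Export a group of events to comma-delimited text for a report."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Time", "EventID", "Type", "User", "Description"])
    for r in events:
        writer.writerow([r["time"].isoformat(sep=" "), r["event_id"],
                         r["type"], r["user"], r["description"]])
    return out.getvalue()


if __name__ == "__main__":
    logons = quick_filter(parse_records(SAMPLE_CSV), include={4624, 4625})
    for user, events in find_incidents(logons, 4625, threshold=5, window_seconds=60):
        print(f"possible brute force against {user}: {len(events)} failures")
        print(export_csv(events))
```

Running the block reports one incident, the five failures against bob inside ten seconds, and prints them as CSV; carol's two failures are 55 minutes apart and are not reported. The threshold and window are the parameters an administrator would tune when defining an incident.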
LogHealer Technology and Surrogate Message File Loading Aid Forensic Analysis
In some situations, EVTX log files can become corrupt and unreadable in the native event viewer. A common example is an EVTX file recovered from a machine that was shut down uncleanly, as happens in "pull the plug" investigations. Even when the traditional event viewer can read such a file, it may change data structures in the recovered file at load without prompting for confirmation, altering the original evidentiary log file. For that reason, work only from a forensic copy whose hash has been recorded, never from the original.
Dorian Software's exclusive LogHealer ™ Technology alerts the administrator to a potentially corrupt EVTX file at load, and allows them to make repairs to a copy of the file, leaving the master unchanged. The repaired copy is then loaded into Event Rover for review and analysis.
Another new feature helpful to forensic examiners is the ability to specify an alternate computer for message file and metadata lookups. Both EVT and EVTX records store only the event's parameters plus a reference to a message file (for EVT, the EventMessageFile registered for the event source on the logging machine) that must be resolved and loaded to present completely parsed information. For a log file that came from a foreign network, the original computer is inaccessible for these lookups, so a forensic examiner can instead point Event Rover at a computer on the local network that matches the OS version (and, ideally, the installed applications and service pack) of the machine the recovered log came from. Doing so allows message file lookups to function properly; a mismatched system yields missing or misleading event descriptions.