Recovering deleted records of Windows Event Logs

by Igor Mikhaylov, 2017-12-09

Earlier we talked about Windows event log files. In this article we will talk about detecting and recovering the tracks hidden by NSA tooling.
Part of the NSA cyber weapon framework DanderSpritz is eventlogedit, a component that is able to delete individual records from Windows event log files. Unfortunately, any criminal wishing to remove his traces from a compromised computer can use it as well.

Typically, the contents of Windows event log files are useful to system administrators troubleshooting system performance issues, but a single event record can also alert the security team. Fox-IT reviewed the software and found a unique way to determine whether it was used and to restore the deleted event log entries.
A team of researchers published a collection of software that was allegedly part of the NSA's cyber weapons arsenal. It can be used to covertly perform various actions on hacked computers.

