Title of invention: SYSTEM AND METHOD FOR RECOVERY OF DELETED EVENT LOG FILES
Abstract: The present invention relates to a system and a method for recovering deleted event log files when an EVTX (Windows XML Event Log) file has been deleted, EVTX being the event log format used by Microsoft operating systems since Windows Vista. The system for recovering deleted event log files includes: a file search unit that searches storage for an EVTX file header; a chunk search unit that searches the storage for chunk headers related to that EVTX file header; a verifying unit that verifies the completeness of the EVTX file by checking that the CRC32 in the EVTX file header matches and that the number of chunks found by the chunk search unit matches the Num of Chunk value in the EVTX file header; and a file recovery unit that extracts the EVTX file header and all related chunks verified as complete by the verifying unit and recovers them as a file.
Publication number: KR101623508(B1)  Publication date: 2016.05.23
Application number: KR20150027411  Filing date: 2015.02.26
Applicant: KOOKMIN UNIVERSITY INDUSTRY ACADEMY COOPERATION FOUNDATION  Inventors: KIM, JONG SUNG; PARK, MYUNG SEO; SHIN, YOUNG HAK; CHEON, JUN YOUNG
Classification: G06F11/14  Main classification: G06F11/14
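The search, verify and recover steps named in the abstract, sketched as an added example that is not taken from the patent. It assumes the publicly documented EVTX layout (4096-byte header block, chunk count at offset 42, CRC32 of the first 120 header bytes stored at offset 124, 64 KiB chunks) and that the chunks directly follow the header without fragmentation; all function names and the sample image are constructed for illustration.

```python
import struct
import zlib

FILE_MAGIC, CHUNK_MAGIC = b"ElfFile\x00", b"ElfChnk\x00"
HEADER_BLOCK, CHUNK_SIZE = 4096, 65536   # assumed from public EVTX format notes

def build_sample_evtx(num_chunks):
    """Constructed input: a minimal header followed by empty chunk bodies."""
    hdr = bytearray(HEADER_BLOCK)
    hdr[0:8] = FILE_MAGIC
    # offset 32: header size, minor/major version, header block size, chunk count
    struct.pack_into("<IHHHH", hdr, 32, 128, 1, 3, HEADER_BLOCK, num_chunks)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    chunk = CHUNK_MAGIC + bytes(CHUNK_SIZE - len(CHUNK_MAGIC))
    return bytes(hdr) + chunk * num_chunks

def sample_image():
    """Constructed 'storage': one intact file, one bad CRC, one missing a chunk."""
    bad_crc = bytearray(build_sample_evtx(1))
    bad_crc[16] ^= 0xFF                   # alter a byte covered by the CRC32
    truncated = build_sample_evtx(3)[:HEADER_BLOCK + 2 * CHUNK_SIZE]
    return (bytes(512) + build_sample_evtx(2) + b"\xAA" * 512
            + bytes(bad_crc) + truncated)

def carve_evtx(image):
    """Return (offset, file_bytes) for each header that passes both checks."""
    recovered = []
    pos = image.find(FILE_MAGIC)          # file search: locate a file header
    while pos != -1:
        hdr = image[pos:pos + HEADER_BLOCK]
        if len(hdr) == HEADER_BLOCK:
            (declared,) = struct.unpack_from("<H", hdr, 42)
            (stored_crc,) = struct.unpack_from("<I", hdr, 124)
            crc_ok = zlib.crc32(hdr[:120]) == stored_crc
            # chunk search: count whole chunks that follow the header block
            found, off = 0, pos + HEADER_BLOCK
            while (image[off:off + 8] == CHUNK_MAGIC
                   and off + CHUNK_SIZE <= len(image)):
                found, off = found + 1, off + CHUNK_SIZE
            # verification: header CRC32 and chunk count must both agree
            if crc_ok and found == declared:
                recovered.append((pos, image[pos:off]))
        pos = image.find(FILE_MAGIC, pos + 1)
    return recovered

if __name__ == "__main__":
    for offset, data in carve_evtx(sample_image()):
        print(f"recovered EVTX at offset {offset}: {len(data)} bytes")
```

The two rejected candidates show why both checks are needed: a header whose CRC32 no longer matches, and a header that declares more chunks than are actually present after it.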