Security Software features log management for network forensics.

Press Release Summary:

Event Rover v2.5 incorporates LogRefiner Technology that can read, filter, and report on EVT files from downlevel systems alongside EVTX files from Windows Vista and other OSs. Copies are made of live EVTX log files, which are transferred to host machine, and target events can be labeled as success or failure audits. LogHealer(TM) Technology alerts user of corrupt files. Administrators can define/save incidents and search for patterns, finding event occurrences that match criteria for review.

Original Press Release:

Dorian Software Launches Event Rover 2.5 with Groundbreaking LogHealer Technology

New Wave of Technology Assists in EVTX Log File Management and Forensics

ATLANTA, July 23 / / - The EVTX log format - already more than two years old now - is still offering surprises for many in their log management and forensics efforts. Meanwhile, the needs of IT organizations looking to manage massive amounts of log data and juggle compliance strategies are only getting more complex.

IT security professionals are finding a number of problems with the EVTX format, not least of which is how existing log management strategies reconcile the introduction of an entirely new format with log collection, mining, and reporting processes.

Since 2007, Dorian Software Creations, Inc. has been addressing the EVTX issue with its exclusive LogRefiner(TM) Technology. This week, Dorian announced a new release of its log mining and incident discovery tool, Event Rover ( The release marks the completion of LogRefiner Technology rollout across the four titles that comprise its Total Event Log Management Suite(TM).

"With this new release, Dorian confirms its position as a pioneer both in traditional log management and in unraveling the complications of the EVTX log format," said Robert A. Milford, Chief Software Architect for Dorian Software Creations, Inc. "As we look around at other players in the log management market, we don't see any that are as proactive in addressing the EVTX log format.

"We at Dorian realize that log management vendors cannot afford to ignore this important shift both in the technology and the market," Milford continues. "That's why each new Dorian release provides new technology that our customers can put to work immediately."

As has become customary since 2007, this latest log software release from Dorian includes features that are aimed at both the EVTX and legacy EVT format:

LogRefiner Technology and EVTX Compatibility

Dorian's exclusive LogRefiner Technology enables Event Rover to now work with EVTX log files when installed on a Microsoft Windows Vista or later operating system. Copies are made of live EVTX log files from Windows Vista and Windows Server 2008 systems, which are then transferred locally to the machine running Event Rover for fastest processing. Previously saved EVTX log files from a local or foreign network can also be read and processed.

Downlevel EVT File Processing in Windows Vista and Windows Server 2008 - Dorian's exclusive LogRefiner Technology can read, filter, and report on EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems. This stands in contrast to the native event viewer that requires a format conversion before being able to seek through a downlevel EVT file.

With Event Rover's exclusive new technology, no information goes missing when reading and displaying EVT log data - all event log fields are processed properly the first time.

Field Consistency Across Logs - In the Windows Vista and Windows Server 2008 Security Log, no information about the user performing the action (or affected by the action) is recorded in the User field when an event is logged. Instead, all user information is placed in the Description of the event.

Event Rover, however, has the ability to place the most relevant user information back into the User field as it reads and processes EVTX files. By helping maintain the consistency of log data and its formatting, this feature greatly aids the administrator or compliance officer in charge of periodically reviewing logs for critical forensic information.

Success Audits Versus Failure Audits Defined - Another major change in the Windows Vista Security Log is that all events are recorded as "Informational." To discern whether or not the event represents a failed or successful action, the administrator must refer to the Keyword of the event.

But, Event Rover - when working with security EVTX Files - has the ability to properly record whether or not the event was a Success Audit or Failure Audit, greatly aiding the reviewer of log data generated from both EVT and EVTX log files.

LogHealer Technology and Surrogate Message File Loading Aid Forensic Analysis

One nasty surprise for many is the way in which the traditional event viewer tool handles corrupt EVTX log files.

In some situations, EVTX log files can experience corruption which may make them unreadable using the native event viewer. A common example is when an EVTX log file is recovered from a machine that was shutdown "dirty," as can happen during "pull the plug" investigations. Even if the event viewer can read the log file, it may automatically change data structures in the recovered file at load without prompting for confirmation, leading to an unintended change in the original evidentiary log file.

Dorian Software's exclusive LogHealer(TM) Technology alerts the administrator to a potentially corrupt EVTX file at load, and allows them to make repairs to a copy of the file, leaving the master unchanged. The repaired copy is then loaded into Event Rover for review and analysis.

Another new feature that is helpful to forensic examiners is the ability to specify an alternate computer for message file and metadata lookups. Both EVT and EVTX log file formats contain references to message file data that must be resolved and loaded in order to present completely parsed information. In the case of a log file that came from a foreign network, the original computer will be inaccessible for these lookups. So as an alternative, a forensic examiner can specify a different computer on the local network that matches the OS version of the machine where the recovered log file came from. Doing so will allow message file lookups to function properly.

Incident Discovery

Often, it is useful to determine if a log file contains a pattern of events. For example, multiple logon failures in a very short period of time might constitute a brute force password attack. Or, a flood of error messages from the same source within a few minutes could indicate a potential hardware or software problem.

Event Rover now allows the administrator to define and save "incidents" and look for these event patterns. Once a log is loaded into memory, an Event Rover user can elect to scan the log for any incident occurrences that match these criteria, and then review the individual events that make up each occurrence. From there, an administrator only needs to press one additional button to export those events to a CSV file or to build an HTML report of the findings.

Quick Filtering At Load

Event Rover 2.5 supports the quick filtering of logs at load by Event ID ranges. Administrators can define and save quick filters that target inclusive - and exclusive - lists of Event IDs - all by simply checking them off a predefined list complete with friendly descriptions. While quick filtering at load is fastest with the new EVTX format, quick filters also work with legacy EVT files to greatly speed load time.

Now administrators can work with auditors to build lists of events that must be reviewed, and then save those lists as a quick filter. Time and effort is greatly reduced by only loading necessary event entries.

For more information on Dorian's LogHealer Technology and the recovery of corrupt EVTX log files, a free white paper is available for download at

Dorian Software Creations, Inc. also provides white papers at no charge to aid with compliance-driven implementations of its log management software, as well as the challenge of the new EVTX logging format. For more information, visit and respectively.

For more information on Dorian Software and its patented Total Event Log Management Solution, visit Dorian Software can also be contacted by phone at 1-866-682-3646 in North America.

Copyright 2001-2009 Dorian Software Creations, Inc. Active Directory, Microsoft, Microsoft Windows, Windows Server, and Windows Vista are trademarks or registered trademarks of the Microsoft Corporation. All other trademarks are the trademarks of their respective companies.

Source: Dorian Software Creations, Inc.

CONTACT: Matthew White of Dorian Software Creations, Inc.,

Web Site:

More from Test & Measurement

All Topics