-----Original Message-----
> Also - regarding Windows logs -
> Should they be archived in native .evt format?
> What does law enforcement consider acceptable evidence?
> I know that if data is modified in certain ways it becomes disallowed in a court of law.

If you archive Windows events in evt format, you preserve UTC timestamps and the ability to use Event Viewer and the eventlog APIs to query the log. However, some SIDs in the log may not be able to be looked up and translated to account names, for accounts that have been deleted between log archival and log view. Event messages can be viewed in any locale.

If you archive Windows events as txt, you must note the time zone of the machine. SID translation is done before conversion to txt, so SID-name translation is not an issue, except for renamed accounts. Event messages will be stored in the locale where text conversion occurred.

I can't speak to the legal implications of either.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
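The two archival paths described in the reply above, as an added example that is not code from the post or the list: evt-style records keep the raw SID and a UTC time, so a SID-to-name snapshot taken at archival time is needed to name accounts deleted later; txt-style records carry a local time and an already-translated name, so the noted time zone is needed to recover UTC. The SIDs, records and the fixed PDT offset are constructed for the demonstration.

```python
from datetime import datetime, timezone, timedelta, tzinfo

UNRESOLVED = "<unresolved SID: account deleted after archival?>"

# Constructed SID->name map, captured on the source host at archival time so
# that later readers of an .evt archive do not depend on the live directory.
SID_SNAPSHOT = {
    "S-1-5-21-1111-2222-3333-1001": "CORP\\alice",
    "S-1-5-21-1111-2222-3333-1002": "CORP\\svc-backup",
}

# Constructed records in the shape of an .evt archive: raw SID, UTC time.
EVT_RECORDS = [
    {"event_id": 528, "time_utc": "2003-09-11T01:09:23Z", "sid": "S-1-5-21-1111-2222-3333-1001"},
    {"event_id": 528, "time_utc": "2003-09-11T01:12:40Z", "sid": "S-1-5-21-1111-2222-3333-1003"},
]

# Constructed records in the shape of a txt export: local time, name already
# translated on the source host, no SID retained.
TXT_RECORDS = [
    {"event_id": 528, "time_local": "2003-09-10 18:09:23", "user": "CORP\\alice"},
]

# The zone noted when the txt export was taken (PDT, UTC-7, in September 2003).
# For a log spanning a DST change, record the IANA zone name instead of a fixed offset.
SOURCE_TZ = timezone(timedelta(hours=-7), "PDT")


def resolve_sid(sid: str, snapshot: dict) -> str:
    """Translate a SID with the archival-time snapshot; a SID missing from the
    snapshot could not be resolved even then and must be flagged, not guessed."""
    return snapshot.get(sid, UNRESOLVED)


def txt_local_to_utc(time_local: str, source_tz: tzinfo) -> str:
    """Attach the noted source zone to a naive txt timestamp and convert to UTC."""
    naive = datetime.strptime(time_local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_evt(records, snapshot=SID_SNAPSHOT):
    """Normalize .evt-style records: keep UTC, add the snapshot name next to the SID."""
    return [dict(r, user=resolve_sid(r["sid"], snapshot)) for r in records]


def normalize_txt(records, source_tz=SOURCE_TZ):
    """Normalize txt-style records: recover UTC from the noted zone and keep the
    translated name (the SID is gone, so a later rename cannot be detected)."""
    return [dict(r, time_utc=txt_local_to_utc(r["time_local"], source_tz)) for r in records]


if __name__ == "__main__":
    for rec in normalize_evt(EVT_RECORDS) + normalize_txt(TXT_RECORDS):
        print(rec)
```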
This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 18:09:23 PDT