LfLe

You can recover event log entries from an image by heuristically searching for record structures. Dependencies: argparse (http://pypi.python.org/pypi/argparse, available via easy_install or pip). Usage: This tool allows you to extract event log messages from an image file by identifying elements that seem to be records.

Next, input the generated file into an event log viewer, such as Event Log Explorer (http://www.eventlogxp.com/, and remember to use 'direct' mode when opening). Sample Output: evt/LfLe - [master●] » python lfle.py '/media/truecrypt2/VM/Windows XP Professional - Service Pack 3 - TEMPLATE/Windows XP Professional - Service Pack 3-cl1.vmdk' recovered.evt 100% complete. % done. Wrote 5413 records. Skipped 48 records that had a length greater than 0x10000. Skipped 12.