Event logging in Windows Vista is quite different both in the way events are stored on disk and in the way applications use them. Vista uses a new encoding of event records that allows far more flexible searching of events. This encoding has a direct impact on the forensic examination of event logs, which will be discussed in this presentation. The impact of the new application programming interface (API) is no less important. A primary role of the event log is support for debugging and tech support resolution. Such debugging information, in turn, provides significant value to forensic analysis wherever it records chronological traces of user activity. The new API offers far more dependable and detailed capabilities for monitoring. To the degree that this API motivates more pervasive debugging information, Vista event logs may provide greater capability to reconstruct timelines of user activity. During the presentation, sample Vista logs will be examined from a forensics perspective. Finally, the impact of these issues on relevant forensic tools will be explored.