Windows EventViewer Analysis | DFIR

In this article, we will show you some approaches to analyze some activity on Windows events.
​
Last Activity View
​https://www.nirsoft.net/utils/computer_activity_view.html​
​
Other tools from NirSoft can be observed and downloaded here.
Evtx analysis
1.Create a new filter with the type of event ID or events between a specific date.
  2. After create it, click on context menu and "Save As ...".
3.Use a specific tool to analyze the logs.
Examples
DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI​
DeepBlueCLI – PowerShell Module for Threat Hunting - Security Investigation
Security Investigation - Be the first to investigate
WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA​
​APT-Hunter​
​
Outlook files analysis
​Stellar OST Viewer​

Resources

Prevent Windows shutdown after license expire

Last modified 1mo ago

Windows EventViewer Analysis | DFIR

Last Activity View

Evtx analysis

Examples

DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI​

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA​

​APT-Hunter​

Outlook files analysis

​Stellar OST Viewer​

`Examples`

DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA

APT-Hunter

Stellar OST Viewer