Windows EventViewer Analysis | DFIR
In this article we show some approaches to analyzing activity recorded in Windows event logs.
Last Activity View
Other NirSoft tools can be browsed and downloaded here.

Evtx analysis
1. Create a new filter by event ID, or by events between two specific dates.
2. After creating it, open the context menu and choose "Save As ...".
3. Use a dedicated tool to analyze the exported logs.
Examples
DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA

EventID - Windows Events Search

Outlook files analysis

View .msg files (from Outlook)
LogonTracer
Installation (Neo4j 4.4.26 is used here):
./neo4j console
LogonTracer:
python -m venv venv
source venv/bin/activate
pip3 install -r LogonTracer/requirements.txt
See installation manual: https://github.com/JPCERTCC/LogonTracer/wiki/for-linux
python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost
[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
* Serving Flask app 'logontracer'
* Debug mode: off
Access: http://localhost:8081

Now load the Security.evtx logs from Windows.
Parse larger 'security.evtx' files before importing them
In some cases we need to pre-filter the evtx files first, because otherwise a lot of junk is imported.
I created a Rust script capable of filtering larger files:
Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>
Options:
-i, --input-path <INPUT_PATH> Path to the .evtx file or directory
-o, --output-file <OUTPUT_FILE> Path to the output XML file
-u, --users-file <USERS_FILE> Path to the file with the list of owned users (optional)
-s, --start-date <START_DATE> Start date for filtering logs (format: YYYY-MM-DD) (optional)
-e, --end-date <END_DATE> End date for filtering logs (format: YYYY-MM-DD) (optional)
-t, --threads <THREADS> Optional number of threads (default is system maximum) [default: 12]
-h, --help Print help
-V, --version Print version
We can pass an auxiliary file with the owned users (one user per line).
./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26
Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)
Download the binary file from releases:
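The filtering the Rust tool performs above (by date range and owned-user list), and the Event Viewer filter by event ID or date range from the Evtx analysis section, can also be applied to the XML that Event Viewer's "Save As ..." produces. The following is an added example written for this article, not the Rust tool's or LogonTracer's code. It assumes the standard Event Viewer XML export layout (an Events root holding Event records in the Windows events namespace, with the TargetUserName / SubjectUserName fields that Security events carry); the five sample records are constructed for the demo, and the end date is treated as inclusive, like the tool's --end-date.

```python
"""Added example: filter an Event Viewer XML export by event ID, date range and owned users,
then re-assemble the matches into an <Events> document for a tool such as LogonTracer."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Iterable, List, Optional, Set
import xml.etree.ElementTree as ET

# Namespace of every <Event> record that Event Viewer writes with "Save As ..." -> XML.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
ET.register_namespace("", EVT_NS)  # serialise records as <Event xmlns=...>, not <ns0:Event>

# Constructed sample export: five Security records, one per line like the real export.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-03-20T10:15:30.1234567Z"/><Computer>WS01.corp.example</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2024-03-25T08:02:11.5Z"/><Computer>WS01.corp.example</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-01-10T03:00:00Z"/><Computer>SRV02.corp.example</Computer></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">5</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-08-26T23:59:00.0000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">ALICE</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2024-05-01T12:00:00Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="SubjectUserName">alice</Data></EventData></Event>
</Events>"""


@dataclass
class EventRecord:
    event_id: int
    time_created: datetime   # UTC
    computer: str
    data: Dict[str, str]     # EventData/Data Name -> value
    element: ET.Element      # the original record, written back out unchanged


def parse_system_time(value: str) -> datetime:
    """Windows writes up to 7 fractional digits and a trailing 'Z'; strptime wants 6 and no 'Z'."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_events(xml_text: str) -> List[EventRecord]:
    """Parse an <Events> export into records, keeping only the fields the filters need."""
    records: List[EventRecord] = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name", ""): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        records.append(EventRecord(
            event_id=int(system.findtext("e:EventID", namespaces=NS)),
            time_created=parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            computer=system.findtext("e:Computer", default="", namespaces=NS),
            data=data,
            element=ev,
        ))
    return records


def load_owned_users(text: str) -> Set[str]:
    """One account per line (the --users-file layout); blank lines and '#' comments are ignored."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def filter_events(records: Iterable[EventRecord], event_ids: Optional[Set[int]] = None,
                  start: Optional[date] = None, end: Optional[date] = None,
                  owned_users: Optional[Set[str]] = None) -> List[EventRecord]:
    """Keep records matching every filter that is set; start/end are inclusive UTC dates."""
    kept: List[EventRecord] = []
    for rec in records:
        if event_ids and rec.event_id not in event_ids:
            continue
        day = rec.time_created.date()
        if (start and day < start) or (end and day > end):
            continue
        if owned_users:
            # Account the event is about: 4624/4625 carry TargetUserName, others only the subject.
            user = rec.data.get("TargetUserName") or rec.data.get("SubjectUserName") or ""
            if user.lower() not in owned_users:  # account names are case-insensitive on Windows
                continue
        kept.append(rec)
    return kept


def write_events_xml(records: Iterable[EventRecord]) -> str:
    """Re-assemble the kept records into an <Events> document in the export layout."""
    body = [ET.tostring(rec.element, encoding="unicode").strip() for rec in records]
    return "<Events>\n" + "\n".join(body) + "\n</Events>"


def demo() -> List[EventRecord]:
    """Same filters as the command line above: date window plus an owned-user list."""
    owned = load_owned_users("# constructed owned_users.txt\nalice\n")
    return filter_events(parse_events(SAMPLE_EVENTS_XML), event_ids={4624, 4625},
                         start=date(2024, 3, 18), end=date(2024, 8, 26), owned_users=owned)


if __name__ == "__main__":
    kept = demo()
    for rec in kept:
        print(rec.time_created.isoformat(), rec.event_id, rec.computer, rec.data.get("TargetUserName"))
    print(write_events_xml(kept))
```

Only the two 4624 logons for alice inside the window survive: the 4625 for bob fails the user list, the January logon falls before the start date, and the 4672 is dropped by the event ID filter. The record elements are written back untouched, so the output still has the per-record System block LogonTracer expects.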
Dump Security EVTX files from Collectors ZIP files
import zipfile
import os
import shutil

# List of folders
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Output directory
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop over each folder to process its ZIP file
for folder in folders:
    # Find any ZIP file whose name starts with "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefix with the folder name
            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Look for the Security.evtx file inside the ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extract and rename the file with the folder prefix
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extraído: {output_file_path}")
                        break  # Stop after finding Security.evtx
            break  # Move on to the next folder after finding a ZIP starting with "Collection-"
Import the XML into LogonTracer
Before importing the XML file, one line needs to be updated in logontracer.py:
Replace this: #if xml.startswith("<System>"
with:
if (xml.strip()).startswith('<System>'):

After this change, upload the file and enjoy :)

