# Windows EventViewer Analysis | DFIR

In this article we show some approaches to analyzing activity recorded in Windows event logs.

## Last Activity View

<figure><img src="/files/t1fniyCgyfTlbDB4YLsn" alt=""><figcaption><p><a href="https://www.nirsoft.net/utils/computer_activity_view.html">https://www.nirsoft.net/utils/computer_activity_view.html</a></p></figcaption></figure>

Other NirSoft tools can be browsed and downloaded [here](https://www.nirsoft.net/panel/).

<figure><img src="/files/xcEsWH4X2p8QfMwMP4QN" alt=""><figcaption></figcaption></figure>

## Evtx analysis

1. Create a new filter by event ID, or by events between specific dates.

<figure><img src="/files/YxorDfMFPxxOlOxmx7XN" alt=""><figcaption></figcaption></figure>

2. After creating it, open the context menu of the filtered view and choose "Save As ...".

3. Use a specific tool to analyze the exported logs.

#### Examples

### **DeepBlueCLI**: <https://github.com/sans-blue-team/DeepBlueCLI>

<figure><img src="/files/0OudHiSsYMHWpaBgdO5q" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.socinvestigation.com/deepbluecli-powershell-module-for-threat-hunting/>" %}

### **WELA (Windows Event Log Analyzer)**: <https://github.com/Yamato-Security/WELA>

<figure><img src="/files/ttt8CJI0teg3RZBAyd8m" alt=""><figcaption></figcaption></figure>

### EventID - Windows Events Search

{% embed url="<https://system32.eventsentry.com/security/search>" %}

### [**APT-Hunter**](https://github.com/ahmedkhlief/APT-Hunter)

<figure><img src="/files/VOeRqpnEcPDki4uukCjg" alt=""><figcaption></figcaption></figure>

## Outlook files analysis

### [Stellar OST Viewer](https://www.stellarinfo.com/email-tools/ost-viewer.php)

<figure><img src="/files/39DKCfT9Hs41woGCWT5Q" alt=""><figcaption></figcaption></figure>

## View .msg files (from Outlook)

{% embed url="<https://github.com/lolo101/MsgViewer>" %}

## LogonTracer

{% embed url="<https://github.com/JPCERTCC/LogonTracer>" %}

**Installation**: uses Neo4j 4.4.26. Start the database:

```
./neo4j console
```

LogonTracer (inside a virtual environment):

```
python -m venv venv
source venv/bin/activate
pip3 install -r LogonTracer/requirements.txt
```

See installation manual: <https://github.com/JPCERTCC/LogonTracer/wiki/for-linux>

```
python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost

[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
 * Serving Flask app 'logontracer'
 * Debug mode: off
```

Access: **<http://localhost:8081>**

<figure><img src="/files/5YHBkI4at5WNPRrR7BT4" alt=""><figcaption></figcaption></figure>

Now load security.evtx logs from Windows.

### Import larger 'security.evtx' files: parse them first

In some cases we need to pre-filter the evtx files, because otherwise a lot of irrelevant events get imported.

I created a Rust tool capable of filtering large files:

```
Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>

Options:
  -i, --input-path <INPUT_PATH>    Path to the .evtx file or directory
  -o, --output-file <OUTPUT_FILE>  Path to the output XML file
  -u, --users-file <USERS_FILE>    Path to the file with the list of owned users (optional)
  -s, --start-date <START_DATE>    Start date for filtering logs (format: YYYY-MM-DD) (optional)
  -e, --end-date <END_DATE>        End date for filtering logs (format: YYYY-MM-DD) (optional)
  -t, --threads <THREADS>          Optional number of threads (default is system maximum) [default: 12]
  -h, --help                       Print help
  -V, --version                    Print version
```

We can use an auxiliary file listing the owned users (one user per line).

```
./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26

Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)
```

Download the binary file from releases:

{% embed url="<https://github.com/sirpedrotavares/evtx_to_xml>" %}
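As an added example (not the evtx_to_xml tool's code and not part of the original page), the following Python script applies the same kind of filter to the XML that Event Viewer's "Save As ..." export produces: a root `<Events>` element holding `<Event>` records in the Windows event namespace. It keeps only the records with chosen event IDs, inside an inclusive date range, whose target user appears in an owned-users list, which is the filtering the steps above and the evtx_to_xml options describe. The records in `SAMPLE_XML`, the host name and the user names are constructed.

```python
"""Filter exported Windows event XML by EventID, date range and owned users.

Added example, not the page's evtx_to_xml tool nor LogonTracer code.
The sample records below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from datetime import date, datetime, timezone

# Namespace fixed by the Windows event schema; every <Event> record uses it
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed export: four logon-related records from a fictitious host
SAMPLE_XML = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID>
      <TimeCreated SystemTime="2024-03-20T08:15:02.1234567Z"/>
      <Computer>WS01.example.local</Computer></System>
    <EventData><Data Name="TargetUserName">alice</Data>
      <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.15</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4625</EventID>
      <TimeCreated SystemTime="2024-03-25T22:41:10.000000Z"/>
      <Computer>WS01.example.local</Computer></System>
    <EventData><Data Name="TargetUserName">bob</Data>
      <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.77</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID>
      <TimeCreated SystemTime="2024-08-26T23:59:59.500000Z"/>
      <Computer>WS01.example.local</Computer></System>
    <EventData><Data Name="TargetUserName">bob</Data>
      <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.77</Data></EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4672</EventID>
      <TimeCreated SystemTime="2024-09-01T03:00:00.000000Z"/>
      <Computer>WS01.example.local</Computer></System>
    <EventData><Data Name="SubjectUserName">SYSTEM</Data>
      <Data Name="TargetUserName">SYSTEM</Data></EventData>
  </Event>
</Events>
"""


def load_events(xml_text):
    """Parse an Event Viewer XML export and return its <Event> elements."""
    return ET.fromstring(xml_text).findall("e:Event", NS)


def parse_system_time(system_time):
    """TimeCreated/@SystemTime is UTC with up to seven fractional digits,
    more than strptime's %f accepts, so the fraction is dropped."""
    base = system_time.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def event_fields(event):
    """Flatten the parts an analyst filters on into a plain dict."""
    system = event.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
        "user": data.get("TargetUserName", ""),
        "data": data,
    }


def filter_events(events, event_ids=None, start=None, end=None, owned_users=None):
    """Keep records matching every filter given; None means 'do not filter'.
    Dates are 'YYYY-MM-DD' and inclusive on both ends, like the
    --start-date/--end-date options shown above."""
    start_d = date.fromisoformat(start) if start else None
    end_d = date.fromisoformat(end) if end else None
    owned = {u.strip().lower() for u in owned_users} if owned_users else None
    kept = []
    for ev in events:
        f = event_fields(ev)
        if event_ids is not None and f["event_id"] not in event_ids:
            continue
        day = f["time"].date()
        if start_d and day < start_d:
            continue
        if end_d and day > end_d:
            continue
        if owned is not None and f["user"].lower() not in owned:
            continue
        kept.append(f)
    return kept


def load_owned_users(path):
    """Read an owned-users file in the one-name-per-line layout described above."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]


def summarize(records):
    """(event_id, UTC timestamp, user, computer) per kept record, oldest first."""
    return [(r["event_id"], r["time"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["user"], r["computer"])
            for r in sorted(records, key=lambda r: r["time"])]


if __name__ == "__main__":
    evs = load_events(SAMPLE_XML)
    for row in summarize(filter_events(evs, {4624, 4625}, "2024-03-18", "2024-08-26", ["bob"])):
        print(row)
```

Run it on a real export by replacing `SAMPLE_XML` with the file contents and passing `load_owned_users("owned_users.txt")` as the user list; `filter_events` returns dicts, so the kept records can be written back out or counted per user before the remaining XML is handed to LogonTracer.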

### Dump Security EVTX files from Collectors ZIP files

```
import zipfile
import os
import shutil

# List of collector folders to process
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Output directory
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop over each folder to process its ZIP file
for folder in folders:
    # Locate any ZIP file whose name starts with "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefix with the folder name

            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Look for the Security.evtx file inside the ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extract and rename the file with the folder prefix
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extracted: {output_file_path}")
                        break  # Stop after finding Security.evtx
            break  # Move on to the next folder after finding a ZIP that starts with "Collection-"
```

### Import the XML into LogonTracer

Before importing the XML file, just one line needs to be updated in logontracer.py (the exported records are indented, so the leading whitespace must be stripped before the `<System>` check):

```
Replace this: #if xml.startswith("<System>"

with:

if xml.strip().startswith("<System>"):
```

<figure><img src="/files/yuWMO37SDog6VJsh5Znt" alt=""><figcaption></figcaption></figure>

After this change, upload the file and enjoy :)

<figure><img src="/files/81A2bJn46Aum5EBDRKvq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2qZpaGC5nxu21B2NSobF" alt=""><figcaption></figcaption></figure>

