Windows Event Log Parser
Event Log Forensics- Log parser
Note: For a useful video on this, please see 13cubed, whose video I followed to make this post.
What is Log Parser?
Log Parser is a tool which lets users query event logs. Viewing these allows the investigator to identify important details, such as repeated log-in failures.
Cons of using Log Parser:
It is very similar to SQL, and as such can be difficult to use and understand.
Solution:
This link is a list of all the queries, ready to be copy and pasted.
Finding the event logs
Focus on Security events, which on Windows 10 systems are stored in %SystemRoot%\System32\winevt\Logs\Security.evtx
So, by using FTK Imager to create a physical image of our computer, we can extract the file. Alternatively, we can use a file from a case. I used the one from the CFReDS Data Leakage Case.
Next, we download Log Parser 2.2 from Microsoft:
https://www.microsoft.com/en-gb/download/details.aspx?id=24659
To start off with, we use the command:
E:\Forensics Self-development\Sec>"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'"
This runs the Log Parser executable with statistics suppressed (-stats:OFF) and the input format set to Windows event logs (-i:EVT, which also reads .evtx files), and selects every record from Security.evtx whose event ID is 4624.
Notice how I am in the Sec directory? This is where my event log resides.
4624 is the event ID for a successful logon.
The result will look like this.
Useful, but messy.
So we change the command to:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'" >out.csv
The -q:ON switch enables quiet mode, which suppresses Log Parser's prompts and gives cleaner output, and the > redirect writes the results to out.csv, which can be opened in Excel.
Pro tip: rather than clicking through to the file, run "start ." afterwards to open the current directory in Explorer.
Opening the file in Excel, we see it is still rather messy:
So, we highlight column A, head over to the Data tab, select Text to Columns, tick Delimited and then do the following:
Here, we see that there was a successful login at these times, on the machine, INFORMANT-PC$
What else can we do?
The possibilities are essentially unlimited, which is why there is a list of ready-made queries.
Search for user logins
Number of logins for each username on the system
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
EXTRACT_TOKEN(Strings, 5, '|') pulls the sixth pipe-delimited token (the index is zero-based) out of the event's Strings field, which is where the target username sits in a 4624 event. The query counts those usernames for event ID 4624, excluding SYSTEM, ANONYMOUS LOGON, LOCAL SERVICE and NETWORK SERVICE as well as computer accounts (names ending in $), groups by username and orders by the count, descending.
This was the result:
But what about for a specific user?
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 9, '|') AS LogonProcess, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'informant'"
It is important to understand that we are specifying the different fields for the user Administrator. I had changed it to informant, hence the username coming out as informant.
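To make the token offsets used in the two queries above concrete, here is an added Python re-implementation of both the per-username count and the per-user detail query over a constructed sample of 4624 Strings payloads. This is not Log Parser's code or the post's own; the timestamps, accounts, hostnames and addresses in the sample are made up, and the 20-token field order is the standard 4624 layout (token 9 is the logon process and token 10 the authentication package).

```python
from collections import Counter

# Zero-based token positions in the pipe-joined Strings field of a 4624 event,
# the same indices EXTRACT_TOKEN(Strings, n, '|') uses in the Log Parser queries.
TOKENS = {"Username": 5, "Domain": 6, "LogonType": 8, "LogonProcess": 9,
          "AuthPackage": 10, "Workstation": 11, "ProcessName": 17, "SourceIP": 18}
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}

def event_4624(user, domain, logon_type, workstation, process, ip):
    # Constructed 20-token payload in 4624 order: subject, target, logon, process, network.
    fields = ["S-1-5-18", "INFORMANT-PC$", "WORKGROUP", "0x3e7", "S-1-5-21-1-1000", user,
              domain, "0x3b7c2", logon_type, "User32", "Negotiate", workstation,
              "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x2a8", process, ip, "0"]
    return "|".join(fields)

# Constructed sample records as (TimeGenerated, EventID, Strings), mimicking the -i:EVT fields.
SAMPLE_EVENTS = [
    ("2015-03-23 10:02:11", 4624, event_4624("SYSTEM", "NT AUTHORITY", "5", "-", "-", "-")),
    ("2015-03-23 10:05:40", 4624, event_4624("informant", "INFORMANT-PC", "2", "INFORMANT-PC",
                                             r"C:\Windows\System32\winlogon.exe", "127.0.0.1")),
    ("2015-03-23 10:06:02", 4624, event_4624("INFORMANT-PC$", "WORKGROUP", "5", "-", "-", "-")),
    ("2015-03-23 12:41:19", 4625, event_4624("informant", "INFORMANT-PC", "2", "INFORMANT-PC", "-", "127.0.0.1")),
    ("2015-03-24 09:15:33", 4624, event_4624("informant", "INFORMANT-PC", "10", "LAPTOP-7",
                                             r"C:\Windows\System32\winlogon.exe", "10.11.11.20")),
    ("2015-03-24 09:20:05", 4624, event_4624("admin11", "INFORMANT-PC", "3", "LAPTOP-7", "-", "10.11.11.20")),
]

def extract_token(strings, index, sep="|"):
    """Python equivalent of EXTRACT_TOKEN: the zero-based token, or None when absent."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else None

def logon_counts(events):
    """Mirror of the 'logins per username' query: 4624 only, drop the built-in accounts
    and computer accounts (trailing $), count per user, highest count first."""
    counts = Counter()
    for _ts, event_id, strings in events:
        user = extract_token(strings, TOKENS["Username"])
        if event_id == 4624 and user and user not in EXCLUDED_USERS and not user.endswith("$"):
            counts[user] += 1
    return counts.most_common()

def logons_for_user(events, username):
    """Mirror of the per-user query: every 4624 for one account outside NT AUTHORITY,
    returned with the same named fields the Log Parser query extracts."""
    rows = []
    for ts, event_id, strings in events:
        row = {"Date": ts, **{name: extract_token(strings, idx) for name, idx in TOKENS.items()}}
        if event_id == 4624 and row["Username"] == username and row["Domain"] != "NT AUTHORITY":
            rows.append(row)
    return rows
```

Running logon_counts(SAMPLE_EVENTS) reproduces the grouped count, and logons_for_user(SAMPLE_EVENTS, "informant") gives the same per-row view as the second query, with the failed-logon 4625 record and the computer account filtered out.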