Event Logs

GitHub - stuhli/awesome-event-ids: Collection of Event ID ressources useful for Digital Forensics and Incident ResponseGitHub

Windows Baseline LoggingØSecurity

13cubed

What Is?

Forensic Value:

File Location:

• C:\Windows\System32\winevt\logs

Offline System

Live System

Parse Data:

Offline:

#Parse directory of logs and output to CSV
EvtxECmd.exe -d "F:\INVESTIGATE\Defender Cases\c151-lockbit\c151-LockBit\Triage Images\DC01\Windows\System32\winevt\logs" --csv "F:\INVESTIGATE\Defender Cases\c151-lockbit\c151-LockBit\Triage Images\DC01\Windows\System32\winevt\logs" --csvf EventLogsTimeline.csv

Live PowerShell Cheatsheet

##List available EventIDs within log source
(Get-WinEvent -ListProvider Microsoft-Windows-TaskScheduler).Events | Format-Table Id, Description

##Display logs in log source
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message

Considerations:

Example:

Analysis Tips:

Anti-Forensics: