3.2 - Extracting and analysing Eventlogs

3.2 - Extracting and analysing Eventlogs #

Obtain the EventLog Files &/or Directory with FTK Imager. #

Parsing the EventLogs with EZTools – EvtxECmd.exe. #

  • I’m going to create the csv file with EZTools and then import the data Timeline Explorer.
PS F:\EZTools\Get-ZimmermanTools\EvtxECmd> .\EvtxECmd.exe -f F:\MUS2019CTF\Exported\EventLogs\System.evtx --csv "F:\MUS2019CTF\" --csvf system_evtlogs.csv

1. Which User Shutdown Windows on February 25th 2019? #

You can find this by Google: Event ID 1074: Logged when an app (such as Windows Update) causes the system to restart, or when a user initiates a restart or shutdown. Where do we find these EventLogs on the Windows system?

  • We’ll find that EventID in the SYSTEM EventLog.
  • Filter on 1074 event ID and payloadData3 column for “Type: power off”

Flag: Administrator

Using Autopsy to collect and analyse EventLogs. #

  • Go back to Autopsy and run another ingest module on the evidence.
  • Deselect all and then choose “ParseEvtx”. Select SYSTEM from the right hand side.
  • When the module has finished running the results will show under Data Artifacts > Windows Event Logs
  • Sort by Event Identifier and find 1074