Event Log Analysis


Last updated 10 months ago

Event logs

Event logs record events that occur on a Windows operating system.

They are a critical source of information for

  • Investigating security incidents,

  • Identifying malicious/suspicious activities

  • Understanding system events

Logs don't lie! But they can be cleared or deleted by the threat actor...

Event logs are located at C:\Windows\System32\winevt\Logs

Save time

Reading and investigating the event logs from A to Z is time-consuming in a CTF. So, we use an automated scanner such as Hayabusa to scan the event logs and parse the result.

Hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

hayabusa.exe update-rules
hayabusa.exe csv-timeline -d C:\Users\training\Desktop\C\Windows\System32\winevt\logs -p verbose -o ..\results.csv

Then open the results.csv in Timeline Explorer.
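Between running csv-timeline and opening results.csv in Timeline Explorer, a quick scripted pass over the CSV helps decide where to look first. The Python below is an added example, not Hayabusa's code and not part of the original page. It assumes a subset of the columns the verbose profile writes (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details), assumes Hayabusa's abbreviated level names (crit, high, med, low, info) and channel names (Sec, Sys, App), and constructs its own sample rows with illustrative rule titles. It also covers the point made in the Event logs section that logs can be cleared: Security event 1102 and System event 104 are the records of a clear, and anything before the earliest one may have to be recovered from other artifacts.

```python
import csv
import io
import sys
from collections import Counter

# Severity order of Hayabusa's Level column. Assumption: the tool prints the
# abbreviated forms "crit", "high", "med", "low", "info".
LEVEL_RANK = {"crit": 4, "high": 3, "med": 2, "low": 1, "info": 0}

# Hayabusa may abbreviate channel names in its output (assumption); map the
# common ones back so the checks below work on either form.
CHANNEL_ALIASES = {"Sec": "Security", "Sys": "System", "App": "Application"}

# Standard Windows event IDs written when a log is cleared: 1102 (Security)
# and 104 (System). These are the defender's evidence that a log was wiped.
LOG_CLEAR_EVENTS = {("Security", "1102"), ("System", "104")}

# Constructed sample of csv-timeline output with only the columns used here.
# Real Hayabusa output has more columns depending on the -p profile, and the
# rule titles below are illustrative, not the project's actual rule names.
SAMPLE_CSV = r"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-01-15 09:01:12.000 +09:00,WS01,Sec,4624,info,Logon Success,Type: 2 ¦ User: bob
2024-01-15 09:05:44.000 +09:00,WS01,Sec,4720,med,User Account Created,User: svc_backup ¦ By: bob
2024-01-15 09:06:10.000 +09:00,WS01,Sec,4732,med,User Added To Local Admins,User: svc_backup
2024-01-15 09:30:03.000 +09:00,WS01,Sys,7045,high,Service Installed,Svc: updater ¦ Path: C:\Temp\u.exe
2024-01-15 09:31:50.000 +09:00,WS01,Sec,1102,high,Security Log Cleared,User: bob
2024-01-15 09:32:01.000 +09:00,WS01,Sys,104,high,System Log Cleared,User: bob
"""


def parse_timeline(csv_text):
    """Parse Hayabusa CSV text into a list of row dicts (one per alert)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_timeline(path):
    """Read results.csv from disk; utf-8-sig strips a BOM if one is present."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return list(csv.DictReader(fh))


def level_rank(row):
    """Numeric severity of a row; unknown levels sort lowest."""
    return LEVEL_RANK.get(row["Level"].strip().lower(), 0)


def normalize_channel(name):
    """Expand an abbreviated channel name to its full form."""
    return CHANNEL_ALIASES.get(name, name)


def filter_by_level(rows, minimum="med"):
    """Keep alerts at or above `minimum`, most severe first, then by time."""
    floor = LEVEL_RANK[minimum]
    kept = [r for r in rows if level_rank(r) >= floor]
    return sorted(kept, key=lambda r: (-level_rank(r), r["Timestamp"]))


def rule_summary(rows):
    """Hit count per rule title, so repeated noise is visible at a glance."""
    return Counter(r["RuleTitle"] for r in rows)


def log_clear_events(rows):
    """Alerts proving a log was cleared (Security 1102 / System 104)."""
    return [r for r in rows
            if (normalize_channel(r["Channel"]), r["EventID"]) in LOG_CLEAR_EVENTS]


def earliest_log_clear(rows):
    """Timestamp of the first clear event, or None. Activity before this
    point may be missing from the log and must come from other artifacts."""
    clears = log_clear_events(rows)
    return min(r["Timestamp"] for r in clears) if clears else None


def print_report(rows, minimum="med"):
    """Print the filtered alerts, a per-rule count and a log-clear warning."""
    for r in filter_by_level(rows, minimum):
        print(f'{r["Timestamp"]}  {r["Level"]:<5} {r["Channel"]:<4} '
              f'{r["EventID"]:<5} {r["RuleTitle"]} | {r["Details"]}')
    print("\nHits per rule:")
    for title, n in rule_summary(rows).most_common():
        print(f"  {n:3d}  {title}")
    first = earliest_log_clear(rows)
    if first:
        print(f"\nWARNING: a log was cleared at {first}; earlier events may be gone.")


if __name__ == "__main__":
    # Usage: python triage.py [results.csv] [crit|high|med|low|info]
    rows = load_timeline(sys.argv[1]) if len(sys.argv) > 1 else parse_timeline(SAMPLE_CSV)
    print_report(rows, sys.argv[2] if len(sys.argv) > 2 else "med")
```

With no arguments the script runs on its built-in sample; with `python triage.py results.csv high` (the script name is a placeholder) it lists only the high and critical alerts from a real Hayabusa timeline, followed by the per-rule counts and the time of the first log clear.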

Event Log Explorer

Alternatively, use Event Log Explorer to analyze the event logs manually.

Please refer to:

https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis