Event Log Analysis
Event logs
Records events that occur on a Windows operating system.
It's a critical source of information for
Investigating security incidents,
Identifying malicious/suspicious activities
Understanding system events
Logs don't lie! But they can be cleared or deleted by the threat actor...
Event logs are located at C:\Windows\System32\winevt\Logs
Save time
Reading and investigating the event logs from A to Z is time-consuming in a CTF. So, we use an automated scanner such as Hayabusa to scan the event logs and parse the results.
Hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Then open the results.csv in Timeline Explorer.
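Before opening results.csv in Timeline Explorer, a quick triage pass over the Hayabusa output tells you which rules fired at which severity and whether the logs themselves were cleared. The script below is an added example for the "Save time" and Hayabusa notes above; it is not part of the original page or of the Hayabusa project. It assumes results.csv was produced with Hayabusa's csv-timeline subcommand (for example `hayabusa csv-timeline -d C:\Windows\System32\winevt\Logs -o results.csv`) using the default output columns, and it assumes Hayabusa's abbreviated level names (crit, high, med, low, info). The CSV rows embedded in the script are constructed for the example and are not real investigation data.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Hayabusa results.csv. Column names are
# assumed to match the default output profile; every row is invented for this
# example (hostnames, users and paths are placeholders, not real data).
SAMPLE_RESULTS_CSV = r"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-01-15 09:12:01.000 +00:00,WS01,Sec,4624,info,Logon Success,"LogonType: 2 ¦ User: alice"
2024-01-15 09:14:33.000 +00:00,WS01,Sec,4625,med,Failed Logon,"User: admin ¦ Reason: bad password"
2024-01-15 09:14:34.000 +00:00,WS01,Sec,4625,med,Failed Logon,"User: admin ¦ Reason: bad password"
2024-01-15 09:20:10.000 +00:00,WS01,Sys,7045,high,New Service Installed,"Svc: updater ¦ Path: C:\Temp\u.exe"
2024-01-15 09:25:45.000 +00:00,WS01,Sec,1102,crit,Security Event Log Cleared,"User: admin"
"""

# Hayabusa's abbreviated severity levels, ranked so they can be compared.
LEVEL_RANK = {"crit": 4, "high": 3, "med": 2, "low": 1, "info": 0}

# Windows event IDs that record a log being cleared: 1102 (Security log
# cleared, in the Security channel) and 104 (System log cleared, in System).
LOG_CLEAR_EVENT_IDS = {"1102", "104"}


def load_results(csv_text):
    """Parse Hayabusa CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_results_file(path):
    """Read a results.csv from disk (Hayabusa writes UTF-8)."""
    with open(path, encoding="utf-8") as fh:
        return load_results(fh.read())


def filter_by_min_level(rows, min_level="high"):
    """Keep only rows whose Level is at least min_level; unknown levels are dropped."""
    threshold = LEVEL_RANK[min_level]
    return [r for r in rows if LEVEL_RANK.get(r["Level"].lower(), -1) >= threshold]


def summarize_rules(rows):
    """Count hits per (Level, RuleTitle), highest severity and most hits first."""
    counts = Counter((r["Level"].lower(), r["RuleTitle"]) for r in rows)
    return sorted(
        counts.items(),
        key=lambda kv: (-LEVEL_RANK.get(kv[0][0], -1), -kv[1], kv[0][1]),
    )


def find_log_clearing(rows):
    """Return rows for events that show the logs were cleared (the 'logs can be
    cleared' caveat above): if present, treat the timeline before them as incomplete."""
    return [r for r in rows if r["EventID"] in LOG_CLEAR_EVENT_IDS]


def triage(csv_text, min_level="high"):
    """Run the whole triage over CSV text and return the pieces as a dict."""
    rows = load_results(csv_text)
    return {
        "total": len(rows),
        "interesting": filter_by_min_level(rows, min_level),
        "summary": summarize_rules(rows),
        "log_cleared": find_log_clearing(rows),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RESULTS_CSV)
    print(f"{result['total']} rows, {len(result['interesting'])} at high or above")
    for (level, title), n in result["summary"]:
        print(f"{level:>5}  {n:>3}  {title}")
    for r in result["log_cleared"]:
        print(f"LOG CLEARED at {r['Timestamp']} on {r['Computer']} (EventID {r['EventID']})")
```

To use it on a real run, replace the sample with `load_results_file("results.csv")`; the per-rule summary gives you the short list of rule titles to filter on once the full CSV is open in Timeline Explorer, and any 1102/104 hit tells you where the timeline has a gap that the threat actor created.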
Event Log Explorer
Alternatively, use Event Log Explorer to analyze the event logs manually.
Please refer to: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis