# Event Log Analysis

## Event logs

Records events that occur on a Windows operating system.

It's a critical source of information for

* Investigating security incidents
* Identifying malicious or suspicious activities
* Understanding system events

Logs don't lie! But they can be cleared or deleted by the threat actor...

Event logs are located at `C:\Windows\System32\winevt\Logs`

## Save time

Reading and investigating the event logs from A to Z is time consuming in a CTF. So we use an automated scanner such as Hayabusa to scan the event logs and then parse the result.

## Hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

```powershell
hayabusa.exe update-rules
hayabusa.exe csv-timeline -d C:\Users\training\Desktop\C\Windows\System32\winevt\logs -p verbose -o ..\results.csv
```

<figure><img src="https://665104163-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrgnT6YaXl0rwqp4CAxuD%2Fuploads%2F2b5Zjdr9oNBWYO0bfSaN%2Fimage.png?alt=media&#x26;token=785d2e67-021e-4d6f-87fe-a4a57665b610" alt=""><figcaption></figcaption></figure>

Then open the *results.csv* in Timeline Explorer

<figure><img src="https://665104163-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrgnT6YaXl0rwqp4CAxuD%2Fuploads%2FltFDRGPmIoAnEfy4hVd5%2Fimage.png?alt=media&#x26;token=7eb1e596-fa76-4316-aece-395d70710b64" alt=""><figcaption></figcaption></figure>
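Timeline Explorer is convenient, but for a quick first pass it also helps to triage the *results.csv* programmatically. The script below is an added example (not part of this page or of the Hayabusa project): it parses a constructed sample of csv-timeline output, counts alerts per `Level`, and lists the `high`/`crit` hits first. The column names (`Timestamp`, `Computer`, `Channel`, `EventID`, `Level`, `RuleTitle`, `Details`) and the level labels are assumed to match Hayabusa's output; adjust them if your profile differs.

```python
import csv
import io
from collections import Counter

# Severity order of Hayabusa's "Level" column (assumed labels: crit, high, med, low, info).
LEVEL_RANK = {"crit": 0, "high": 1, "med": 2, "low": 3, "info": 4}

# Constructed sample of a csv-timeline output (column set assumed, values made up).
SAMPLE_CSV = r"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-01-10 09:01:12.000 +00:00,WS01,Sec,4624,info,Logon (Network),User: training
2024-01-10 09:02:44.000 +00:00,WS01,Sec,1102,high,Security Log Cleared,User: training
2024-01-10 09:02:50.000 +00:00,WS01,Sys,7045,high,Service Installed,Path: C:\Temp\u.exe
2024-01-10 09:03:05.000 +00:00,WS01,PwSh,4104,crit,Encoded PowerShell Command,ScriptBlock: [redacted]
2024-01-10 09:05:00.000 +00:00,WS01,Sec,4634,info,Logoff,User: training
"""


def load_timeline(csv_text):
    """Parse Hayabusa csv-timeline text into a list of row dicts (one per alert)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def level_counts(rows):
    """Count alerts per Level so the analyst sees how noisy the timeline is."""
    return Counter(r["Level"] for r in rows)


def triage(rows, min_level="high"):
    """Return (Timestamp, Level, EventID, RuleTitle) for alerts at or above min_level,
    ordered by severity first and then chronologically."""
    cutoff = LEVEL_RANK[min_level]
    hits = [r for r in rows if LEVEL_RANK.get(r["Level"], 99) <= cutoff]
    hits.sort(key=lambda r: (LEVEL_RANK[r["Level"]], r["Timestamp"]))
    return [(r["Timestamp"], r["Level"], r["EventID"], r["RuleTitle"]) for r in hits]


if __name__ == "__main__":
    # To use on a real run, replace SAMPLE_CSV with open("results.csv", encoding="utf-8").read()
    rows = load_timeline(SAMPLE_CSV)
    print(dict(level_counts(rows)))
    for ts, lvl, eid, title in triage(rows):
        print(f"{ts}  {lvl:<5} {eid:>5}  {title}")
```

Note that a `high` hit on EventID 1102 (Security log cleared) is exactly the "logs can be cleared by the threat actor" case: the clearing itself leaves a record, so look for it before trusting a quiet timeline.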

## Event Log Explorer

For manual analysis, use Event Log Explorer to go through the event logs yourself.

Please refer: <https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis>
