Event Log Analysis
Event logs
Event logs record events that occur on a Windows operating system.
They are a critical source of information for:
Investigating security incidents
Identifying malicious/suspicious activities
Understanding system events
Logs don't lie! But they can be cleared/deleted by the threat actor...
Event logs are located at C:\Windows\System32\winevt\Logs
Save time
Reading and investigating the event logs from A to Z is time-consuming in a CTF. So we use an automated scanner such as Hayabusa to scan the event logs and parse the results.
Hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
hayabusa.exe update-rules
hayabusa.exe csv-timeline -d C:\Users\training\Desktop\C\Windows\System32\winevt\logs -p verbose -o ..\results.csv

Then open results.csv in Timeline Explorer.
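Before opening the full timeline, it helps to triage the Hayabusa CSV quickly: count alerts per level, pull out the high/critical ones in time order, and flag any log-clearing events (Security 1102 / System 104), since a cleared log is evidence in itself. The script below is an added example, not part of the original notes or of Hayabusa; the sample CSV is constructed, and the column subset (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details) is assumed to match Hayabusa's output with extra columns from `-p verbose` simply ignored.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Hayabusa csv-timeline export (assumed column
# subset; real profiles such as -p verbose carry more columns, which DictReader ignores).
SAMPLE_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2023-12-20 09:12:01.123 +00:00,WS01,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: bob
2023-12-20 09:15:44.002 +00:00,WS01,Sec,4688,high,Suspicious PowerShell Encoded Command,Cmdline: powershell -enc ...
2023-12-20 09:16:10.550 +00:00,WS01,Sys,7045,med,New Service Installed,Svc: updater
2023-12-20 09:30:00.000 +00:00,WS01,Sec,1102,crit,Security Event Log Cleared,User: bob
2023-12-20 09:31:05.777 +00:00,WS01,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: alice
"""

# Hayabusa's abbreviated level names, most severe first.
LEVEL_ORDER = {"crit": 0, "high": 1, "med": 2, "low": 3, "info": 4}

# Event IDs that indicate a log was cleared (Security 1102, System 104).
LOG_CLEARED_IDS = {"1102", "104"}


def parse_hayabusa_csv(text):
    """Parse Hayabusa CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, min_level="high"):
    """Summarise alerts per level, return alerts at or above min_level (oldest first),
    and list any log-clearing events so the analyst knows the timeline may have gaps."""
    counts = Counter(r["Level"] for r in rows)
    cutoff = LEVEL_ORDER[min_level]
    hot = [r for r in rows if LEVEL_ORDER.get(r["Level"], 99) <= cutoff]
    hot.sort(key=lambda r: r["Timestamp"])  # ISO-style timestamps sort lexically
    cleared = [r for r in rows if r["EventID"] in LOG_CLEARED_IDS]
    return {"counts": dict(counts), "alerts": hot, "log_cleared": cleared}


if __name__ == "__main__":
    result = triage(parse_hayabusa_csv(SAMPLE_CSV))
    for lvl, n in sorted(result["counts"].items(), key=lambda kv: LEVEL_ORDER.get(kv[0], 99)):
        print(f"{lvl:5} {n}")
    for r in result["alerts"]:
        print(r["Timestamp"], r["Level"], r["EventID"], r["RuleTitle"], "|", r["Details"])
    if result["log_cleared"]:
        print("WARNING: log-clearing event(s) found; events before them may be missing")
```

Point `parse_hayabusa_csv` at the contents of the real results.csv to triage an actual run.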

Event Log Explorer
Alternatively, use Event Log Explorer to analyze the event logs manually.
Please refer to: https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis