Ever tested an attack, a particular technique, or a malware sample in your lab and wondered exactly which Windows event logs it generated? Knowing this is extremely useful for digital forensics and malware analysis.
EventFinder2
This tool lets you mark a start and end time, then extracts all event logs written between those timestamps and automatically compiles them into a sorted CSV on your desktop. For example, a security analyst could run malware in a contained VM, then use the collected logs to determine what the malware did and in what order; that sequence can be used to create IOCs and map TTPs.
Usage:
1. Open as Administrator.
2. Click the Start Time button.
3. Perform whatever action you want to see events for.
4. Click the End Time button.
5. Click Find Events (you can manually adjust the timing before clicking here).
6. Wait while the program generates a CSV of the found events on the current desktop. The file name will be `Logs_Runtime_<datestamp>_<runtime>`.
Notes:
- This program will not read certain logs (Security, Sysmon, etc.) without Administrator privileges.
- You may want to use Timeline Explorer to filter and read the `.csv` output file.
Download: EventFinder2 on GitHub
Tutorial Video: 13Cubed YouTube Tutorial
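The same start/end workflow can be reproduced by hand in PowerShell. The following is an added example, not EventFinder2's own code: it marks a start time, waits for you to perform the action, marks an end time, queries every readable log for that window, sorts the records chronologically and writes them to the desktop with a file name modelled on the tool's `Logs_Runtime_<datestamp>_<runtime>` convention. Column choices and the `s` suffix on the runtime are this example's own.

```powershell
# Added example (not EventFinder2's code): collect every event written between
# a marked start and end time, across all readable logs, into one sorted CSV.
# Run from an elevated PowerShell session; Security and Sysmon logs need admin.

# 1. Mark the start time, perform the action under test, then mark the end time.
$StartTime = Get-Date
Read-Host "Start marked at $StartTime. Perform the action, then press Enter"
$EndTime = Get-Date

# 2. Enumerate every log that currently holds records. SilentlyContinue skips
#    logs the current account is not allowed to list instead of aborting.
$LogNames = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object -ExpandProperty LogName

# 3. Query each log for the window. Get-WinEvent raises an error both when a
#    log has no matching events and when access is denied; either way the log
#    is simply skipped so the run completes.
$Events = foreach ($Log in $LogNames) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $Log
            StartTime = $StartTime
            EndTime   = $EndTime
        } -ErrorAction Stop
    } catch {
        # no events in window, or log not readable without elevation: skip
    }
}

# 4. Flatten to the columns a timeline review needs and sort chronologically.
#    Multi-line messages are collapsed so each event stays on one CSV row.
$Rows = $Events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\r?\n', ' ' } }

# 5. Name the output like the tool does: Logs_Runtime_<datestamp>_<runtime>.
$Runtime   = [int]($EndTime - $StartTime).TotalSeconds
$DateStamp = $StartTime.ToString('yyyyMMdd_HHmmss')
$Desktop   = [Environment]::GetFolderPath('Desktop')
$OutFile   = Join-Path $Desktop "Logs_Runtime_${DateStamp}_${Runtime}s.csv"

$Rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "$($Rows.Count) events between $StartTime and $EndTime written to $OutFile"
```

Because the window is measured on the local clock, keep the action short and avoid other activity on the VM during the run; otherwise unrelated background events (updates, telemetry, scheduled tasks) land in the same CSV and have to be filtered out in Timeline Explorer.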
Practice Verified Commands and Codes:
1. Extracting Event Logs Manually (PowerShell):

```powershell
# Export the 100 most recent Security log entries to CSV (requires elevation)
Get-WinEvent -LogName Security -MaxEvents 100 | Export-Csv -Path "C:\SecurityLogs.csv"
```

2. Filtering Event Logs by Time Range (PowerShell):

```powershell
# Export System log entries from the last hour
$StartTime = (Get-Date).AddHours(-1)
$EndTime   = Get-Date
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$StartTime; EndTime=$EndTime} |
    Export-Csv -Path "C:\SystemLogs.csv"
```

3. Using Sysmon for Advanced Logging:
- Install Sysmon with a configuration file:

```powershell
sysmon -accepteula -i sysmonconfig.xml
```

- View Sysmon logs:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"
```

4. Analyzing CSV Output with Timeline Explorer:
- Open the generated CSV file in Timeline Explorer for advanced filtering and analysis.
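Listing the Sysmon log as above prints each record's message text, but the useful fields (image path, command line, parent process, hashes) sit inside the event's XML. The following added example, which is not part of the original post or of Sysmon, pulls Sysmon ProcessCreate events (Event ID 1) from a time window and flattens the `EventData` elements into columns so the process chain of a test run can be read in order and the hash values lifted straight into an IOC list. The function name `ConvertFrom-SysmonEvent`, the 30-minute window and the output file name are this example's own; the `Image`, `CommandLine`, `ParentImage`, `Hashes` and `User` field names are the ones Sysmon writes for Event ID 1.

```powershell
# Added example (not the page's or Sysmon's code): flatten Sysmon ProcessCreate
# records from a time window into a sortable table and CSV.
# Requires Sysmon installed with Event ID 1 enabled and an elevated session.

$StartTime = (Get-Date).AddMinutes(-30)   # placeholder: use your marked start time
$EndTime   = Get-Date                     # placeholder: use your marked end time

$Filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1            # Sysmon Event ID 1 = ProcessCreate
    StartTime = $StartTime
    EndTime   = $EndTime
}

function ConvertFrom-SysmonEvent {
    # Turn one EventLogRecord into an object keyed by the Sysmon <Data Name=...> fields.
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    process {
        $Xml  = [xml]$Event.ToXml()
        $Data = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
        foreach ($Field in $Xml.Event.EventData.Data) {
            $Data[$Field.Name] = $Field.'#text'
        }
        [pscustomobject]$Data
    }
}

# SilentlyContinue suppresses the "No events were found" error for an empty window.
$Processes = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProcessId, Image, CommandLine,
                  ParentProcessId, ParentImage, Hashes, User

# Review in the console, then hand the CSV to Timeline Explorer.
$Processes | Format-Table -AutoSize -Wrap
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sysmon_ProcessCreate.csv'
$Processes | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The same `ConvertFrom-SysmonEvent` function works for the other Sysmon event types (for example network connections or file creates) because every Sysmon record carries its fields as `Data` elements; only the `Id` in the filter and the columns you select change.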
What Undercode Say:
Windows event logs are a goldmine for digital forensics and malware analysis. Tools like EventFinder2 simplify the process of extracting and analyzing logs between specific timestamps, making it easier to identify Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs). For those who prefer manual methods, PowerShell commands like `Get-WinEvent` and `Export-Csv` provide flexibility in extracting and filtering logs. Sysmon, a powerful tool from Sysinternals, enhances logging capabilities, offering deeper insights into system activities. Combining these tools with Timeline Explorer allows for efficient log analysis, enabling security analysts to reconstruct events and understand malware behavior. Always ensure you have administrative privileges when working with logs, as certain logs like Security and Sysmon require elevated access. For further learning, explore resources like the 13Cubed YouTube channel and the EventFinder2 GitHub repository. Mastering these tools and techniques is essential for anyone in the field of cybersecurity, particularly in roles involving incident response, threat hunting, and digital forensics.