Event Log Forensics with Log Parser

As a continuation of the "Introduction to Windows Forensics" series, this video introduces Log Parser. This powerful tool from Microsoft allows us to query text-based data such as log files, CSV files, XML files, and numerous other data sources including Active Directory and the Registry. In this video, we're going to look at how Log Parser can allow us to query numerous Windows EVTX event logs using SQL syntax. This allows us to scale our queries in ways not possible with Windows Event Viewer or third-party log viewers.

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

Introduction to Windows Forensics:
https://www.youtube.com/watch?v=VYROU-ZwZX8

Log Parser 2.2:
https://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx

Log Parser Lizard:
http://www.lizard-labs.com/log_parser_lizard.aspx

Events to Monitor:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Log Parser Example Queries:
https://gist.github.com/exp0se/1bae653b790cf5571d20

Background Music Courtesy of Modern Vintage Gamer:
https://www.youtube.com/modernvintagegamer

*** [ EXAMPLES USED IN VIDEO ] ***

Search for a particular event ID:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'"

Search for logins grouped by user ID:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"

Search logs for a specific user:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

Search logs for a specific IP:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"

Complex Examples Using PowerShell:
Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'" }

Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:ON -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"; cd ..; }

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics