Hi guys, Welcome to the Advanced Video Search Engine, and you are watching Event Log Forensics with Log Parser. That video is uploaded by 13Cubed at 2018-04-30T04:23:52-07:00. We are promoting this video only for entertainment and educational purpose only. So, I hope you like & enjoy it. [mCfkFO0xs34]
| Name | Event Log Forensics with Log Parser |
| Video Uploader | Video From 13Cubed |
| Upload Date | This Video Uploaded At 30-04-2018 11:23:52 |
| Video Discription | As a continuation of the "Introduction to Windows Forensics" series, this video introduces Log Parser. This powerful tool from Microsoft allows us to query text-based data such as log files, CSV files, XML files, and numerous other data sources including Active Directory and the Registry. In this video, we're going to look at how Log Parser can allow us to query numerous Windows EVTX event logs using SQL syntax. This allows us to scale our queries in ways not possible with Windows Event Viewer or third-party log viewers. *** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. *** Introduction to Windows Forensics: https://www.youtube.com/watch?v=VYROU-ZwZX8 Log Parser 2.2: https://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx Log Parser Lizard: http://www.lizard-labs.com/log_parser_lizard.aspx Events to Monitor: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor Log Parser Example Queries: https://gist.github.com/exp0se/1bae653b790cf5571d20 Background Music Courtesy of Modern Vintage Gamer: https://www.youtube.com/modernvintagegamer *** [ EXAMPLES USED IN VIDEO ] *** Search for a particular event ID: "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'" Search for logins grouped by user ID: "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC" Search logs for a specific user: "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'" Search logs for a specific IP: "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'" Complex Examples Using PowerShell: Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'" } Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:ON -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"; cd ..; } #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics mCfkFO0xs34 |
| Category | Science & Technology |
| Tags | forensics | digital forensics | DFIR | Log Parser | Log Parser tutorial | Log Parser 2.2 | Logparser | Log Parser Toolkit | Log Parser GUI | Logparser GUI | Log Parser Lizard | Windows Event Viewer | Event Viewer | Event Log Explorer | EVT parser | EVTX parser | EVT forensics | EVTX forensics | Windows event log parser | event log parser | SQL query | Windows Event ID | Windows Event IDs | PowerShell Log Parser | PowerShell Logparser | forensic log parsing | forensic log analysis |
