Parsing Windows Event Logs, is it possible?
I am doing a little research into the feasibility of a project I have in mind. It involves doing a little forensic work on images of hard drives, and I have been looking for information on how to analyze saved Windows event log files.
I do not require the ability to monitor current events; I simply want to be able to view events which have been created, and record the time and application/process which created those events. However, I do not have much experience in the inner workings of the Windows system specifics, and am wondering if this is possible.
The plan is to create images of a hard drive, and then do the analysis on a second machine. Ideally this would be done in either Java or Python, as they are my most proficient languages.
The main concerns I have are as follows:
Is this information encrypted in any way?
Are there any existing APIs for parsing this data directly?
Is there information available regarding the format in which these logs are stored, and how does it differ between Windows versions?
This must be possible by analyzing the drive itself, as ideally the installation of Windows on the drive would not be running (it would be a mounted image on another system).
The closest thing I could find in my searches is http://www.j-interop.org/ but that seems to be aimed at remote clients. Ideally nothing would have to be installed on the imaged drive. The other solution which also seemed to pop up is the JNI library, but that also seems to be more in the area of monitoring a running system.
Any help at all is greatly appreciated. :)
You can use Microsoft's LogParser, a command line tool, to extract data from the event logs into CSV or various other formats. The default mode extracts from the event log on the running system, but according to the documentation you can also tell it to query against a group of EVT files. In your case, you could point it at the EVT files from the system under investigation.
Saved Windows event log files are called backups. You can use JNA to open and read them. Start with this article that describes how to read event logs in Java.
import com.sun.jna.platform.win32.Advapi32Util.EventLogIterator;
import com.sun.jna.platform.win32.Advapi32Util.EventLogRecord;

public class ReadEventLog {
    public static void main(String[] args) {
        // Walks the "Application" log of the machine this runs on (needs jna-platform on the classpath).
        EventLogIterator iter = new EventLogIterator("Application");
        while (iter.hasNext()) {
            EventLogRecord record = iter.next();
            System.out.println(record.getRecordNumber()
                + ": Event ID: " + record.getEventId()
                + ", Event Type: " + record.getType()
                + ", Event Source: " + record.getSource());
        }
    }
}
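On the format question from the original post: the pre-Vista .evt files (Windows NT 4 through Server 2003, kept as AppEvent.Evt, SysEvent.Evt and SecEvent.Evt under %SystemRoot%\system32\config) are an unencrypted ring buffer of EVENTLOGRECORD structures documented in the Platform SDK's winnt.h, so they can be read straight out of a mounted image with no Windows API involved. Vista and later write a different binary-XML format (.evtx) that the code below does not handle. The parser is an added example written for this page, not code from either answer, from JNA or from LogParser. The sample log it parses is constructed in memory with made-up sources, event IDs and a SID (labelled as such in the code), and its treatment of a log that has wrapped around the end of the file is an assumption about how a split record continues after the header.

```python
"""Offline parser for the legacy Windows .evt event log (NT 4 through Server 2003).
Structures from the Platform SDK winnt.h: ELF_LOGFILE_HEADER (48 bytes, twelve DWORDs, b"LfLe"
at offset 4); EVENTLOGRECORD (56-byte fixed part, then SourceName and ComputerName as NUL-terminated
UTF-16LE, DWORD-aligned SID, insertion strings, data, Length again as the final DWORD);
ELF_EOF_RECORD (40 bytes: 0x28, 0x11111111 .. 0x44444444, offsets, 0x28)."""
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C                   # b"LfLe" read as a little-endian DWORD
HEADER_LEN, RECORD_LEN, EOF_LEN = 0x30, 56, 0x28
HEADER_FMT = "<12I"                 # index 4 = StartOffset, 5 = EndOffset, 9 = Flags
RECORD_FMT = "<IIIIIIHHHHIIIIII"    # Length, Reserved, RecordNumber, TimeGenerated, TimeWritten,
# EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber, StringOffset,
# UserSidLength, UserSidOffset, DataLength, DataOffset
EOF_MARK = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
EVENT_TYPES = {1: "ERROR", 2: "WARNING", 4: "INFORMATION", 8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}


def _read_utf16z(buf, off):
    """Return (text, offset just past the terminator) for a NUL-terminated UTF-16LE string."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated UTF-16 string at offset %d" % off)
    return buf[off:end].decode("utf-16-le"), end + 2


def sid_to_string(sid):
    """Render a binary SID (revision, sub-authority count, 48-bit big-endian authority, subs)."""
    if not sid:
        return ""
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-%d-%d" % (sid[0], int.from_bytes(sid[2:8], "big")) + "".join("-%d" % s for s in subs)


def parse_evt(data):
    """Yield one dict per EVENTLOGRECORD in an .evt file image held in memory."""
    hdr = struct.unpack_from(HEADER_FMT, data)
    if hdr[1] != LFLE or hdr[0] != HEADER_LEN or hdr[11] != HEADER_LEN:
        raise ValueError("not an ELF_LOGFILE_HEADER")
    start, end, dirty = hdr[4], hdr[5], bool(hdr[9] & 1)   # bit 0 = ELF_LOGFILE_HEADER_DIRTY
    # Ring buffer: when StartOffset > EndOffset the records run to the end of the file and continue
    # after the header. Assumption: a record split at the file end resumes directly at 0x30.
    stream = data[start:] if start <= end else data[start:] + data[HEADER_LEN:]
    off = 0
    while off + 8 <= len(stream):
        length, sig = struct.unpack_from("<II", stream, off)
        if sig != LFLE:
            break                   # ELF_EOF_RECORD reached (or leftover bytes in a dirty log)
        if length < RECORD_LEN + 4 or off + length > len(stream):
            raise ValueError("bad record length %d at offset %d" % (length, off))
        rec = stream[off:off + length]
        if struct.unpack_from("<I", rec, length - 4)[0] != length:
            raise ValueError("trailing length mismatch at offset %d" % off)
        (_, _, rec_num, t_gen, t_wri, event_id, ev_type, n_strings, category, _,
         _, str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(RECORD_FMT, rec)
        source, p = _read_utf16z(rec, RECORD_LEN)
        computer, _ = _read_utf16z(rec, p)
        strings, p = [], str_off
        for _ in range(n_strings):
            s, p = _read_utf16z(rec, p)
            strings.append(s)
        yield {"record_number": rec_num, "source": source, "computer": computer,
               "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
               "time_written": datetime.fromtimestamp(t_wri, tz=timezone.utc),
               "event_id": event_id & 0xFFFF,   # low word; the high word carries severity/facility bits
               "event_id_raw": event_id, "event_type": EVENT_TYPES.get(ev_type, str(ev_type)),
               "category": category, "strings": strings, "sid": rec[sid_off:sid_off + sid_len],
               "data": rec[data_off:data_off + data_len], "dirty_log": dirty}
        off += length


# --- Constructed sample log (made-up events, not data from any real system) ---
def _build_record(rec_num, when, event_id, ev_type, source, computer, strings, sid=b""):
    body = (source + "\0" + computer + "\0").encode("utf-16-le")
    body += b"\0" * (-len(body) % 4)                   # DWORD-align the SID
    sid_off = RECORD_LEN + len(body)
    str_off = sid_off + len(sid)
    body += sid + "".join(s + "\0" for s in strings).encode("utf-16-le")
    data_off = RECORD_LEN + len(body)                  # DataLength is 0 in these samples
    body += b"\0" * (-len(body) % 4)
    length = RECORD_LEN + len(body) + 4
    fixed = struct.pack(RECORD_FMT, length, LFLE, rec_num, when, when, event_id, ev_type,
                        len(strings), 0, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return fixed + body + struct.pack("<I", length)


def _build_evt(records):
    body = b"".join(records)
    start, end = HEADER_LEN, HEADER_LEN + len(body)
    eof = struct.pack("<10I", EOF_LEN, *EOF_MARK, start, end, len(records) + 1, 1, EOF_LEN)
    header = struct.pack(HEADER_FMT, HEADER_LEN, LFLE, 1, 1, start, end, len(records) + 1, 1,
                         end + EOF_LEN, 0, 0, HEADER_LEN)
    return header + body + eof


SYSTEM_SID = b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"   # S-1-5-18, constructed
SAMPLE_EVT = _build_evt([   # timestamps are 2010-01-01T00:00:00Z and ten minutes later
    _build_record(1, 1262304000, 0x80001775, 4, "EventLog", "WS01", ["Event log service was started."]),
    _build_record(2, 1262304600, 0x80001B7A, 1, "Service Control Manager", "WS01",
                  ["Print Spooler", "1"], sid=SYSTEM_SID),
])
```

For a real file, `list(parse_evt(open(path, "rb").read()))` on an .evt copied from the mounted image gives the record number, both timestamps, source, event ID and SID that the question asks for. Two caveats for an imaged drive: the record stores only the source name and insertion strings, the rendered message text lives in the source's message DLL named by the EventMessageFile registry value on the imaged system, so full messages need that DLL and the SOFTWARE/SYSTEM hives from the image; and a log taken from a system that was not shut down cleanly carries the dirty flag and may lack a valid EOF record, in which case scanning the file for the "LfLe" signature and checking each candidate's trailing Length is the usual way to recover records this walker stops short of.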