Greetings everyone, and a prosperous New Year ahead of us! This is my first post of 2018, and it's been a while. In this post we'll look at how to query Windows event logs programmatically. This functionality is very useful from the forensic analyst's standpoint, since event logs are records of what has happened on a host. In times of malware infection, a compromised account, or a user committing fraud, it helps to know how to take a quick peek at Windows' event logs.
Sure, you can always view Windows events by launching the Event Viewer: go to Start>Programs>Administrative Tools>Event Viewer, pick your preferred log (Application, Security, Setup, System or Forwarded Events), and filter by the time range you are interested in. I have done this procedure before, but it exhausts me. Looking for a particular event, paging through results bit by bit, drained my energy and ate into investigation time. My program reduces this tedium, as it trims the events down to just the window you asked for.
Algorithm
With the help of the wmi library for Python, I managed to solve the problem.
(1)
import wmi
#user input on time in UTC, in WMI's CIM_DATETIME format: yyyymmddHHMMSS.mmmmmmsUUU
startdate = raw_input("Start time: ") #start time of event, e.g. 20180101000000.000000+000
enddate = raw_input("End time: ") #end time of event
(2)
#initialize and set the wmi object; '.' is the local host
wmi_o = wmi.WMI('.')
(3)
#call out Win32_NTLogEvent and provide the WQL query (SQL-like) for the data needed.
wql = ("Select * from Win32_NTLogEvent Where TimeWritten >= '%s' AND TimeWritten < '%s'" % (startdate, enddate))
events = wmi_o.query(wql)
(4)
#print out desired output here...
for event in events:
    print event.TimeWritten, event.Logfile, event.EventCode, event.SourceName
On (1) I am still finding ways to accept a regular date and convert it between local time and UTC, since Windows event logs store their timestamps in UTC.
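As an added example (not the post's own code, and not part of the Raven application), here is one way to do the missing step (1) and to build the WQL filter from steps (3) and (4) a little more defensively: a human-readable local timestamp is converted to the CIM_DATETIME string that TimeWritten is compared against, normalised to UTC; both timestamps and the optional log name are validated before they are spliced into the query, so a malformed or hostile input cannot change the query's shape; the actual WMI call is isolated in one function so everything else runs on any platform. The UTC offset (480 for UTC+8), the Security log and event IDs 4624/4625 (logon success/failure) used in the `__main__` block are illustrative parameters, not values from the post.

```python
import re
from datetime import datetime, timedelta

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmmsUUU  (sUUU = signed offset from UTC in minutes)
CIM_DATETIME_RE = re.compile(r'^\d{14}\.\d{6}[+-]\d{3}$')
# Event log names are plain words ('Security', 'System', 'Application', ...);
# anything else is refused rather than spliced into the WQL string.
LOGFILE_RE = re.compile(r'^[A-Za-z0-9 _\-/]+$')


def local_to_cim_datetime(text, utc_offset_minutes, fmt='%Y-%m-%d %H:%M:%S'):
    """Parse a local-time string and return it as a CIM_DATETIME in UTC.

    utc_offset_minutes is the offset of the local clock from UTC (e.g. 480 for
    UTC+8, -300 for UTC-5). It is passed explicitly so the result does not
    depend on the timezone of the machine running the script.
    """
    local = datetime.strptime(text, fmt)
    utc = local - timedelta(minutes=utc_offset_minutes)
    return utc.strftime('%Y%m%d%H%M%S') + '.000000+000'


def validate_cim_datetime(value):
    """Refuse anything that is not a well-formed CIM_DATETIME before it reaches the query."""
    if not CIM_DATETIME_RE.match(value):
        raise ValueError('not a CIM_DATETIME value: %r' % (value,))
    return value


def build_wql(start_cim, end_cim, logfile=None, event_codes=()):
    """Build the Win32_NTLogEvent filter: [start, end) plus optional log and event ID filters."""
    conds = [
        "TimeWritten >= '%s'" % validate_cim_datetime(start_cim),
        "TimeWritten < '%s'" % validate_cim_datetime(end_cim),
    ]
    if logfile is not None:
        if not LOGFILE_RE.match(logfile):
            raise ValueError('unexpected log name: %r' % (logfile,))
        conds.append("Logfile = '%s'" % logfile)
    if event_codes:
        # int() guarantees only digits reach the query
        ids = ' OR '.join('EventCode = %d' % int(c) for c in event_codes)
        conds.append('(' + ids + ')')
    return 'SELECT * FROM Win32_NTLogEvent WHERE ' + ' AND '.join(conds)


def format_event(ev):
    """One tab-separated report line per event; ev is a dict as produced by query_events()."""
    message = (ev.get('message') or '').replace('\r', ' ').replace('\n', ' ').strip()
    return '%s\t%s\t%s\t%s\t%s\t%s' % (
        ev['time'], ev['log'], ev['type'], ev['id'], ev['source'], message)


def query_events(wql, host='.'):
    """Run the query with Tim Golden's wmi module (Windows only); yields plain dicts."""
    import wmi  # imported here so the pure-Python helpers above work anywhere
    for ev in wmi.WMI(host).query(wql):
        yield {'time': ev.TimeWritten, 'log': ev.Logfile, 'type': ev.Type,
               'id': ev.EventCode, 'source': ev.SourceName, 'message': ev.Message}


if __name__ == '__main__':
    # Illustrative window: 2 Jan 2018 08:00-09:00 local time at UTC+8, Security log,
    # logon success/failure events (4624/4625).
    start = local_to_cim_datetime('2018-01-02 08:00:00', 480)
    end = local_to_cim_datetime('2018-01-02 09:00:00', 480)
    wql = build_wql(start, end, logfile='Security', event_codes=(4624, 4625))
    print(wql)
    with open('events.txt', 'w') as out:
        for ev in query_events(wql):
            line = format_event(ev)
            print(line)
            out.write(line + '\n')
```

The end of the window is exclusive (`TimeWritten <`), matching the query in step (3), so two adjacent windows never report the same event twice. The wmi module also ships `wmi.from_time` and `wmi.to_time` helpers for the same CIM_DATETIME conversion; the hand-rolled version above is kept so the conversion and its offset handling can be tested away from a Windows box.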
Walkthrough
Firing up my favorite Windows VM and launching the program, we have...
Here I provided the beginning and end of the time window for the events to be filtered.
Below is some of the resulting output.
The program also saves all printed logs to a text file for the user's later needs.
And that's it! You have just queried Windows events. This feature will be added to my Raven application; I am still working on its 2nd version.
As always, thanks for reading =)