// evidence type
windows evtx / security log
exported .evtx from a workstation or DC · forwarded SIEM bundle · csv from a vendor. parse auth, lateral movement, log tampering, and timeline gaps.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- windows event log parser: drop a .evtx file · parse Windows event log · filter by event ID · level · source · export CSV · runs locally
- windows event log deep dive: drop EVTX · map event IDs to attack techniques · 4624 logon · 4688 process creation · 7045 service install · 4698 scheduled task · Kerberoasting · lateral movement chains · runs locally
- windows event log attack chain mapper: drop evtx csvs · map event ids to mitre attack techniques · reconstruct lateral movement chains · credential access · persistence · discovery · flag sequences not just individual events · runs locally
- windows event log gap analyzer: drop multiple evtx · merged timeline · logging gaps · clearing events · ransomware prep chains · service persistence hints · runs locally
- log ingestion gap and silent host detector: drop siem export or event log collector export · identify machines that stopped sending logs · calculate expected vs actual log volume per host · detect hosts that went dark · flag suspicious silences · runs locally
- log file authenticity and integrity scorer: drop any log file · verify internal consistency · line endings · timestamps · detect log injection · fabrication indicators · authenticity score · runs locally
- incident timeline builder: drop multiple CSVs with timestamps from any forensic tool · merge into unified chronological timeline · entity tagging · filter by source · export full timeline · runs locally
- unified login session reconstructor: drop 4624 evtx · rdp logs · vpn logs · ssh logs · browser cookie databases · srum csv · build one unified session per user per day across all authentication sources · identify gaps · flag impossible sessions · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- PowerShell history clearing detector: drop powershell operational evtx csv or psreadline history file · detect cleared powershell command history · identify gaps in command execution record · surface anti-forensic powershell history manipulation · runs locally
- psreadline history gap and anomaly analyzer: paste or drop psreadline consolehost_history txt · detect gaps in command history · identify suspicious command sequences · surface anti-forensic commands · reconstruct powershell session timeline · runs locally
- LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
- windows scheduled task analyzer: drop task scheduler xml · triggers · actions · principals · suspicion score · encoded powershell decode · persistence hints · runs locally
- token manipulation artifact analyzer: drop security evtx csv · detect token impersonation and privilege events · 4624 type 2/3 anomalies · special privileges assigned · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally