View raw Windows Log files

(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello,

I am investigating a Windows image with Autopsy.
I know that the raw files of the logs are in the folder c:\windows\system32\config (SECURITY, SYSTEM, and so on).

I can recover the files. However, I don't know how to open them to see their contents.

Do you know any tool/way to do this?

Thanks in advance!

 
Posted : 13/06/2019 5:37 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Have a look at this

https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

 
Posted : 13/06/2019 5:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Registry transaction logs, you mean?

Check

https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html

https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files

and
https://www.forensicfocus.com/Forums/viewtopic/t=13713/

Up to Windows 7 it made little or no sense to check those; on 8.1 and later they might be useful, but AFAIK there isn't (yet) a suitable tool (viewer or parser).

jaclaz

 
Posted : 13/06/2019 6:10 am
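The files the OP found under config (SYSTEM, SECURITY, and so on) are registry hives, and the "logs" that sit next to them (SYSTEM.LOG1, SYSTEM.LOG2) are the registry transaction logs jaclaz points to. A first triage step a practitioner wants before hunting for a viewer is to confirm what each file actually is and whether the hive was left dirty, i.e. whether the transaction logs still hold data not yet written to the primary file. The script below is an added example written for this page; it is not code from any poster or from the linked projects. It reads the 512-byte base block of a hive or log file (the "regf" header: sequence numbers, version, file type, checksum) and walks the "HvLE" log entries of a new-format (Windows 8.1+) transaction log, as I read the linked regf specification. Assumptions: the file-type value mapping (0 primary, 1 old-format log, 2 new-format log) is my reading of that spec and should be verified against it; the "pending" rule (log entries whose sequence number is above the hive's secondary sequence number) is a triage heuristic, not the spec's full recovery algorithm; and the hive and log bytes are constructed in the script, so it runs offline with no real evidence files.

```python
import struct

REGF = b"regf"
HVLE = b"HvLE"
# File type values as I read them in the linked regf spec (assumption; verify against it).
FILE_TYPES = {0: "primary", 1: "log (old format)", 2: "log (new format)"}


def regf_checksum(block):
    """XOR of the 127 DWORDs at offsets 0-507 of the base block, with the
    two special cases the format defines (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    x = 0
    for (dw,) in struct.iter_unpack("<I", block[:508]):
        x ^= dw
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_base_block(data):
    """Decode the 512-byte 'regf' base block shared by hives and transaction logs."""
    if len(data) < 512 or data[:4] != REGF:
        raise ValueError("not a regf base block")
    (seq1, seq2, ts, major, minor, ftype, fformat,
     root, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": seq1, "secondary_seq": seq2, "timestamp": ts,
        "version": (major, minor),
        "file_type": FILE_TYPES.get(ftype, "unknown (%d)" % ftype),
        "file_format": fformat, "root_cell_offset": root,
        "hbins_data_size": hbins_size, "name": name,
        "checksum_ok": stored == regf_checksum(data),
        # Unequal sequence numbers mean the last write did not complete: hive is dirty.
        "dirty": seq1 != seq2,
    }


def parse_log_entries(data):
    """Walk the 'HvLE' entries that follow the base block of a new-format log.
    Stops at the first entry that is missing or truncated; earlier ones stay usable."""
    entries, off = [], 512
    while off + 40 <= len(data) and data[off:off + 4] == HVLE:
        size, flags, seq, hbins_size, npages = struct.unpack_from("<IIIII", data, off + 4)
        hash1, hash2 = struct.unpack_from("<QQ", data, off + 24)
        if size < 40 + 8 * npages or off + size > len(data):
            break
        pages = [struct.unpack_from("<II", data, off + 40 + 8 * i) for i in range(npages)]
        entries.append({"offset": off, "size": size, "flags": flags, "seq": seq,
                        "hbins_data_size": hbins_size, "pages": pages,
                        "hash1": hash1, "hash2": hash2})
        off += size
    return entries


def triage(hive, logs):
    """Summarise a hive and its LOG1/LOG2 files: dirty state plus entries that
    look unapplied (seq above the hive's secondary seq; heuristic, see lead-in)."""
    bb = parse_base_block(hive)
    report = {"hive": bb, "logs": {}}
    for name, blob in logs.items():
        ents = parse_log_entries(blob)
        pending = [e["seq"] for e in ents if e["seq"] > bb["secondary_seq"]]
        report["logs"][name] = {"base": parse_base_block(blob),
                                "entries": len(ents), "pending_seqs": pending}
    return report


# ---- constructed sample data (not real evidence) -------------------------------
def build_base_block(seq1, seq2, ftype, name="SYSTEM"):
    b = bytearray(512)
    b[:4] = REGF
    struct.pack_into("<IIQIIIIIII", b, 4, seq1, seq2, 0x01D5220000000000,
                     1, 5, ftype, 1, 0x20, 0x1000, 1)
    b[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", b, 508, regf_checksum(bytes(b)))
    return bytes(b)


def build_log_entry(seq, pages):
    """One HvLE entry; hash-1/hash-2 are left zero (Marvin32 not computed here)."""
    hdr = bytearray(40 + 8 * len(pages))
    hdr[:4] = HVLE
    body = b"".join(b"\x00" * s for _, s in pages)
    size = -(-(len(hdr) + len(body)) // 512) * 512        # entries are 512-byte aligned
    struct.pack_into("<IIIII", hdr, 4, size, 0, seq, 0x1000, len(pages))
    for i, (o, s) in enumerate(pages):
        struct.pack_into("<II", hdr, 40 + 8 * i, o, s)
    return (bytes(hdr) + body).ljust(size, b"\x00")


SAMPLE_HIVE = build_base_block(8, 6, 0)                   # dirty: 8 != 6
SAMPLE_LOG = (build_base_block(8, 8, 2) + build_log_entry(7, [(0x0, 0x1000)])
              + build_log_entry(8, [(0x1000, 0x1000)]))

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HIVE, {"SYSTEM.LOG1": SAMPLE_LOG}), indent=2))
```

On a real image, replace the constructed blobs with the bytes of the exported hive and its .LOG1/.LOG2 files; if the hive reports dirty and a log has entries above the hive's secondary sequence number, the on-disk hive is not the latest state and the log needs to be replayed before the keys are trusted.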