View raw Windows Log files  

banderas20
(@banderas20)
Junior Member

Hello,

I am investigating a Windows image with Autopsy.
I know that the raw files of the logs are in the folder C:\Windows\System32\config (SECURITY, SYSTEM, and so on).

I can recover the files. However, I don't know how to open them to see their contents.

Do you know any tool/way to do this?

Thanks in advance!

Posted : 13/06/2019 6:37 am
dandaman_24
(@dandaman_24)
Active Member

Have a look at this

https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

Posted : 13/06/2019 6:42 am
jaclaz
(@jaclaz)
Community Legend

Registry transaction logs, you mean?

Check

https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html

https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-transaction-log-files

and
https://www.forensicfocus.com/Forums/viewtopic/t=13713/

Up to 7 it made little or no sense to check those; if 8.1 and later, then they might be useful, but there isn't AFAIK (yet) a suitable tool (viewer or parser).

jaclaz

Posted : 13/06/2019 7:10 am
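As an added illustration of the transaction-log point in the reply above (example code written for this thread, not from the forum, KAPE, or the linked regf specification project): a small Python parser for the 512-byte regf base block that validates the header checksum and compares the primary and secondary sequence numbers. When they differ, the hive was not written cleanly and the .LOG1/.LOG2 transaction logs hold changes that are missing from the primary file, which is exactly why a raw SYSTEM or SECURITY hive pulled from an image should be checked before it is viewed. The hive header used here is constructed inline, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as 127 little-endian DWORDs (regf spec)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    # Spec edge cases: all-ones is stored as 0xFFFFFFFE, zero as 1.
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if x == 0 else x

def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_regf_base_block(data: bytes) -> dict:
    """Parse the base-block fields that show whether a hive was written cleanly."""
    if len(data) < 512 or data[:4] != b"regf":  # base block is the first 512 bytes
        raise ValueError("not a regf hive (bad size or signature)")
    primary_seq, secondary_seq, last_written, _major, _minor, file_type = struct.unpack_from("<IIQIII", data, 4)
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]  # UTF-16LE, NUL padded
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "last_written_utc": filetime_to_utc(last_written),
        "file_type": file_type,  # 0 = primary file, 1 or 2 = transaction log
        "file_name": name,
        "checksum_ok": stored == regf_checksum(data),
        # Unequal sequence numbers mean the last write never completed, so the
        # .LOG1/.LOG2 transaction logs hold changes missing from the primary file.
        "dirty": primary_seq != secondary_seq,
    }

def build_sample_hive_header(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed 512-byte base block (not a real hive) with a valid checksum."""
    hdr = bytearray(512)
    hdr[:4] = b"regf"
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    ft = int((datetime(2019, 6, 13, tzinfo=timezone.utc) - epoch).total_seconds()) * 10_000_000
    # version 1.5, file type 0 (primary hive), format 1, root cell offset 0x20, 4 KiB of bins
    struct.pack_into("<IIQIIIIII", hdr, 4, primary_seq, secondary_seq, ft, 1, 5, 0, 1, 0x20, 0x1000)
    name = "SYSTEM".encode("utf-16-le")
    hdr[48:48 + len(name)] = name
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)
```

Run `parse_regf_base_block(open(path, "rb").read(512))` against a recovered hive; a `dirty` result means the viewer of choice must either replay the transaction logs or the analyst must expect stale data.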