Event Logs- User Login Date/Time

There are a number of options it depends on what needs you have. The obvious answer is MS Log Parser. Adding the very handy Lizard GUI is a plus.

Some other tools to look into Mandiant Highlighter, Event Log Explorer™, Windows Event Log Viewer.

Thanks, I was just using the EnCase Case Processor…once I get the logs…how do I read the log files and determine when the log on/offs occurred?

You open the log in your tool of choice and look at the EventIDs that correspond to the event you are auditing.

What is the best way to examine event logs and determine date and times of Windows user logins? I don't have much experience with examining event logs. Thanks.

What version of Windows are these event logs from?

Before you start digging into the Security log, it would be helpful to check if the events you're interested in are even being audited. If they are, you should also check to see if the date range of the event log covers the particular time you're looking for. Taking care of these two things first can save you quite a bit of time and indicate that there may not be much in the event logs that you would even help you (or direct you to find previous versions of event logs that may exist).

It's Windows Vista Home Edition

Okay, so you should be working with EVTX files. I wrote a simple batch script to pull the date range from EVTX files that you can use to make sure the event log covers the time you're looking for; check out my blog if you're interested. You should also take a look at the Ultimate Windows Security website; there's a lot of material there that should help. It has a search feature that you can use to look up specific event IDs as well. You didn't mention the type of logon activity you're looking for (local or remote), so you'll need to do some research to find the corresponding Event IDs.

There are a few different tools you could use for parsing. One option is to use Log Parser to export the event log to a CSV file, which you could then easily open in Excel for filtering, etc..

Also
http//www.cpan.org/modules/by-authors/id/H/HC/HCARVEY/
http//www.tzworks.net/prototype_page.php?proto_id=4
And Nirsoft Myeventviewer
http//www.nirsoft.net/utils/my_event_viewer.html
(export as HTML/Text/XML file)

Check this if you have problems with the "dirty" bit
http//reboot.pro/9461/#entry86619

jaclaz

If you are wanting to validate the logon/logoff times in the event logs, one of things to consider is checking the record numbers in the event log to ensure that they are not out of sequence with the timestamps, which might indicate a clock change. If utilizing log parser you would want to include Select RecordNumber.

I use event log explorer by FDPro to view any windows event logs. The tools allows a user to merge event logs into one. For me this is helpful to give an overview of what is taking place. I would suggest trying it.

http//www.eventlogxp.com/

If you are able to borrow the book from a library or plan on doing a lot of event log investigations. I would suggest getting this book by Chad Steel - Windows Forensics The Field Guide for Conducting Corporate Computer Investigations. The book has a section just on log file analysis that has proven very helpful to me.