Guest Blogger: Vamsi Krishna Chinta  

Understanding raw log locations in Windows and efficiently extracting and structuring them is crucial for forensic investigations and incident response. Eric Zimmerman’s tools provide a powerful way to process these logs, making them more accessible and actionable.

Where to Find Raw Logs in Windows

Windows logs are stored in various locations depending on the type of data they contain. Here are the key locations:

Windows Event Logs (EVTX)

• Location: C:\Windows\System32\winevt\Logs\
• Description: These logs capture system, security, application, and other critical events.
• Key Logs:
  • Security.evtx (Security-related events like logins, policy changes)
  • System.evtx (System-level events like driver failures, shutdowns)
  • Application.evtx (Application-specific logs)
  • Microsoft-Windows-Sysmon/Operational.evtx (Detailed process creation, network connections, registry changes)
    

 Registry Hives

• Location:
  • C:\Windows\System32\config\ (System-wide hives: SYSTEM, SOFTWARE, SAM, SECURITY)
  • C:\Users\<USERNAME>\NTUSER.DAT (User-specific settings)
• Description: Stores configuration, user activity, and system settings.

 Prefetch Files

• Location: C:\Windows\Prefetch\
• Description: Contains execution history of applications, useful for timeline analysis.

Amcache & Shimcache

Location:

• C:\Windows\AppCompat\Programs\Amcache.hve
• System Registry Hive -> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
• Description: Records file executions and metadata for forensic analysis.

 $MFT (Master File Table)

• Location: C:\$MFT (Requires special tools to extract)
• Description: Tracks all file system changes, including creation, deletion, and modification timestamps.

 User Activities (Jump Lists, LNK Files, Recent Files)

• Location:
  • C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\
  • C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
  • C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\
• Description: Helps in tracking user activities and recently accessed files.

While EVTX logs provide structured event records, forensic investigations often require correlating additional artifacts like Registry hives, Prefetch files, and JumpLists. These artifacts help validate log-based findings by revealing execution history, persistence mechanisms, and user interactions, providing a more complete picture of system activity.

Windows Event Logs (EVTX): Real time Analysis

Eric Zimmerman’s tools, known as EZ Tools, are a suite of open-source utilities used in Digital Forensics and Incident Response (DFIR). They help analyze digital evidence by parsing Windows artifacts like event logs and registry data, providing scalable and repeatable methods for investigations. Key tools include Timeline Explorer, Registry Explorer, and EvtxECmd, which facilitate detailed analysis of system activities and changes.

The command EvtxECmd.exe -d “C:\Windows\System32\winevt\Logs” –csv “D:\work\Logs” is used to parse Windows Event Logs (EVTX files) into CSV format. Here’s what it does:

1. Parses EVTX Files: Processes all event logs in C:\Windows\System32\winevt\Logs.
2. Outputs Results: Saves the parsed data as CSV files in D:\work\Logs.

This command is useful for forensic analysis, allowing you to easily review system events like logons or service installations in a structured format.

Timeline Explorer is a free tool by Eric Zimmerman for digital forensics and incident response. It helps visualize chronological data, allowing users to filter and analyze events like Windows logs. Key features include data visualization, filtering, and customization, making it useful for forensic investigations and detecting system activities. 

Timeline Explorer, part of Eric Zimmerman’s toolkit, offers a structured view of CSV data, particularly useful for investigating Windows event logs. Here’s how to use it effectively:

1. Open your CSV file in Timeline Explorer.
2. Use the search panel to look for specific terms or Event IDs.
3. Customize your view by dragging and dropping columns of interest.

For example, to investigate new service installations:

1. Search for Event ID 7045, which indeed corresponds to service creation events.
2. Arrange columns such as Event ID, Map Description, Payload Data, and Execution Info.

This setup allows you to quickly identify:

• What service was created
• Who provided the service
• Execution details of the service

By using this method, you can efficiently analyze service creation events and gain valuable insights into system activities. 

In conclusion, understanding and effectively analyzing Windows logs is crucial for forensic investigations and incident response. By knowing where to find raw logs and using tools like Eric Zimmerman’s to extract and structure them, investigators can uncover valuable insights into system activities and user behavior. This approach enhances the ability to track security events, system changes, and user actions, ultimately aiding in resolving cybersecurity incidents and maintaining system integrity.