Extracting Event Logs

When event logs are analyzed, the most common approach is to export logs and then review them on the forensics workstation. There are a few reasons for such an approach. Often, we need to analyze a few event logs (for example, System, Security, and Application) from several workstations and Domain Controller. So, it is very convenient to have all event log files in one place. Also, many forensics tools not enough good work with event logs.

There are two main approaches to export event logs:

Live systems
Offline systems

Both of them have their own set of features; let's see what they are.

Live systems

While working with live systems, remember that event log files are always used, which creates some additional challenges. One way ...

Get Practical Windows Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Windows Forensics by Ayman Shaaban, Konstantin Sapronov

Extracting Event Logs

Live systems

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly