03/07/2013

event2timeline - a Windows security event log visualization tool

event2timeline has its own GitHub repo.

A recurring task in DFIR is to scour through hundreds of megabytes of Microsoft Windows event logs, searching for suspicious session establishments. Even with great tools such as log2timeline (or its newer version, plaso) and an unlimited amount of coffee, singling out "strange" session establishments can be a daunting task, especially on a busy server used by people from all over the world. It's like looking for a black cat in a dark basement, while blindfolded.

We had to come up with a solution that would spare us the hassle of nitpicking through lines and lines of log entries: a tool that would take those hefty log files, extract every single session out of them, associate each session with its username, and display the result on an easy-to-read timeline. That's exactly what event2timeline does.

event2timeline can parse EVTX Security log files (the ones from Windows Vista onwards, i.e. Windows 7 and Windows 8), as well as CSV extracts from tools such as Event Log Explorer (free for personal, non-commercial use) or Microsoft's Log Parser 2.2. It parses the logs and generates an HTML-based timeline using the D3.js JavaScript visualization library. You can zoom and scroll through the timeline, and mouse over any session to get more information, such as Event ID, domain\username, source IP (if applicable), etc.

Below is a screenshot of the final result, based on demo material from the SANS Advanced Computer Forensic Analysis and Incident Response course.

Feel free to use event2timeline in your daily DFIR routine. Let us know of any improvements you would like to make through pull requests on GitHub or via our Twitter account @CertSG.