gustavoparedes/QuickLog

QuickLog

QuickLog is a simple tool to visualize Windows logs in EVTX format, organized according to this work: https://cybersecuritynews.com/windows-event-log-analysis/, and designed for the digital forensics with open source tools courses taught at Internet Solutions S.A.S, Bogota, Colombia. It requires Windows 10 64-bit and a screen resolution of 1920x1080. The logs are organized into workspaces.

Download compiled version:

You can download it here.

Workspace

A workspace is a "container" for logs that can hold one or more .evtx files from one or multiple machines running Windows. Before you can start viewing the logs, you need to create a new workspace or open a previously created one. By default, a newly created workspace does not contain any log files; you must add logs after creating or opening the workspace. Additional logs can always be added. A workspace can also be opened to continue reviewing logs and can be closed when necessary.

Log Acquisition

During log acquisition, Windows logs are read and the most relevant fields are stored in a SQLite database. Once the reading and storage process is complete, the original log files are no longer needed, as the database will be used instead. Each log entry is a record in the database within the logs table, and each record contains the following fields with descriptive names:

TimeCreated, UserID, EventID, Machine, Level, LogName, EventMessage, EventMessageXML, and ActivityID.

TimeCreated:

The time at which the event was created, stored in UTC. When the logs are processed, this time is adjusted to the time zone of the machine running QuickLog, not the machine the logs came from. Keep this in mind and establish the correct time zone by extracting it from the evidence's registry; use the evidence's time zone to establish the actual time. For convenience you could, for example, set the analysis machine's time zone to match the evidence's while processing the logs.

UserID:

The security descriptor of the user whose context is used to publish the event. For detailed information on this topic, see here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn743661(v=ws.11)

EventID:

The identifier of the event.

Machine:

The name of the machine where this event was logged.

Level:

The severity level of the event.

LogName:

The name of the event log where this event is recorded.

EventMessage:

The event message in the current locale.

EventMessageXML:

XML representation of the event. All event properties are represented in the event's XML.

ActivityID:

A globally unique identifier (GUID) for the ongoing activity with which the event is associated.
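The field list above describes what acquisition keeps from each event and how TimeCreated should be handled. The following is an added example, not QuickLog's own code: it maps a Windows event's XML onto the nine fields, stores them in a SQLite `logs` table with bound parameters, and renders a stored UTC timestamp in the evidence machine's time zone. The two sample events, the table schema and the UTC-5 offset (Bogota, no DST) are constructed for the example and are assumptions, not values taken from the project.

```python
# Added example, not QuickLog's own code: parse Windows event XML into the
# nine fields of the `logs` table described above, store them in SQLite with
# parameterized inserts, and render the UTC TimeCreated in the evidence
# machine's time zone. Sample events, schema and offset are constructed here.
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace of the Windows Event XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events. The rendered message normally comes from the
# provider's message table, so it is supplied next to each XML record here.
SAMPLE_EVENTS = [
    ("""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General"/>
    <EventID>12</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2024-03-05T18:55:02.000000Z"/>
    <Channel>System</Channel>
    <Computer>WS-LAB-01</Computer>
    <Correlation/>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData/>
</Event>""", "The operating system started at system time 2024-03-05T18:55:02Z."),
    ("""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <TimeCreated SystemTime="2024-03-05T19:01:31.123456Z"/>
    <Channel>Security</Channel>
    <Computer>WS-LAB-01</Computer>
    <Correlation ActivityID="{11111111-2222-3333-4444-555555555555}"/>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">analyst</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>""", "An account was successfully logged on. Logon Type: 2"),
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS logs (
    id INTEGER PRIMARY KEY,
    TimeCreated TEXT NOT NULL,        -- ISO 8601, always UTC
    UserID TEXT, EventID INTEGER NOT NULL, Machine TEXT, Level INTEGER,
    LogName TEXT, EventMessage TEXT, EventMessageXML TEXT, ActivityID TEXT
)"""


def parse_event(xml_text: str, message: str) -> dict:
    """Map one event's XML (plus its rendered message) onto the nine fields."""
    system = ET.fromstring(xml_text).find("e:System", NS)

    def text(tag):
        node = system.find(f"e:{tag}", NS)
        return node.text if node is not None else None

    def attr(tag, name):
        node = system.find(f"e:{tag}", NS)
        return node.get(name) if node is not None else None

    return {
        "TimeCreated": attr("TimeCreated", "SystemTime"),
        "UserID": attr("Security", "UserID"),   # a SID; absent on many events
        "EventID": int(text("EventID")),
        "Machine": text("Computer"),
        "Level": int(text("Level")),
        "LogName": text("Channel"),
        "EventMessage": message,
        "EventMessageXML": xml_text,             # keep the complete XML
        "ActivityID": attr("Correlation", "ActivityID"),
    }


def store_events(records: list[dict], db_path: str = ":memory:") -> sqlite3.Connection:
    """Open the workspace database and insert the records with bound parameters."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO logs (TimeCreated, UserID, EventID, Machine, Level, LogName,"
        " EventMessage, EventMessageXML, ActivityID) VALUES (:TimeCreated, :UserID,"
        " :EventID, :Machine, :Level, :LogName, :EventMessage, :EventMessageXML,"
        " :ActivityID)", records)
    conn.commit()
    return conn


def count_logs(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM logs").fetchone()[0]


def to_evidence_local(utc_iso: str, evidence_offset_hours: int) -> str:
    """Render a stored UTC timestamp in the evidence machine's zone.

    The offset must come from the evidence (its registry key
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation), never from
    the analysis workstation. A fixed offset with no DST is assumed here.
    """
    ts = datetime.fromisoformat(utc_iso.replace("Z", "+00:00"))
    return ts.astimezone(timezone(timedelta(hours=evidence_offset_hours))).isoformat()


if __name__ == "__main__":
    rows = [parse_event(xml, msg) for xml, msg in SAMPLE_EVENTS]
    db = store_events(rows)
    print(count_logs(db), "records stored")
    for r in rows:
        print(r["EventID"], r["LogName"], to_evidence_local(r["TimeCreated"], -5))
```

The point of `to_evidence_local` is the one the TimeCreated note makes: the database keeps UTC, and the wall-clock time an analyst reads off must be computed with the evidence's offset, so the 19:01:31Z logon above becomes 14:01:31 for a Bogota machine regardless of where the analysis workstation sits.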

The Interface:

Interfaz

1. Acquire and Basic Filters:

The first three items are for:

  • Previewing

  • Acquiring one or more log files

  • Acquiring all .evtx files under a folder or path, allowing you to add multiple logs from various machines organized in subfolders within a parent folder, for example.

    Basic Filters

From the fourth element onward, events are categorized into areas of interest based on the work shown at https://cybersecuritynews.com/windows-event-log-analysis/, credited to its author, Forward Defence.

Basic Filters1 Basic Filters2

2. Log Table:

Displays the logs based on the category selected in the Basic Filters.

Tabla1

You can navigate from cell to cell, and the content of each cell will be displayed in the text box as you move.

EventMessage Visualization

Tabla2

EventMessageXML Visualization

Tabla3

3. Text Box:

Displays the content of the cell selected with the keyboard arrows or the mouse. It lets you see highlighted search results and read the log contents comfortably.

Tabla4

4. Labels and Comments:

Apostrophes are not supported in label names yet (planned for the next version).

Options to create, delete, and assign labels, as well as to create, update, and delete comments.

Labels and comments

Before you can use labels, you must create them using the Label Manager.

Label Manager1

Now, simply click on the blank cell in the "Name" column.

Label Manager2

Select a color in the "Color" column.

Label Manager3

And then click on "Save".

Label Manager4

Label Manager5

Now you can close the Label Manager window and return to it whenever you need to create or delete labels.

To apply the labels, you must select the log or logs to which you want to apply the label. Selecting logs:

SelectLog1

Once selected, you will see it like this:

SelectLog2

You can select multiple logs in a row by pressing Shift.

SelectLog3

Or select logs individually by holding down the Ctrl key, as in Windows Explorer.

SelectLog4

Now that you have the log or logs selected, simply click on "Add Label".

AddLabel1

You will see a window with the labels created in the Label Manager:

AddLabel2

Simply select the label you want to apply using the same selection method as for the logs, and click on "Set Label".

AddLabel3

Once the label is applied, it will look like this:

AddLabel4

To add comments, select the log (just one) you want to comment on and click on "Add Comment".

AddComment1

Use the text box to enter the comment you need.

AddComment2

Make sure to click on "Save Comment".

AddComment3

AddComment4

5. Save to:

Options to export the logs currently displayed in the log table to PDF or CSV.

SaveTo

6. Time-Related Filters:

TimeFilters

Allows you to generate a filter based on the start time of one log and the end time of another, such as a user's session start and end times.

Time Range

You can also create a time filter for a specific number of minutes around the time of an event. For example, if an event occurred at 14:01:31 and you use the "Minutes around" option with one minute, it will filter all events between one minute before and one minute after, i.e., between 14:00:31 and 14:02:31.

7. Log Console:

Displays operation messages.

8. Custom Filters:

Allows granular filtering by any of the fields of each log (remember that the basic filters only display categorized events). Custom filters can also include a text search; the text is searched in the EventMessage and EventMessageXML fields.

CustomFilter

Filters can be applied to all fields of the logs. The search logic between different fields is an AND operation, meaning that the filter is applied as follows:

First, it must be within the time range as the primary condition, AND it must match the UserID, AND EventID, AND Machine Name, AND Level, AND LogName, AND Label, AND the search terms within either the EventMessage or EventMessageXML fields.

Search Term: Will search within the EventMessage or EventMessageXML fields and can use the logical operators AND and OR.

For example, you can search for: -1001

Search1

Or search for: -1001 AND logontype'>2<

Search2

Matches are reported whether they satisfy an AND or an OR condition, in either the EventMessage or the EventMessageXML field.
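Sections 4, 6 and 8 together describe one query: a time range (possibly a "Minutes around" window) ANDed with the field conditions and label, plus AND/OR search terms over EventMessage and EventMessageXML. The following is an added example, not QuickLog's own code, that implements that filter over a small SQLite workspace with bound parameters throughout; binding the values is also what lets a label name carry an apostrophe. The schema, the three log rows, the label and the SIDs are constructed for the example; whether QuickLog's own label limitation comes from query construction is not stated on the page.

```python
# Added example, not QuickLog's own code: the AND-combined custom filter the
# README describes (time range, UserID, EventID, Machine, Level, LogName, Label
# and AND/OR search terms over EventMessage and EventMessageXML), the "Minutes
# around" window, and label storage that accepts apostrophes because every
# value is bound as a parameter. Schema, rows and labels are constructed here.
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE logs (id INTEGER PRIMARY KEY, TimeCreated TEXT, UserID TEXT,
    EventID INTEGER, Machine TEXT, Level INTEGER, LogName TEXT,
    EventMessage TEXT, EventMessageXML TEXT);
CREATE TABLE labels (id INTEGER PRIMARY KEY, Name TEXT UNIQUE, Color TEXT);
CREATE TABLE log_labels (log_id INTEGER, label_id INTEGER,
    PRIMARY KEY (log_id, label_id));
"""

# Constructed rows; TimeCreated is ISO 8601 in UTC, so plain string comparison
# sorts and ranges correctly. Ids are assigned 1, 2, 3 in this order.
ROWS = [  # TimeCreated, UserID, EventID, Machine, Level, LogName, EventMessage, EventMessageXML
    ("2024-03-05T19:00:10Z", "S-1-5-21-1-2-3-1001", 4624, "WS-LAB-01", 0, "Security",
     "An account was successfully logged on.",
     "<Data Name='LogonType'>3</Data><Data Name='TargetUserSid'>S-1-5-21-1-2-3-1001</Data>"),
    ("2024-03-05T19:01:31Z", "S-1-5-21-1-2-3-1001", 4624, "WS-LAB-01", 0, "Security",
     "An account was successfully logged on.",
     "<Data Name='LogonType'>2</Data><Data Name='TargetUserSid'>S-1-5-21-1-2-3-1001</Data>"),
    ("2024-03-05T19:30:00Z", "S-1-5-18", 4634, "WS-LAB-02", 0, "Security",
     "An account was logged off.", "<Data Name='TargetUserName'>analyst</Data>"),
]

# Columns a filter may compare for equality: a fixed allow-list, so column
# names never come from user input; values are always bound parameters.
EQUALITY_COLUMNS = ("UserID", "EventID", "Machine", "Level", "LogName")


def setup_workspace() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO logs (TimeCreated, UserID, EventID, Machine, Level,"
                     " LogName, EventMessage, EventMessageXML) VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn


def create_label(conn, name: str, color: str) -> int:
    # Apostrophes in `name` are harmless: the value is bound, not concatenated.
    return conn.execute("INSERT INTO labels (Name, Color) VALUES (?, ?)", (name, color)).lastrowid


def set_label(conn, log_ids: list[int], label_id: int) -> None:
    conn.executemany("INSERT OR IGNORE INTO log_labels VALUES (?, ?)",
                     [(i, label_id) for i in log_ids])


def minutes_around(event_time: str, minutes: int) -> tuple[str, str]:
    """Window of +/- `minutes` around an event: 14:01:31 -> 14:00:31..14:02:31."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    delta, fmt = timedelta(minutes=minutes), "%Y-%m-%dT%H:%M:%SZ"
    return (ts - delta).strftime(fmt), (ts + delta).strftime(fmt)


def parse_search(term: str) -> tuple[str, list]:
    """'-1001 AND logontype'>2<' -> SQL over EventMessage/EventMessageXML.
    AND binds tighter than OR; each token becomes a bound LIKE pattern with
    % and _ escaped, so user text can only ever match literally."""
    or_groups, params = [], []
    for group in term.split(" OR "):
        clauses = []
        for token in (t.strip() for t in group.split(" AND ")):
            if not token:
                continue
            pat = "%" + token.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
            clauses.append("(l.EventMessage LIKE ? ESCAPE '\\'"
                           " OR l.EventMessageXML LIKE ? ESCAPE '\\')")
            params += [pat, pat]
        if clauses:
            or_groups.append("(" + " AND ".join(clauses) + ")")
    return ("(" + " OR ".join(or_groups) + ")" if or_groups else "1"), params


def build_query(f: dict) -> tuple[str, list]:
    """Every condition present in `f` is ANDed, in the order the README lists."""
    where, params = [], []
    if "time_range" in f:
        where.append("l.TimeCreated BETWEEN ? AND ?")
        params += list(f["time_range"])
    for col in EQUALITY_COLUMNS:
        if col in f:
            where.append(f"l.{col} = ?")
            params.append(f[col])
    if "Label" in f:
        where.append("EXISTS (SELECT 1 FROM log_labels ll JOIN labels lb ON lb.id = ll.label_id"
                     " WHERE ll.log_id = l.id AND lb.Name = ?)")
        params.append(f["Label"])
    if f.get("search"):
        clause, p = parse_search(f["search"])
        where.append(clause)
        params += p
    sql = "SELECT l.id FROM logs l" + (" WHERE " + " AND ".join(where) if where else "")
    return sql + " ORDER BY l.TimeCreated", params


def run_filter(conn, f: dict) -> list[int]:
    """Ids of the matching logs, oldest first."""
    sql, params = build_query(f)
    return [row[0] for row in conn.execute(sql, params)]
```

With the constructed rows, the README's two searches behave as described: `-1001` matches both logons (the SID appears in their XML), while `-1001 AND logontype'>2<` narrows to the interactive one, because SQLite's LIKE is case-insensitive for ASCII and the XML stores the attribute as `Name='LogonType'`. Omitting a key from the filter dictionary simply drops that AND term.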

9. Progress bar:

The progress bar displays the progress of logs being loaded into the database as well as the processing of the logs.

Procesando2

The workflow:

The basic workflow is to process one or several (usually all) logs from one or more machines, search for the logs related to the activities of interest, tag and comment them, and finally build a timeline, for example of the relevant sessions or events sorted chronologically.

Time line1

The first thing to do is to create a workspace.

Create / Open / Close a Workspace:

Work Spaces

Afterward, add logs using the "Acquire Logs" option for one or multiple files or "Process Log Folder" to process all .evtx files within a folder. The logs will be stored in the database and classified according to the predefined categories.

Basic Filters:

Basic Filters3 Basic Filters4

At the end of the processing, you will see all the logs classified, and the users found in the logs will be displayed.

Finish1

The compiled program can be run from a USB drive, external disk, or network folder without the need for installation.

Finish2