Windows Event Log (.evtx) Parsing

Overview
Features
- Core Capabilities
- Extracted Event Fields
Usage
Command-Line Options
- Event Log Parsing Flags
Output Formats
Key Security Events
Forensic Analysis Workflows
Integration with Other Features
Platform Support
- Windows
- Linux/macOS
File Detection
Performance Considerations
Limitations
Security Considerations
Troubleshooting
Best Practices
Examples
Future Enhancements
References
See Also

This document describes the Windows Event Log (.evtx) parsing feature in sus, which provides comprehensive parsing of Windows Event Logs with filtering capabilities and extraction of key forensic events.

Overview

The Event Log Parser enables forensic analysts to:

Parse Windows Event Log (.evtx) files
Filter events by Event ID, source, and level
Extract key security events (logon/logoff, account changes, etc.)
Generate event summary reports
Export parsed events to CSV or JSON format

This feature is inspired by KAPE's event log processing capabilities and integrates seamlessly with sus's forensic workflow including artifact collection, timeline generation, and system snapshots.

Features

Core Capabilities

Comprehensive Event Extraction: Parse all events from .evtx files
Flexible Filtering: Filter by Event ID, source, and severity level
Security Event Detection: Automatically identify forensically significant events
Multiple Output Formats: Export to CSV (timeline-friendly) or JSON (structured)
Summary Reports: Generate statistical summaries of parsed events
Cross-Platform: Works on Linux, macOS, and Windows for offline analysis

Extracted Event Fields

Each parsed event includes:

Timestamp (ISO 8601 format)
Event ID
Level (Critical, Error, Warning, Information, Verbose)
Source/Provider name
Computer name
User SID (if available)
Channel
Event data (structured XML/JSON)
Record ID
Process ID and Thread ID
Keywords, Task, and Opcode

Usage

Basic Event Log Parsing

# Parse all .evtx files found during analysis
sus /evidence --parse-evtx

# Forensic investigation with event log parsing
sus /evidence --target KAPE_Triage --parse-evtx --collect

Filtering Events

# Filter by specific Event IDs (logon events)
sus /evidence --parse-evtx --evtx-event-ids 4624,4625,4634

# Filter by event level
sus /evidence --parse-evtx --evtx-levels Critical,Error,Warning

# Filter by event source
sus /evidence --parse-evtx --evtx-sources Microsoft-Windows-Security-Auditing

# Combine filters
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4625,4648,4672 \
    --evtx-levels Warning,Error,Critical \
    --evtx-sources Microsoft-Windows-Security-Auditing

Output Formats

# Export to CSV format (default, timeline-friendly)
sus /evidence --parse-evtx --evtx-format csv --evtx-output events.csv

# Export to JSON format (structured with full metadata)
sus /evidence --parse-evtx --evtx-format json --evtx-output events.json

# Generate summary report
sus /evidence --parse-evtx --evtx-summary

# Custom output location
sus /evidence --parse-evtx --evtx-output /investigation/security_events.csv

Complete Forensic Workflow

# Full forensic analysis with all features
sus /evidence \
    --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-evtx --evtx-summary \
    --parse-registry \
    --generate-timeline json

# Multi-system event log collection
sus /servers \
    --tag-dir '/dc01:dc01' \
    --tag-dir '/web01:web01' \
    --parse-evtx \
    --evtx-event-ids 4624,4625,4648,4672,4720,4726,4740 \
    --evtx-summary \
    --generate-timeline csv

Command-Line Options

Event Log Parsing Flags

Flag	Description	Default
`--parse-evtx`	Enable Windows Event Log parsing	Disabled
`--evtx-event-ids <IDS>`	Filter by Event IDs (comma-separated)	All events
`--evtx-sources <SOURCES>`	Filter by event sources (comma-separated)	All sources
`--evtx-levels <LEVELS>`	Filter by levels (Critical,Error,Warning,Information,Verbose)	All levels
`--evtx-output <PATH>`	Custom output file path	`output_dir/evtx_events.{format}`
`--evtx-format <FORMAT>`	Output format (csv or json)	`csv`
`--evtx-summary`	Generate event summary report	Disabled

Output Formats

CSV Format

Timeline-friendly format with one row per event:

Timestamp,EventID,Level,Source,Computer,User,Channel,RecordID,ProcessID,ThreadID,EventData
2024-01-15T10:30:45.123Z,4624,Information,Microsoft-Windows-Security-Auditing,DC01,S-1-5-21-...,Security,12345,1234,5678,"{...}"
2024-01-15T10:31:12.456Z,4625,Warning,Microsoft-Windows-Security-Auditing,DC01,S-1-5-21-...,Security,12346,1234,5679,"{...}"

Fields:

Timestamp: Event creation time (ISO 8601)
EventID: Numeric event identifier
Level: Event severity level
Source: Event provider/source name
Computer: Computer name where event occurred
User: User SID (if available)
Channel: Event log channel (Security, System, Application, etc.)
RecordID: Unique event record identifier
ProcessID: Process ID that generated the event
ThreadID: Thread ID that generated the event
EventData: Event-specific data (JSON escaped for CSV)

JSON Format

Structured format with complete metadata:

[
  {
    "timestamp": "2024-01-15T10:30:45.123Z",
    "event_id": 4624,
    "level": "Information",
    "source": "Microsoft-Windows-Security-Auditing",
    "computer": "DC01",
    "user": "S-1-5-21-...",
    "channel": "Security",
    "event_data": {
      "SubjectUserSid": "S-1-5-18",
      "SubjectUserName": "DC01$",
      "TargetUserSid": "S-1-5-21-...",
      "TargetUserName": "Administrator",
      "LogonType": "2",
      "IpAddress": "192.168.1.100"
    },
    "message": null,
    "record_id": 12345,
    "process_id": 1234,
    "thread_id": 5678,
    "keywords": "0x8020000000000000",
    "task": "12544",
    "opcode": "0"
  }
]

Summary Report Format

When --evtx-summary is enabled, a JSON summary report is generated:

{
  "total_events": 15432,
  "event_id_counts": [
    [4624, 5421],
    [4634, 5419],
    [4672, 1234],
    [4688, 2145]
  ],
  "source_counts": [
    ["Microsoft-Windows-Security-Auditing", 14521],
    ["Microsoft-Windows-Kernel-General", 911]
  ],
  "level_counts": [
    ["Information", 14123],
    ["Warning", 891],
    ["Error", 418]
  ],
  "time_range": [
    "2024-01-15T00:00:00.000Z",
    "2024-01-15T23:59:59.999Z"
  ],
  "unique_computers": ["DC01", "WEB01", "DB01"],
  "unique_users": ["S-1-5-21-...", "S-1-5-21-..."]
}

Key Security Events

The parser automatically detects forensically significant security events:

Logon/Logoff Events

4624: Successful logon
4625: Failed logon attempt
4634: Logoff
4647: User-initiated logoff
4648: Explicit credential logon
4672: Special privileges assigned to new logon

Account Management

4720: User account created
4722: User account enabled
4723: Password change attempt
4724: Password reset attempt
4725: User account disabled
4726: User account deleted
4740: User account locked out

Group Management

4728: Member added to security-enabled global group
4732: Member added to security-enabled local group
4756: Member added to security-enabled universal group

Network Activity

4776: NTLM authentication attempt
4778: RDP session reconnected
4779: RDP session disconnected
5140: Network share accessed
5145: Network share access check

Forensic Analysis Workflows

1. Incident Response - Unauthorized Access Investigation

# Focus on authentication and account activity
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4625,4634,4648,4672,4720,4722,4726,4740 \
    --evtx-summary \
    --generate-timeline json

# Review the summary for anomalies:
# - High number of failed logons (4625) → Brute force attack?
# - Account creation (4720) at unusual times
# - Account lockouts (4740)
# - Special privilege assignments (4672)

2. Lateral Movement Detection

# Track RDP and network share access
sus /evidence --parse-evtx \
    --evtx-event-ids 4624,4648,4778,4779,5140,5145 \
    --evtx-format csv \
    --generate-timeline csv

# Analyze timeline for:
# - Logon type 10 (RDP) from unusual sources
# - Explicit credential usage (4648)
# - Network share access patterns
# - Session connections across multiple systems

3. Privilege Escalation Investigation

# Monitor privilege changes and group modifications
sus /evidence --parse-evtx \
    --evtx-event-ids 4672,4728,4732,4756 \
    --evtx-summary

# Look for:
# - Unexpected special privilege assignments (4672)
# - Additions to Domain Admins or local Administrators
# - Privilege escalation during incident timeframe

4. Security Audit

# Comprehensive security event analysis
sus /evidence \
    --parse-evtx \
    --evtx-sources Microsoft-Windows-Security-Auditing \
    --evtx-levels Warning,Error,Critical \
    --evtx-summary \
    --parse-registry \
    --generate-timeline json

# Review all security warnings and errors
# Cross-reference with registry artifacts and timeline

Integration with Other Features

With Artifact Collection

# Collect and parse event logs in one pass
sus /evidence --target KAPE_Triage --collect --parse-evtx

Collected .evtx files are:

Analyzed for patterns and suspicious content
Copied to output/collected/ with metadata preservation
Parsed for forensic artifacts
Included in the artifact manifest

With Timeline Generation

# Create unified timeline including event log timestamps
sus /evidence --parse-evtx --generate-timeline csv

Timeline includes:

File creation, modification, and access times
Event log event timestamps
System snapshot capture time
Artifact collection timestamps

With Registry Parser

# Correlate event logs with registry artifacts
sus /evidence --parse-evtx --parse-registry

Cross-reference:

Logon events (4624) with UserAssist execution evidence
Account creation (4720) with profile creation times
RDP connections (4778/4779) with network history
Application execution events with ShimCache/Amcache

With System Snapshot

# Capture live system state before event log analysis
sus /evidence --system-snapshot --parse-evtx

System snapshot provides context:

Running processes at analysis time
Active network connections
Logged-in users
System configuration

Platform Support

Windows

✅ Full support: Native parsing with all features
✅ Offline analysis: Parse .evtx files without running on Windows
✅ No admin required: Read-only access to event log files

Linux/macOS

✅ Full offline support: Parse Windows .evtx files on any platform
✅ Cross-platform forensics: Analyze Windows event logs from Linux/macOS
✅ DFIR workflows: Integrate with Linux-based forensic toolkits

File Detection

The parser automatically detects .evtx files during analysis:

Files with .evtx extension
Located in typical Windows event log directories:
- %SystemRoot%\System32\winevt\Logs\
- Windows\System32\winevt\Logs\
Custom locations specified by the analyst

Performance Considerations

...

Limitations

Message localization: Event messages are not localized (requires Windows message DLL parsing)
Custom event providers: Some third-party providers may have incomplete parsing
Corrupted logs: Damaged .evtx files may fail to parse completely
Binary event data: Some events contain binary data not fully decoded

Security Considerations

Privacy

Event logs may contain sensitive user information (usernames, SIDs, IP addresses)
Review and sanitize event data before sharing
Consider data protection regulations (GDPR, CCPA, etc.)

Chain of Custody

Event log parsing preserves original timestamps
SHA256 hashes of original .evtx files in artifact manifest
Export timestamps recorded for auditability

Legal and Ethical

Obtain proper authorization before analyzing event logs
Follow organizational policies and legal requirements
Document analysis procedures and findings
Maintain evidence integrity

Troubleshooting

No .evtx Files Found

No .evtx files found to parse

Solution: Ensure the scan path includes Windows event log directories or collected .evtx files.

Parser Errors

Failed to parse evtx file: ...

Causes:

Corrupted .evtx file
Unsupported event log format
Insufficient permissions

Solution: Check file integrity, verify format, ensure read access.

Empty Output

Event log parsing: 0 files, 0 events

Causes:

Filters too restrictive (Event IDs, levels, sources)
No matching events in logs

Solution: Relax filters or verify event log contents.

Best Practices

Start with summary: Use --evtx-summary to understand event distribution
Filter strategically: Use Event ID filters to focus on relevant events
Combine with timeline: Generate timeline for temporal correlation
Cross-reference: Correlate event logs with registry artifacts and file analysis
Document findings: Record analysis methodology and key observations
Preserve originals: Use --collect to preserve original .evtx files
Export both formats: CSV for timeline analysis, JSON for detailed review

Examples

Example 1: Quick Security Audit

sus /C/Windows/System32/winevt/Logs \
    --parse-evtx \
    --evtx-sources Microsoft-Windows-Security-Auditing \
    --evtx-summary

Example 2: Logon Investigation

sus /evidence \
    --parse-evtx \
    --evtx-event-ids 4624,4625,4634,4648 \
    --evtx-format csv \
    --evtx-output logon_events.csv \
    --generate-timeline csv

Example 3: Complete Forensic Analysis

sus /evidence \
    --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-evtx --evtx-summary \
    --parse-registry \
    --generate-timeline json \
    --output-dir /investigation/case-2024-01

Example 4: Failed Logon Analysis

sus /evidence \
    --parse-evtx \
    --evtx-event-ids 4625 \
    --evtx-levels Warning,Error \
    --evtx-format json \
    --evtx-output failed_logons.json

Future Enhancements

Planned features for future releases:

Event message localization using Windows message DLLs
Real-time event log monitoring mode
Advanced correlation with process execution artifacts
Automated anomaly detection in event patterns
Integration with threat intelligence feeds
Support for additional event log formats (XML, ETL)

References

Microsoft Event Log Documentation: https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging
Windows Security Log Encyclopedia: https://www.ultimatewindowssecurity.com/
KAPE Documentation: https://www.kroll.com/kape
SANS DFIR Resources: https://www.sans.org/digital-forensics-incident-response/

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation