Fri, Apr 16, 2021

Enhancing Event Log Analysis with EvtxECmd using KAPE

How much time are you spending manually parsing and sorting through event logs? With EvtxECmd, digital forensics professionals can optimize Windows event log analysis through its unique mapping feature. Created by Eric Zimmerman, EvtxECmd can be called via the EZParser Module in KAPE (another tool created by Eric Zimmerman) to process thousands of events in seconds and create structured CSV files that are much easier to read and manipulate.

In this session, Kroll’s Andrew Rathbun demonstrates how to run EvtxECmd through KAPE to expedite event log analysis and how to create your own custom Maps. 

Watch the Webcast Replay

Enhancing Event Log Analysis with EvtxEcmd using KAPE

This webcast covers:

  • Understand the basic KAPE workflow with the EZParser Module that calls EvtxECmd 
  • The general outputs from EZParser and how they are formatted 
  • How EvtxECmd’s unique mapping feature works 
  • What a Map looks like with EvtxECmd and how to create one on your own

Tools used in this session: 


Download Webcast Slides 

Notable Passages From Andrew Rathbun During the Presentation

On Application Logs 

Using Timeline Explorer, you can filter on the Application event log using the column header filter in the Channel column. As you can see me scrolling within the Providers column header drop down box, you can see all the different Providers that are logging events into the Application log. The Application event log is a great example of where many different and unrelated programs, services, etc. log events in the same location.

KAPE Event log analysis 

On Maps

The secret sauce for Eric’s EvtxECmd tool is Maps. Maps are used by EvtxECmd to extract data from parsed event logs and display the data into an easily digestible format (CSV) within various columns. Those columns are Map Description, Username, Remote Host, PayloadData1 through PayloadData6 and ExecutableInfo. These columns are proprietary to EvtxECmd’s outputed and not in any way related to how Windows records event log data.

Even though anyone can make a Map, ideally you want only the most useful Maps because there’s hundreds of events out there, but a lot of the events don’t record any data at all. 

On Lookup Tables

A Lookup Table is basically the data that is logged in the event data, looks like just a hex value, doesn't mean anything to me, probably doesn't mean anything to you, but it means something to Windows. And basically, we can take this value, translate it to “username is correct but the password is wrong,” and that is what will show up rather than the hex value on our CSV output when we are using EvtxECmd.

A Lookup Table is most commonly used to convert machine readable data logged within an event log into human readable data. Often, these values are recorded as what appears to be Hex values that, on the surface, don’t mean anything to you and I, but it means something to Windows. Using Microsoft’s official documentation, we can have EvtxECmd look up the meaning of the values that Windows records within certain event logs and translate it to something more meaningful. In this example, we can take this value, which looks like a Hex value, and translate it to “username is correct but the password is wrong,” and this is what will show up rather than the Hex value in our CSV output when we parse with EvtxECmd.

On Event Log Analysis with Maps

In this example, I parsed an event log dataset twice, once with an updated set of Maps, and again with the Maps folder deleted. Without Maps, you can see the aforementioned columns are not being used. Even though the columns aren’t populated with event log data, the data will always exist in the Payload column all the way to the right of the CSV. Looking at the example with Maps, you can see all the high fidelity, low hanging fruit, most important data of each event being put in the various columns by the Maps.

Event Log analysis without Maps

Enhancing Event Log Analysis with EvtxEcmd using KAPE

Event Log analysis with Maps

Enhancing Event Log Analysis with EvtxEcmd using KAPE

On Creating Custom Maps

In order to make your own Maps, you need to convert the EVTX to XML. And the way to do that is by running a command, just like you're going to parse with EvtxECmd, you would run EvtxECmd.exe-f then path to it. And then --CSV, or you'll just switch it to --XML and it'll output and XML.

evtxecmd.exe -f “path\to\evtx\file” --xml “output\path” 

At the bottom of every single Map there's documentation that also includes an example of the event. If you're working cases and you find an event that doesn't have a Map and you want to make a Map for it, you can scrub that event data by changing some of identifying data from the sou, and then just paste it in there.

Each of the Maps are a resource for learning about that event, so if there's any sort of blog posts, any sort of forum posts, any sort of YouTube video that's about that particular event, it should be at the bottom of every single Map in the Documentation section.

On Key Takeaways

The Maps are only as good as the author made them out to be. For instance, when you're dealing with the Regex examples, if you're not getting expected output, you may want to go look at the Map itself and see what the actual Regex is doing.

With regards to Microsoft Windows Partition-Diagnostic:1006, there's just no way you can organize and fit 80 different values of data into the PayloadData1 through PayloadData6 columns and maybe some overflow into Username, Remote Host, and Executableinfo. There's still so much that you're going to miss. The Payload column will always be worth examining to see all the data a particular event records.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

Kroll Responder

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.