Monthly Archives: January 2014

Extracting user login events from Security.evtx with Log Parser [Updated!]

UPDATE – At the bottom of the page, I have included an Excel macro to help clean up the CSV output from Log Parser. Investigations usually center around what was happening, and when. In a corporate environment, things can sometimes get turned …
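As an added illustration of the technique the post title names (this is not the post's own query, and the post's query is not reproduced on this archive page), the following PowerShell wrapper runs a Log Parser 2.2 query over an offline Security.evtx and writes successful logon events to CSV. It assumes LogParser.exe is on the PATH, that the log came from Vista/Server 2008 or later (so successful logons are EventID 4624), and that the pipe-delimited Strings field of 4624 carries the insertion strings in the documented order (token 5 = target user name, token 8 = logon type, token 18 = source address); the file paths are constructed for the example.

```powershell
# Added example, not code from the original post. Assumptions: LogParser 2.2 on PATH,
# Security.evtx from Vista/2008 or later (EventID 4624 = successful logon), and the
# documented 4624 insertion-string order, so that within the pipe-delimited Strings
# field token 5 is TargetUserName, 6 TargetDomainName, 8 LogonType, 11 WorkstationName
# and 18 IpAddress. Paths below are constructed placeholders.
$evtx = 'C:\cases\host01\Security.evtx'
$out  = 'C:\cases\host01\logons.csv'

# Logon types 2 (interactive) and 10 (remote interactive) are usually the first ones
# an investigator wants; widen or drop the IN list to see service/network logons too.
# Log Parser's IN list uses ';' as the separator, not ','.
$query = @"
SELECT TimeGenerated,
       EventID,
       ComputerName,
       EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
       EXTRACT_TOKEN(Strings, 6, '|')  AS TargetDomain,
       EXTRACT_TOKEN(Strings, 8, '|')  AS LogonType,
       EXTRACT_TOKEN(Strings, 11, '|') AS Workstation,
       EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP
INTO '$out'
FROM '$evtx'
WHERE EventID = 4624
  AND EXTRACT_TOKEN(Strings, 8, '|') IN ('2'; '10')
ORDER BY TimeGenerated
"@

# -i:EVT reads .evt/.evtx through the Windows event log API on the analysis box;
# -o:CSV writes the file named in the INTO clause.
& LogParser.exe -i:EVT -o:CSV -stats:OFF $query
```

Selecting individual tokens rather than the full Message field keeps each event on one CSV row (Message contains embedded line breaks, which is one reason the raw output needs post-processing in Excel). TimeGenerated is rendered in the local time of the machine running Log Parser, so note that offset when the log was collected from a host in another timezone.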

Posted in Uncategorized

Windows Reliability Monitor Forensic Artifacts [Updated!]

As a follow-up to my earlier post on Reliability Monitor analysis, I have finished updating the ParseRacWmi tool to include the ability to parse the new Wmi.db format used by Windows 8.1. You can download the tool here (SQL …

Posted in Uncategorized

Windows 7 Reliability Monitor Forensic Artifacts

The ParseRacWmi tool mentioned here has been updated! See this post for more information. ————————————- The Windows Reliability Monitor is a tool that runs by default on all editions of Windows 7 and 8, as well as Vista and Server …

Posted in Uncategorized | 3 Comments

Timezone adjustment in Excel

One problem for any organization that spans timezones is reporting on log information. For example, my organization collects web proxy logs across the US and Europe. All of these logs are pulled into a central repository (Splunk – one of …

Posted in Uncategorized