Following on from the previous [DFIR TOOLS] posts.
- [DFIR TOOLS] Timeline Explorer, what is it & how to use!
- [DFIR TOOLS] AmcacheParser, what is it & how to use
- [DFIR TOOLS] AppCompatCacheParser, what is it & how to use!
- [DFIR TOOLS] bstrings, what is it & how to use!
This time we we are going to talk about one of my favourite tools EvtxECmd.
So, what does Mr Zimmerman say about it:-
But it is way more than just that, coupled with ‘Timeline Explorer’ it is a ridiculously powerful tool.
Before I get into it there is a fantastic video by my friend Richard/Mr 13 Cubed that I urge you to watch as he explains it all better than I ever could.
What is EvtxECmd?
Well, as you can see if the video above it parses the event logs into a more usable format like CSV so we can load it into a viewer like ‘Timeline Explorer’ for investigation, because it is in ‘Timeline Explorer’ we can then dig down like into the Event ID and Login Type etc.
I won’t go over what has already been written by Zimmerman himself so check out his posts:-
http://windowsir.blogspot.com/2019/05/evtxecmd.html
https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html
Regards
Alex