Windows event log files form a very important part of Windows system forensics. All the application, security, and system events in the event logs provide important information about any hardware, software, and system components, and monitor security events on a local or remote computer. In short, event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.
For example, events like valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files are very important for Windows forensic investigators. GrokEVT is one such Python implementation that helps you read Windows® NT/2K/XP/2K3 event log files.
It is a collection of python scripts that have been released under GNU GPL license. It does pretty much everything – extract the event records from the file, search the Registry for message files, then extract the message strings from the file. So, you see, it not only works with the Windows event log files (.evt), but also registry. So, when you have an image for a Microsoft Windows operating system you would want to perform a forensic investigation on, GrokEVT is the tool which will help you with it. It will surely help you to locate event records in on the disk, and provide you means to extract it.
Now, since this is an on going project, it has been reported to work only on Linux & FreeBSD as according to the authors tests, those are only the OS’es that natively allow case-insensitive filename mounting options. It will also work on Windows. You need software solutions like DD to work with.
All in all a very good python script. It does have a few dependencies though. You will need Python 2.3, RegLookup which must be in your $PATH and the ‘make’ program.
You can download the latest version – 0.4.1 here.
