Vestige Views

LogParser is your friend

Posted by Greg Kelley on Monday, 05 September 2011 in Technical

At one of our recent Tech Meetings (some background: Vestige holds bi-weekly 30-60 minute Tech Meetings where we train on a topic, as part of our continuing education program) I presented on LogParser (http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx). It is a free tool from Microsoft and is very handy for parsing event logs and web server logs, and for traversing file systems to get directory listings.

It is a command line driven application that uses SQL syntax to pull various fields out of different objects and then output the data in another format. CSV is my favorite output format because I can then bring it into my database of choice. Sure, I could write a DTS package in SQL Server for a specific input file type, but why reinvent the wheel?

For those of you who are dismayed that GSI removed the reporting of the record number from their Event Log Parser script, LogParser will pull that information from the event logs. If you get the standard "event log is corrupt" message when opening a log, I recommend FixEvt (http://murphey.org/fixevt.html).

For those of you who have to parse through gigs and gigs of IIS log files, you can use LogParser to pull out just those records you are interested in. Maybe you just want the 400s or 500s, or maybe you are only looking for records from certain IP addresses. You can also produce charts as output, which is great for presentations or for looking analytically at, say, the most viewed webpages on the site in question.

What I really like using LogParser for is traversing file systems. You can recurse or not through a specific folder structure and you can grab data such as filenames, full path, MAC dates, attributes and even some of the internal metadata that is displayed when you right click on a file in Explorer and click on "Properties". You can also calculate MD5 hashes for each file. Neat, huh?

In testing, I found that even when you are calculating the MD5 hash of a file, the file's last access date is not modified. However, when traversing folders for information, the last access date of a folder is modified. Ah, but that is where someone got smart and provided a "preserveLastAccTime" parameter for LogParser. Set it to "On" and none of that data is altered. There is also another parameter that allows you to capture the MAC dates in UTC. So here is another good option for collecting file information from a computer if you cannot image it (such as a server that the owner does not want shut down).
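The three uses described above (event log record numbers, filtering and charting IIS logs, and a file system collection with MD5 hashes that leaves last-access times alone) as added example command lines; these are not from the original post, and the drive letters, folder names, output files and the client IP 203.0.113.5 are placeholders.

```batch
REM Added example (not from the original post): LogParser 2.2 command lines for the
REM three uses discussed above. All paths, file names and the IP address are placeholders.

REM 1. Event log: pull the record number (which GSI's script no longer reports) plus the
REM    basics from an exported .evt file into CSV. -i:EVT selects the event log input format.
LogParser -i:EVT -o:CSV "SELECT RecordNumber, TimeGenerated, EventID, SourceName, ComputerName, Message INTO C:\case\security_events.csv FROM C:\case\SecEvent.evt"

REM 2. IIS logs: keep only 4xx/5xx responses from one client IP across a whole directory of
REM    W3C logs (the wildcard in FROM reads every matching file in one pass).
LogParser -i:IISW3C -o:CSV "SELECT date, time, c-ip, cs-method, cs-uri-stem, sc-status, sc-substatus INTO C:\case\errors.csv FROM C:\case\logs\ex*.log WHERE sc-status >= 400 AND c-ip = '203.0.113.5'"

REM    The same logs as a chart of the ten most requested pages. CHART output needs the
REM    Microsoft Office Web Components on the analysis machine, so run this on your
REM    workstation against copied logs, not on the server being examined.
LogParser -i:IISW3C -o:CHART -chartType:BarClustered -groupSize:800x600 "SELECT TOP 10 cs-uri-stem, COUNT(*) AS Hits INTO C:\case\top_pages.gif FROM C:\case\logs\ex*.log GROUP BY cs-uri-stem ORDER BY Hits DESC"

REM 3. File system collection: recurse the whole tree (-recurse:-1), record path, size,
REM    attributes, the MAC dates in UTC (-useLocalTime:OFF) and an MD5 per file, while
REM    leaving the folders' last-access times untouched (-preserveLastAccTime:ON).
REM    Write the CSV to your own removable drive, never to the volume being collected.
LogParser -i:FS -recurse:-1 -preserveLastAccTime:ON -useLocalTime:OFF -o:CSV "SELECT Path, Name, Size, Attributes, CreationTime, LastWriteTime, LastAccessTime, HASHMD5_FILE(Path) AS MD5 INTO E:\collection\fileinfo.csv FROM D:\Data\*.*"
```

Leave INTO out of any of these queries and LogParser prints the rows to the console instead, which is a quick way to check a WHERE clause before committing to a multi-gigabyte run.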

There is an install package for the application, but all it does is copy files to a folder on your computer. You can copy that folder structure to a CD/DVD or USB drive, plug it into the computer you are collecting from, and not have to run any installation routine. There is also a DLL that you can call from VB, C++, C# or the programming tool of your choice. Some people have already done that, and there are GUI wrappers available on the internet.

The help file is great: just enough information but not too much (unlike some Microsoft help files, in my opinion). Did I say that this application is free?

As a co-founder of Vestige and its current CTO, Greg is instrumental to Vestige’s forensic and e-Discovery services. Greg’s responsibilities include overseeing day-to-day operations and the internal Information Systems infrastructure, and performing, as well as helping to manage, the computer forensic investigations carried out by Vestige.

Greg has over a decade of experience working in the computer industry. Greg’s various positions and responsibilities have included custom software design and implementation, network management and security, database programming, disaster recovery and end-user support. For the past several years Greg has helped Vestige and its predecessors become one of the few companies capable of performing computer forensic investigations. Greg has worked on criminal and civil litigation covering areas such as intrusion and incident response, intellectual property theft, fraud and uncovering assets. Greg has testified in State and Federal court in both civil and criminal cases.

Greg holds the professional designations of EnCase Certified Examiner and Digital Forensics Certified Practitioner. He is an active participant in the computer forensics industry, having spoken at conferences such as Techno Forensics, ISS World, CEIC and PFIC.

While headquartered in Cleveland, Ohio, Vestige supports litigation across the United States. Much of our work does come from the Great Lakes Region, including Ohio, Pennsylvania, Indiana, Michigan and Illinois, but we routinely support cases on a nationwide (and international) basis.
