You can download it here
Quick Log is a simple tool to visualize Windows logs in EVTX format, organized according to this work: https://cybersecuritynews.com/windows-event-log-analysis/ and designed for digital forensics courses using open-source tools, taught at Internet Solutions S.A.S, Bogotá, Colombia. It requires Windows 10 64-bit and a resolution of 1920x1080.
Logs are organized into workspaces.
A workspace is a "container" of logs that can contain one or more .evtx files from one or more machines running Windows. Before you can start viewing logs, you must create a new workspace or open a previously created one. By default, a newly created workspace does not contain log files; you must add logs after creating the workspace. Additional logs can always be added. A workspace can also be opened to continue reviewing logs and can be closed when necessary.
During log acquisition, Windows logs are read, and the most relevant fields are stored in a SQLite database. Once the reading and storage process is complete, the original log files are no longer needed, as the database will be used. Each log entry is a record in the database within the logs table, and each record contains the following fields with descriptive names:
TimeCreated, UserID, EventID, Machine, Level, LogName, EventMessage, EventMessageXML, and ActivityID.
TimeCreated:
The time the event was created. It is stored in UTC, so to establish the real local time you must take it from the log and convert it using the time zone of the evidence (the machine the logs came from).
UserID:
The security descriptor of the user whose context is used to publish the event. For detailed information on this topic, refer to: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn743661(v=ws.11)
EventID:
The event identifier.
Machine:
The name of the machine where this event was logged.
Level:
The event level. The level indicates the severity of the event.
LogName:
The name of the event log where this event is recorded.
EventMessage:
The event message in the current locale.
EventMessageXML:
XML representation of the event. All event properties are represented in the event XML.
ActivityID:
A globally unique identifier (GUID) for the ongoing activity with which the event is associated.
The first three elements are for:
- Previewing
- Acquiring one or more log files
- Acquiring all .evtx files within a folder or path, which allows logs from several machines to be added at once, for example when each machine's logs are kept in a subfolder of a main folder.
From the fourth element onward, events are categorized into areas of interest based on the work shown here with author credits to Forward Defence.
Displays logs according to the category selected in Basic Filters. Clicking on any row will display the full information in the text box on the right.
Displays the content of the selected row, allows search results to be highlighted, and enables comfortable reading of log content.
Options to create, delete, and assign labels, as well as to create, update, and delete comments.
Before you can use labels, you must create them using the Label Manager.
Now, simply click on the blank cell in the "Name" column.
Select a color in the "Color" column.
And then click "Save".
Now you can close the Label Manager window and return to it whenever you need to create or delete labels.
To apply labels, you must select the log or logs to which you want to apply the label.
Just click on each row or log to select it. Use the Ctrl or Shift keys to select multiple logs at once, just like in Windows Explorer.
Select multiple logs in a row by holding Shift.
Or by holding the Ctrl key, just like in Windows Explorer.
Now that you have selected the log or logs, simply click on "Add Label".
You will see a window with the labels created in the Label Manager:
Simply select the label you want to apply using the same selection method as for the logs, and click "Set Label".
Once the label is applied, it will look like this:
To add comments, select the log (only one) you want to add a comment to and click "Add Comment".
Use the text box to enter the comment you need.
Make sure to click "Save Comment".
Options to export the logs currently displayed in the log table to PDF or CSV.
Keep in mind that a comma-separated file (CSV) may cause issues when importing it into tools like LibreOffice or Excel. This is because the fields EventMessage and EventMessageXML may contain commas, which can lead to incorrect field separation.
For this reason, when exporting logs to CSV, the separator used is three consecutive asterisks:
***
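As an added example (not part of Quick Log), the parser below splits a ***-separated export, rejects rows whose field count does not match the header, and re-emits the good rows as standard quoted CSV that LibreOffice or Excel import correctly; the header row, the column order and the sample rows are assumptions.

```python
import csv
import io

# Quick Log exports use three consecutive asterisks as the field separator.
# Assumptions: a header row is present and the columns follow the database
# fields listed in the documentation.
SEPARATOR = "***"

# Constructed sample export, not real evidence. The second row's EventMessage
# contains commas (the case that breaks plain "," CSV); the third row has
# "***" inside its message and therefore cannot be split safely.
SAMPLE_EXPORT = """TimeCreated***UserID***EventID***Machine***Level***LogName***EventMessage***EventMessageXML***ActivityID
2024-03-05 14:01:31***S-1-5-18***7036***WS01***4***System***The Windows Update service entered the running state.***<Event><EventID>7036</EventID></Event>***
2024-03-05 14:01:40***S-1-5-18***5615***WS01***4***WMI-Activity***WMI provider started, parameters: a, b, c***<Event><EventID>5615</EventID></Event>***{6AB8C3D1-0000-0000-0000-000000000001}
2024-03-05 14:02:00***S-1-5-18***1000***WS01***2***Application***Fault bucket ***, type 0***<Event/>***
"""

def parse_quicklog_export(text, separator=SEPARATOR):
    """Split a Quick Log export on its separator; return (rows, rejected).
    A row whose field count differs from the header is reported with its
    line number and field count instead of being loaded, because a
    misaligned row would put message text into columns such as EventID."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(separator)
    rows, rejected = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        parts = line.split(separator)
        if len(parts) != len(header):
            rejected.append((lineno, len(parts)))
            continue
        rows.append(dict(zip(header, parts)))
    return rows, rejected

def to_rfc4180_csv(rows):
    """Re-emit rows as standard comma-separated CSV with every field quoted,
    so LibreOffice or Excel keep commas inside EventMessage in one cell."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]),
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    parsed, bad = parse_quicklog_export(SAMPLE_EXPORT)
    print(f"{len(parsed)} rows parsed; rejected (line, fields): {bad}")
    print(to_rfc4180_csv(parsed))
```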
Allows you to create a filter based on the timestamp of two logs, taking the earliest timestamp as the lower limit and the latest timestamp as the upper limit.
For example, this can be used to view all logs generated during a user's session.
First, select the two logs you want to use for the time range filter. Then, click the "Time Range" button.
You can also create a time filter for a specific number of minutes around an event's timestamp.
For example, if an event occurred at 14:01:31 and we use the "Minutes Around" option with 1 minute, it will filter all events between one minute before and one minute after, meaning from 14:00:31 to 14:02:31.
Displays operation messages.
Allows granular filtering of any field in each log.
Keep in mind that basic filters only display categorized events.
Basic custom filters can be created, including text search options; this text will be searched in the EventMessage and EventMessageXML fields.
Filters can be applied to all log fields. The search logic works as follows:
- Between different fields, the search applies an AND operation.
- Within the same field, it applies an OR operation.
For example, to search for all logs with EventID 5615, regardless of any other condition, the query would be:
If we add another condition, for example, the user S-1-5-18, the search will combine both conditions using an AND operator.
This means it will find all logs where the user is S-1-5-18 AND the EventID matches.
Now, let's say we want to get all logs where the user is S-1-5-18 and the EventID is 5615 or 5617.
We can add one more condition, for example that the log must contain the word Management.
This way, you can customize the filter to make it more granular and specific.
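The field filters described above, together with the Time Range and Minutes Around filters, can be expressed as a single query over the SQLite logs table. This added example is not Quick Log's own code: it builds such a query following the AND-between-fields / OR-within-a-field rule, and the column types, the timestamp format and the sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Quick Log stores the extracted fields in a SQLite table named "logs"; the
# column types and the "YYYY-MM-DD HH:MM:SS" UTC format are assumptions here.
SCHEMA = """CREATE TABLE logs (TimeCreated TEXT, UserID TEXT, EventID INTEGER, Machine TEXT,
  Level INTEGER, LogName TEXT, EventMessage TEXT, EventMessageXML TEXT, ActivityID TEXT)"""
COLUMNS = {"TimeCreated", "UserID", "EventID", "Machine", "Level", "LogName",
           "EventMessage", "EventMessageXML", "ActivityID"}
TS = "%Y-%m-%d %H:%M:%S"
SAMPLE_ROWS = [  # constructed sample records, not real evidence
    ("2024-03-05 14:00:10", "S-1-5-18", 5615, "WS01", 4, "WMI-Activity",
     "Windows Management Instrumentation service started", "<Event/>", ""),
    ("2024-03-05 14:01:31", "S-1-5-18", 5617, "WS01", 4, "WMI-Activity",
     "Provider stopped", "<Event/>", ""),
    ("2024-03-05 14:02:20", "S-1-5-21-1-2-3-1001", 5615, "WS01", 4,
     "WMI-Activity", "Windows Management Instrumentation service started",
     "<Event/>", ""),
]

def build_filter(fields, text=None, time_range=None):
    """Values of one field are OR'ed, different fields AND'ed, a text term must
    occur in EventMessage or EventMessageXML. Column names are allow-listed since
    they are interpolated into the SQL; values travel as bound parameters."""
    clauses, params = [], []
    for name, values in fields.items():
        if name not in COLUMNS:
            raise ValueError(f"unknown column: {name}")
        clauses.append("(" + " OR ".join([f"{name} = ?"] * len(values)) + ")")
        params.extend(values)
    if text:
        clauses.append("(EventMessage LIKE ? OR EventMessageXML LIKE ?)")
        params += [f"%{text}%"] * 2
    if time_range:  # (lower, upper): from two selected logs or minutes_around()
        clauses.append("TimeCreated BETWEEN ? AND ?")
        params += list(time_range)
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT TimeCreated, EventID FROM logs WHERE {where} ORDER BY TimeCreated", params

def minutes_around(timestamp, minutes):
    """'Minutes Around' bounds: 14:01:31 with 1 minute -> 14:00:31 .. 14:02:31."""
    t, d = datetime.strptime(timestamp, TS), timedelta(minutes=minutes)
    return (t - d).strftime(TS), (t + d).strftime(TS)

def run_filter(fields, text=None, time_range=None):  # in-memory DB with sample rows
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO logs VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    sql, params = build_filter(fields, text, time_range)
    return con.execute(sql, params).fetchall()
```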
Searches within the EventMessage or EventMessageXML fields and allows the use of logical operators AND and OR.
For example, you can search for: -1001
Or search for: -1001 AND logontype'>2<
It will find matches whether AND or OR conditions are used within the EventMessage or EventMessageXML fields.
You can also use regular expressions (RegExp) for searching by enabling the Regexp option.
In the example above, -100[12].*?LogonType'>2<', we are searching for -1001 or -1002, followed by:
- Any character (.)
- Any number of times (*)
- That may or may not be present (?)
- Then LogonType'>2<'
This allows us to find all interactive logins for users 1001 and 1002.
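As an added example, not Quick Log's code, this small evaluator applies the plain AND/OR text search and the Regexp mode to constructed 4624-style event XML. It assumes case-insensitive matching and one operator per query, and uses the pattern -100[12].*?LogonType'>2< (the trailing apostrophe shown above is read as closing punctuation).

```python
import re

# Constructed records modelled on the Security 4624 event XML (single-quoted
# attributes, as Windows renders event XML); not copied from a real machine.
RECORDS = {
    "A": "<Data Name='TargetUserSid'>S-1-5-21-1-2-3-1001</Data><Data Name='LogonType'>2</Data>",
    "B": "<Data Name='TargetUserSid'>S-1-5-21-1-2-3-1002</Data><Data Name='LogonType'>3</Data>",
    "C": "<Data Name='TargetUserSid'>S-1-5-21-1-2-3-1002</Data><Data Name='LogonType'>2</Data>",
    "D": "<Data Name='TargetUserSid'>S-1-5-21-1-2-3-1003</Data><Data Name='LogonType'>2</Data>",
}
MESSAGE = "An account was successfully logged on."  # same EventMessage for all

def text_match(query, message, xml, regexp=False):
    """Evaluate one text-search query against a record's EventMessage and
    EventMessageXML. Plain mode splits the query on AND or OR (one operator
    per query, case-insensitive matching: both are assumptions, since the
    documentation searches 'logontype' against 'LogonType'). Regexp mode
    treats the whole query as one regular expression."""
    haystack = message + "\n" + xml
    if regexp:
        # re.search finds the pattern anywhere in the text; '.*?' is the
        # lazy form of '.*' and stops at the first 'LogonType' that follows.
        return re.search(query, haystack, re.IGNORECASE | re.DOTALL) is not None
    if " AND " in query:
        terms, combine = query.split(" AND "), all
    else:
        terms, combine = query.split(" OR "), any
    return combine(t.strip().lower() in haystack.lower() for t in terms)

def find_matching(query, regexp=False, records=RECORDS, message=MESSAGE):
    """Sorted record ids whose EventMessage/EventMessageXML satisfy the query."""
    return sorted(k for k, xml in records.items() if text_match(query, message, xml, regexp))

if __name__ == "__main__":
    print(find_matching("-1001"))                                   # ['A']
    print(find_matching("-1001 AND logontype'>2<"))                 # ['A']
    print(find_matching("-1001 OR -1002"))                          # ['A', 'B', 'C']
    print(find_matching(r"-100[12].*?LogonType'>2<", regexp=True))  # ['A', 'C']
```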
The progress bar displays the loading progress of logs into the database as well as the log processing status.
The basic process involves loading one or multiple logs (usually all) from one or multiple machines, then searching for logs related to activities of interest, adding labels and comments, and finally creating a timeline of sessions or significant events, arranging them in chronological order.
The first step is to create a workspace.
Next, add logs using the "Acquire Logs" option for individual or multiple files, or use "Process Log Folder" to process all .evtx files inside a folder.
The logs will be stored in the database and classified based on predefined categories.
At the end of the process, all logs will be classified, and users found in the logs will be displayed.
The compiled program can be executed from a USB drive, external disk, or network folder without requiring installation.