Acquisition

There are several methods that a responder can utilize in the acquisition of the Windows event logs. Ideally, log files should be sent to a SIEM, to allow the responders to search log entries across the enterprise. Unfortunately, many organizations face a significant hurdle in terms of storage costs with commercial, or even open source, platforms. As a result, they often avoid the cost of aggregating these logs by leaving storage to the local systems.

Since most of these logs are on the local system, responders will need to use techniques to gather them. The first of these techniques is to simply copy the event logs from the local system to some type of removable media. Simply navigate to the default directory C:\Windows\System32\winevt\Logs, and copy the pertinent logs. This method does require local access and a good deal of interaction with the local system. It is incumbent on the responder to document every action they took on the system, for proper reporting.

Responders also have the option of scripting the acquisition of log files through simple batch scripts. The acquisition can take place along with other actions to acquire evidence from a local system. For example, the following screenshot shows the acquisition of four Windows event log types from a local system:

These types of scripts can be run from a USB device or through remote sessions, thereby reducing the amount of interaction with the system.
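The screenshot referred to above is not reproduced here. The following batch script is an added example of the kind of acquisition script the text describes; it is not the book's script. It assumes the four channels to collect (Application, Security, System and the PowerShell Operational log), that it is run from an elevated Command Prompt on the removable device, and that the built-in wevtutil and certutil tools are available. Each export and its SHA-256 hash are written to an acquisition log so that the responder's actions are documented along with the evidence.

```batch
@echo off
setlocal
REM Added example (not from the book). Exports four Windows event log
REM channels with wevtutil and records SHA-256 hashes with certutil so the
REM acquisition is documented for the report. Channel list is an assumption.

REM %~dp0 is the directory holding this script, e.g. the USB device.
set "DEST=%~dp0evidence\%COMPUTERNAME%"
if not exist "%DEST%" mkdir "%DEST%"
set "LOG=%DEST%\acquisition.txt"

echo Acquisition started %DATE% %TIME% on %COMPUTERNAME% by %USERNAME% > "%LOG%"

REM Channel names may contain "/" which is not valid in a file name;
REM the :export subroutine replaces it with "-" for the output file.
for %%L in (Application Security System "Microsoft-Windows-PowerShell/Operational") do call :export %%L

echo Acquisition finished %DATE% %TIME% >> "%LOG%"
type "%LOG%"
endlocal
goto :eof

:export
set "CHANNEL=%~1"
set "FILE=%DEST%\%CHANNEL:/=-%.evtx"
REM wevtutil epl = export-log; exporting Security requires an elevated prompt.
wevtutil epl "%CHANNEL%" "%FILE%"
if errorlevel 1 (
    echo FAILED to export %CHANNEL% >> "%LOG%"
) else (
    echo Exported %CHANNEL% to %FILE% >> "%LOG%"
    echo SHA256 %FILE%: >> "%LOG%"
    REM Keep only the hash line from certutil's three-line output.
    certutil -hashfile "%FILE%" SHA256 | findstr /v /i "hash CertUtil" >> "%LOG%"
)
goto :eof
```

The resulting acquisition.txt gives the start and end time, the account and host used, and a hash for every exported .evtx file, which is what a reviewer needs to confirm that the copies examined later are the ones taken from the system.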

Chapter 5, Acquiring Host-Based Evidence, introduced the tool CyLR.exe for the local acquisition of evidence. One of the key sets of evidence that CyLR.exe acquires is the Windows event logs. As was previously indicated, these log files can be acquired from the local system and exported to a USB. Another option that will be explored in this section is the use of CyLR.exe to acquire Windows event logs and forward them to the Skadi log review platform. Skadi will be addressed later on in this section, but first, CyLR.exe will be run against a system, and the output sent to the Skadi server.

To acquire the log files from a local system and send them to a Skadi instance, proceed as follows:

  1. Open the Windows Command Prompt as administrator.
  2. Navigate to the directory where the CyLR.exe file is located.
  3. Enter the following command into the Command Prompt:
C:\Users\JSmith\Desktop>CyLR.exe -s 192.168.207.130:22 -u admin -p password

In the previous command, -s specifies the IP address or domain name (and port) of the remote system to which the CyLR.exe output is sent. In this case, the compressed evidence file will be sent to the system 192.168.207.130 via SFTP on port 22. The -u is the username of the account utilized to access the remote system, and, finally, -p is the password for that account.

  4. Just as with a local acquisition, CyLR.exe will run, and the following will be visible in the Command Prompt:

This remote capture technique can be accomplished via any remote access tool available. The one distinct advantage of this method is the ability to acquire log data along with the other evidence that CyLR.exe captures, and automatically forward it to a central repository. This central repository can be the Skadi instance, or simply an SFTP server that is configured to accept this data.

Depending on the incident, there may be a significant amount of data. In fact, it may be too much for a responder to examine manually. In those cases, it is necessary to triage that data to determine what log entries are most important.
