The steps for event log analysis with FullEventLogView are as follows:
- The first thing you should do after starting the tool is choose the data source. To do this, go to File - Choose Data Source, or just press F7. As you can see in the following figure, there are three options available:
-
- Loading logs from the computer you are running the tool on
- Loading logs from a remote computer
- Loading logs from a folder you previously exported (from a forensic image, for example)
Figure 7.8. Choosing data source in FullEventLogView
- By default, FullEventLogView shows events only from the last 7 days. If you need a longer period, go to Options - Advanced Options (or press F9), and choose Show events from all times. You can also choose a time period to show, both in local time and GMT, and filter event logs by level, event ID, provider, and channel.
Figure 7.9. FullEventLogView Advanced Options
- Once you have applied all the filters you need and chosen the data source, you will see all the available event logs in the main window of FullEventLogView. This is shown in the following figure:
Figure 7.10. Viewing event logs from a folder exported from an image
An examiner can sort the logs by any column available. Also, you can search through the logs: go to Edit - Find, or just press Ctrl+F.