grokevt(7)																grokevt(7)

NAME

       GrokEVT - a collection of scripts built for reading windows event log files.

DESCRIPTION

       This  document  serves as an overview to using the GrokEVT suite of tools. Please see the man pages for each tool for specific command-line
       options.

USING

       Using GrokEVT on a set of windows partitions is a three stage process. One must first mount the partitions and configure the system's  pro-
       file. Next, grokevt-builddb(1) must be run to extract the necessary information from these partitions.  Finally, grokevt-parselog(1) may be
       run to use this information to convert the logs to something useful.

       Mounting and configuration:

       This is the most labor-intensive step of the process. There are several technical reasons why this cannot be simpler, and  it  is  unlikely
       many will be resolved anytime soon. (Sorry, blame the vendor who produced these logs that you wish to convert.)

       First  mount  the  partitions  used  by your windows system.  Specifically, mount any partition that has software installed on it. (You can
       probably get away with not mounting ones with no software, or no software that produces events in the event log.)   This  includes  windows
       shares, if you have any with software installed on them.

       The  key  point	when  mounting partitions or shares, is that you must mount them with case-insensitive filenames. To do this in Linux, you
       should be able to use the NTFS option 'posix=0', or with type vfat this appears to be the default. On FreeBSD, one can use  the	-i  option
       with  NTFS  and mount_ntfs, but this hasn't been tested. (More research is necessary in this area. Please let me know if case-insensitivity
       is available on other *NIXes and what the options are.) All of this, of course, depends on your version of mount and related software.  See
       mount(8) for more information.

       Once  you  have all necessary filesystems mounted for your windows image, you need to configure GrokEVT so it knows where everything is. If
       you look in the main configuration directory, (by default at '/usr/local/etc/grokevt') you'll find a  sub-directory  called  'systems'.	In
       there  is  a  set  of system configuration profiles. Each directory under 'systems' represents the configuration for a single windows host.
       You may create directories here of any name. It is suggested you use the host name of the system you wish to extract logs from.

       By default, there will be one system configuration there already, named 'example'. I suggest you make a full copy of this, and edit it from
       there to create your own configuration:

	      # cd /usr/local/etc/grokevt/systems
	      # cp -r example mysystem

       Now that you have your own configuration, take a look at the files under this directory:

	      path-vars/%SystemRoot%
	      system-registry
	      drives/c:
	      drives/d:

       Each  file represents a single configuration setting. The first line of every file is the setting, all others are ignored. You should start
       by configuring your drive letters. These drive letters need to map to the *NIX path of the drives. So, if you  mounted  your  C:  partition
       under '/mnt/win/c', then you should do the following:

	      echo /mnt/win/c > drives/c:

       This will of course, overwrite that file with your actual mount point for the C: drive. Do this for all drives mounted on your windows sys-
       tem.

       Next, you need to configure your %SystemRoot% path variable.  Since the registry often references files in relation to  this  variable,	we
       need  to  know where it is on your system.  Typically, on W2K this should be 'C:WINNT'. On other windows systems it is often 'C:Windows'.
       This path may be referenced as a full windows path (with drive letters) or as a *NIX path.

       Finally, you need to set the path of the system registry. This path must be a *NIX path, and not a windows path. It should be located under
       your  %SystemRoot%.  For  instance,  if	you  mount  a  W2K machine's C: on '/mnt/win/c', this path will probably be: /mnt/win/c/WINNT/sys-
       tem32/config/system

       This will vary from system to system, but if you have ever done any forensics, you should be able to find the correct path pretty quickly.

       Using grokevt-builddb(1):

       Once you get past the mounting and configuration step, you're in good shape. To extract the necessary information from the system you  just
       mounted,  you  just  need  to  decide where you want to store the output database. Based on the example paths above, one could run grokevt-
       builddb(1) like so:

	      grokevt-builddb mysystem /var/db/grokevt/mysystem

       Or something similar. This step will take some time, as a lot of files need to be parsed. You will likely get some warnings  about  missing
       DLLs  and possibly service removals. This is normal if software on the windows system failed to clean up the registry correctly when it was
       un-installed. You might want to record this information though, if later you find you are missing a lot of message templates  in  your  log
       output.

       Now that you have finished this step, you have fully extracted all information needed to interpret the event logs.

       Using grokevt-parselog(1):

       To run grokevt-parselog(1), you must specify the database directory that you generated with grokevt-builddb(1). Initially, you will want to
       find out what event logs were extracted by running:

	      grokevt-parselog -l /var/db/grokevt/mysystem

       This will print out all available event log types, based on information found previously in the system's registry. Then you may view one of
       those logs simply by dropping the -l option, and adding it's name as the second parameter. For instance, to view the 'System' log:

	      grokevt-parselog /var/db/grokevt/mysystem System

       See the grokevt-parselog(1) man page for further options.

       Finding and Parsing Log Fragments:

       One  may find it useful to parse deleted log files or fragments of log files found in a system's RAM dump. A special-purpose tool, grokevt-
       findlogs(1) is included in this distribution which makes finding log fragments easy. It can find even a single log record by itself with  a
       relatively low rate of false positives.

       Suppose one has a file, dump.img, which contains an image of a system's RAM, or perhaps the unallocated blocks of a filesystem (as might be
       produced by The SleuthKit's dls(1)). One could search this dump by running:

	      grokevt-findlogs dump.img

       This will produce a listing of all hits in the file, which may include header records, cursor records, or log records, offsets and contigu-
       ity information to help one eliminate any false positives.

       Supposing we found a log fragment in this dump that we're interested in, we could simply use dd(1) or some other tool to carve out the rel-
       evant data in to a file named fragment.evt. We'd then need to find a way to associate this log with a set of message  templates.   This	is
       what  grokevt-addlog(1) is for. Let's take a guess that the fragment.evt was originally a part of System log. We would add the log into our
       previously built message database by running:

	      grokevt-addlog /var/db/grokevt/mysystem fragment.evt System-fragment System

       Finally, we can parse the log by simply specifying the newly imported name with grokevt-parselog(1):

	      grokevt-parselog /var/db/grokevt/mysystem System-fragment

       If we found that most of the log entries didn't have associated message templates (which would result in lots of warnings  to  stderr),	we
       would  be  pretty  that fragment.evt really wasn't based on a System log. Simply re-importing it as another log type (and a different name)
       would let us parse it again as if it were of another type.

       Please see the grokevt-findlogs(1) and grokevt-addlog(1) man pages for more information.

CREDITS

       This man page written by Timothy D. Morgan

LICENSE

       Please see the file "LICENSE" included with this software distribution.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY	WARRANTY;  without  even  the  implied	warranty  of  MER-
       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 2 for more details.

SEE ALSO

       grokevt-addlog(1) grokevt-builddb(1) grokevt-findlogs(1) grokevt-parselog(1) grokevt-ripdll(1) reglookup(1)

File Conversion Utilities					   20 March 2008							grokevt(7)