http://www.microsoft.com/downloads/d...displaylang=en
Log Parser consists of three components: 1) the input engine, 2) the SQL query engine, and 3) the output engine. The input and output engines are what make this tool shine. When investigating network intrusions, you face logs from many sources, none of them compatible with any other. Log Parser can accept almost any common log format and write it out in one of many formats of your choosing, so when you are done you can combine all your disparate logs into one common format for analysis.
At any point in the process you can subject your logs to a query and narrow the data down to what is relevant. Many GUI tools provide filters, but even those that let the user build custom filters can't compare with the power of writing a custom SQL query in Log Parser.
As an intrusion investigator / forensic examiner, you are tasked with mastering many tools to get your work done. It would be nice if we only had to master a couple of tools, but that will never be the case. We can, however, limit the number of tools we use by making careful selections. Whenever one tool can handle multiple tasks instead of a separate tool for each, that should be your tool of choice. Log Parser fits this criterion: it can process and query all the common log formats, and it can also query the file system and the registry, including those of remote systems.
The best way to get to know this tool is to use it daily in the administration of your systems. Create batch files that run your SQL queries against your logs, add them to the scheduler, and have critical log reports sitting on your desktop each day when you come to work. Having learned the tool this way, you can apply those skills to its forensic uses. In the end you'll have better management of your systems and a forensic tool you'll find new uses for with every case you process.
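As an added example (not from the original post, and not Microsoft's own code), here is a PowerShell script that does what the paragraphs above describe: it runs one Log Parser query per input engine (Security event log, IIS W3C logs, file system), writes each result as CSV into a dated report folder, and can be dropped into the scheduler. It assumes Log Parser 2.2 at its default install path, IIS logs under C:\inetpub\logs\LogFiles\W3SVC1, and a Windows version that records failed logons as Security Event ID 4625 (Vista/2008 and later; older systems use 529). The report folder, thresholds, query text and the script path in the schtasks comment are the example's own choices; adjust them to your environment.

```powershell
# Added example: daily Log Parser report script (not from the original post).
# Assumes Log Parser 2.2 at its default install path; change if needed.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$ReportDir = Join-Path 'C:\Reports' (Get-Date -Format 'yyyy-MM-dd')
$IisLogs   = 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'   # assumed IIS log location
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Runs one Log Parser query with the given input engine and writes CSV output.
# The SQL is saved to a file and passed as file:<path>, so quoting inside the
# query never fights with PowerShell's own parsing.
function Invoke-LogParserQuery {
    param(
        [string]$Name,           # report name; used for the .sql and .csv files
        [string]$InputFormat,    # Log Parser input engine: EVT, IISW3C, FS, REG, ...
        [string]$Query,          # Log Parser SQL; the INTO clause is filled in here
        [string[]]$ExtraArgs = @()
    )
    $sqlFile = Join-Path $ReportDir "$Name.sql"
    $csvFile = Join-Path $ReportDir "$Name.csv"
    # The query text carries an {INTO} placeholder (this script's convention),
    # replaced with the Log Parser INTO clause naming the CSV output file.
    $sql = $Query.Replace('{INTO}', "INTO '$csvFile'")
    Set-Content -Path $sqlFile -Value $sql -Encoding ASCII

    $lpArgs = @("-i:$InputFormat", '-o:CSV', '-q:ON', "file:$sqlFile") + $ExtraArgs
    & $LogParser @lpArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Log Parser exited with code $LASTEXITCODE for report '$Name'"
    }
}

# 1) Security event log: accounts/sources with repeated failed logons in the
#    last 24 hours. Strings is the pipe-delimited insertion-string list; for
#    Event ID 4625, token 5 is TargetUserName and token 19 is IpAddress.
#    To read another machine's log, use FROM \\SERVER\Security instead.
$FailedLogons = @'
SELECT TO_STRING(TimeGenerated, 'yyyy-MM-dd') AS Day,
       EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
       EXTRACT_TOKEN(Strings, 19, '|') AS SourceAddress,
       COUNT(*) AS Failures
{INTO}
FROM Security
WHERE EventID = 4625
  AND TimeGenerated >= SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('1', 'd'))
GROUP BY Day, TargetUser, SourceAddress
HAVING COUNT(*) >= 5
ORDER BY Failures DESC
'@
Invoke-LogParserQuery -Name 'failed_logons' -InputFormat 'EVT' -Query $FailedLogons

# 2) IIS W3C logs: clients generating the most 404s in the last 24 hours,
#    a cheap indicator of directory brute-forcing or scanner traffic.
#    IIS W3C date/time fields are UTC, so the comparison is done in UTC too.
$IisScanners = @"
SELECT c-ip AS ClientIP,
       COUNT(*) AS NotFoundRequests,
       MIN(TO_TIMESTAMP(date, time)) AS FirstSeen,
       MAX(TO_TIMESTAMP(date, time)) AS LastSeen
{INTO}
FROM '$IisLogs'
WHERE sc-status = 404
  AND TO_TIMESTAMP(date, time) >= SUB(TO_UTCTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('1', 'd'))
GROUP BY ClientIP
HAVING COUNT(*) >= 50
ORDER BY NotFoundRequests DESC
"@
Invoke-LogParserQuery -Name 'iis_404_scanners' -InputFormat 'IISW3C' -Query $IisScanners

# 3) File system: executables and DLLs under System32 written in the last
#    24 hours. -recurse:0 limits the FS engine to the named directory.
$RecentBinaries = @'
SELECT Path, Size, CreationTime, LastWriteTime
{INTO}
FROM 'C:\Windows\System32\*.*'
WHERE (Name LIKE '%.exe' OR Name LIKE '%.dll')
  AND LastWriteTime >= SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('1', 'd'))
ORDER BY LastWriteTime DESC
'@
Invoke-LogParserQuery -Name 'recent_system32_binaries' -InputFormat 'FS' `
    -Query $RecentBinaries -ExtraArgs @('-recurse:0')

# Schedule it (run once from an elevated prompt; script path is an assumption):
#   schtasks /create /tn "Daily Log Parser reports" /sc daily /st 06:00 /ru SYSTEM ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Daily-LogReports.ps1"
```

All three reports land as CSV, which is the point of the common output format: the same files can be loaded back into Log Parser with -i:CSV and joined or re-queried during an investigation. Note that SYSTEM_TIMESTAMP() is local time while IIS W3C logs are UTC, hence the TO_UTCTIME() in the IIS query; the Security log and file timestamps are compared in local time.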