grokevt

Grokevt provides a suite of tools designed for forensics investigations involving Microsoft Windows event logs. The scripts work together on mounted Windows partitions to gather necessary components like registry entries, message templates, and log files, enabling conversion of binary event logs into human-readable output. This is particularly useful for analyzing system activity in forensic contexts.

The toolset includes utilities for building databases from Windows systems, parsing logs into CSV, extracting messages from DLLs, finding log fragments in memory dumps or disk images, and managing databases. It supports workflows where a database is first constructed from a target system, then used to decode multiple event logs.

Primarily targeted at incident response and digital forensics, grokevt aids in reconstructing timelines and events from Windows environments without needing the original system running.

Grokevt operates by first building a database tree using grokevt-builddb from a mounted Windows system's registry, message files, and templates. This database captures message resources via grokevt-ripdll, which extracts from PE-formatted DLLs into message databases. Logs are then parsed with grokevt-parselog using this database to decode binary .evt files into CSV, replacing message IDs with human-readable text from RVA lookups. Additional tools like grokevt-findlogs scan raw binaries for log fragments, and grokevt-addlog incorporates new logs into existing databases.