ParseEvtx parses Windows Event Logs (.evtx files) and displays the results in Autopsy. The plugin uses "export_evtx.exe" to parse the Event Logs into an SQLite database, which it then reads to populate the case.
The parser can be run across all Event Logs at once, or you can select individual Event Logs to process.
The output is displayed under Data Artifacts (Extracted Content in older Autopsy releases) in the main Autopsy window.
This section covers the two ways to install the ParseEvtx plugin: manually from the plugin ZIP, or with the installer.
- To install manually, first download the ZIP file containing all of the plugins. This ZIP bundles a number of Autopsy plugins, not just ParseEvtx.
- Unzip the ZIP file.
- Move the folder named Process_Evtx into the Autopsy Python plugin directory.
- To find the plugin directory, choose Tools > Python Plugins from the Autopsy menu; this opens the folder the Process_Evtx folder should be copied into.
- Restart Autopsy if it is running, so the new plugin is loaded.
- Alternatively, download the installer.
- Run the installer and follow the prompts.
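The manual install steps above (download the all-plugins ZIP, unzip it, copy the Process_Evtx folder into the directory that Tools > Python Plugins opens) as a script. This is an added example, not code from the plugin or its repository. The default plugin directory (%APPDATA%\autopsy\python_modules) is an assumption, as are the file names in the constructed sample bundle. Because the bundle is downloaded from the internet, the script extracts only the Process_Evtx folder and refuses ZIP entries whose path would land outside it (zip-slip), checking every entry before writing anything.

```python
"""Scripted version of the manual ParseEvtx install: pull only the Process_Evtx
folder out of the all-plugins ZIP and copy it into Autopsy's Python plugin
directory. Added example; not code from the plugin repository."""
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed default: the per-user plugin folder that Tools > Python Plugins opens
# on Windows. Pass plugin_dir explicitly if your Autopsy install differs.
DEFAULT_PLUGIN_DIR = Path(os.environ.get("APPDATA", "")) / "autopsy" / "python_modules"
PLUGIN_FOLDER = "Process_Evtx"  # folder name used in the install steps above


def install_plugin_from_zip(zip_path, plugin_dir=DEFAULT_PLUGIN_DIR,
                            folder_name=PLUGIN_FOLDER):
    """Extract <folder_name>/... from zip_path into plugin_dir.

    Only that folder is extracted (the ZIP bundles several plugins), and every
    member is checked to land inside plugin_dir/<folder_name>; entries using
    '..' or absolute paths (zip-slip) raise ValueError before anything is written.
    Returns the relative POSIX paths of the files written, sorted.
    """
    plugin_dir = Path(plugin_dir).resolve()
    dest_root = plugin_dir / folder_name
    prefix = folder_name + "/"
    with zipfile.ZipFile(zip_path) as zf:
        members = [m for m in zf.infolist()
                   if m.filename.replace("\\", "/").startswith(prefix)]
        if not members:
            raise FileNotFoundError(f"{folder_name}/ not found in {zip_path}")
        # Validate all paths first so a bad entry cannot leave a half-installed plugin.
        targets = []
        for m in members:
            target = (plugin_dir / m.filename.replace("\\", "/")).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"refusing to extract {m.filename!r}: escapes {dest_root}")
            targets.append((m, target))
        written = []
        for m, target in targets:
            if m.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(plugin_dir).as_posix())
    return sorted(written)


def build_sample_bundle(zip_path, entries):
    """Write a ZIP with the given {member_name: bytes}. Used here only to build
    a constructed stand-in for the downloaded all-plugins bundle."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo():
    """Install from a constructed bundle into a temp directory.

    Returns (files written, True if the other plugin folder was skipped,
    True if a zip-slip entry in a second bundle was rejected without writing).
    """
    work = Path(tempfile.mkdtemp())
    plugin_dir = work / "python_modules"
    bundle = work / "Autopsy-Plugins.zip"
    build_sample_bundle(bundle, {
        "Process_Evtx/ParseEvtx.py": b"# plugin stub (constructed sample)\n",
        "Process_Evtx/export_evtx.exe": b"MZ",  # placeholder bytes, not the real tool
        "Other_Plugin/Other.py": b"# another plugin shipped in the same ZIP\n",
        "README.md": b"bundle readme (constructed)\n",
    })
    written = install_plugin_from_zip(bundle, plugin_dir=plugin_dir)
    other_skipped = not (plugin_dir / "Other_Plugin").exists()

    # A hostile bundle: the entry tries to climb out of the plugin directory.
    evil = work / "evil.zip"
    build_sample_bundle(evil, {"Process_Evtx/../../evil.py": b"print('owned')\n"})
    try:
        install_plugin_from_zip(evil, plugin_dir=plugin_dir)
        slip_rejected = False
    except ValueError:
        slip_rejected = not (work / "evil.py").exists()
    return written, other_skipped, slip_rejected


if __name__ == "__main__":
    print(demo())
```

Run it with the real bundle as `install_plugin_from_zip("Autopsy-Plugins.zip")`, then restart Autopsy as in the manual steps. Note that `zipfile.ZipFile.extractall` already sanitises member paths, but it would extract every plugin in the bundle; selecting members yourself means you must repeat the path check, which is why it is done explicitly here.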
- To run the plugin, right-click a folder in your data source and choose Run Ingest Modules.
- In the popup that appears, select ParseEvtx in the list of ingest modules.
- Choose which Event Logs you wish to process.
- To process Event Logs not in the list, type their names into the text field, separated by commas, and make sure the names are entered BEFORE ticking the Other checkbox.
- Click Finish.
- Your results appear under Extracted Content (Data Artifacts in newer Autopsy releases) in the main Autopsy window.