Events-Ripper/usage.txt at main · keydet89/Events-Ripper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Usage
  To use Events-Ripper, start by creating the events file. Copy/extract Windows Event Log *.evtx files to a
  central location, and then use the included wevtx.bat to create an events file:

  wevtx.bat c:\case\*.evtx c:\case\events.txt

  Note that wevtx.bat relies on LogParser, which is included here, but also available from Microsoft. Wevtx.bat
  also uses evtxparse.exe, which (along with it's .pl source code) is also included in this distribution. The
  batch file does not do any error checking, so if wevtx.bat "fails" for some reason, try removing some of the
  *.evtx files.

  You can then add other timeline events data, using any of the tools in the Tools repository to this Github.

  Once you've completed adding data to the events file, and you're ready to parse the events file into a
  timeline (or following doing so), you can easily create additional context/pivot points by running erip.exe.

  Similar to RegRipper, you can run a single plugin against the events file:

  erip -f c:\cases\events.txt -p failedlogins

  Or, you can run *all* plugins (you're so very welcome, Dray) against the events file:

  erip -f c:\cases\events.txt -add

  You can also list all of the plugins available:

  erip -l

  You can also list the plugins in CSV format:

  erip -l -c

  Simply redirect the output to a file, and open that file in Excel.