A little bash script for discovering the Windows 7 activity
Often during an investigation on a computer we need a quick answer about the activity of the machine itself, so we need a tool that tells us when the device was switched on and off. If we can take the file System.evtx, located in %SystemRoot%\System32\Winevt\Logs\System.evtx, we can export it in CSV format using some tools, or simply with the Event Viewer of our Windows machine.

Let's see what we obtain; this is a piece of the file, called system7.csv:

We can see that the second field is filled by the timestamp (date and time) and the fourth field is filled by the EventID number. At this point we can read the EventID and the timestamp and build a sort of timeline, choosing only the events for On, Off, Crash, Sleep and Awake. We can do this on a GNU/Linux OS or simply with Cygwin (http://www.cygwin.com/).

First of all we need to make a file containing the target events (one ",EventID," pattern per line, so that grep matches the EventID field and not a number that happens to appear inside another column):

$ echo ",12," > events.txt ----- the first entry needs only the ">" operator.
$ ec
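The procedure above, carried through as an added shell example (not the post's own script): it writes events.txt in the same ",EventID," form the post uses, filters the CSV export with grep -f, and turns the second field (timestamp) and fourth field (EventID) into an On/Off/Crash/Sleep/Awake timeline. Only EventID 12 appears on the page; the other IDs (13, 41, 42, 6005, 6006, 6008 and Power-Troubleshooter 1) are well-known Windows 7 System log IDs added here, and the CSV rows, the file name system7.csv and the date format are constructed for the example. The awk step also checks the Source column (field 3) for EventID 1, because that ID is used by many other sources and a bare ",1," pattern would match all of them.

```shell
#!/bin/sh
# Added example, not the post's own script.
# Constructed sample of an Event Viewer CSV export of System.evtx, in the
# column order the post describes (Level,Date and Time,Source,Event ID,...).
# The rows are made up for this example; 7036 is noise that must be dropped.
SAMPLE_CSV='Level,Date and Time,Source,Event ID,Task Category
Information,01/03/2012 08:12:01,Microsoft-Windows-Kernel-General,12,None
Information,01/03/2012 08:12:30,EventLog,6005,None
Information,01/03/2012 09:00:00,Service Control Manager,7036,None
Information,01/03/2012 17:45:10,Microsoft-Windows-Kernel-Power,42,(64)
Information,01/03/2012 18:02:44,Microsoft-Windows-Power-Troubleshooter,1,None
Information,01/03/2012 22:10:03,Microsoft-Windows-Kernel-General,13,None
Error,02/03/2012 07:55:12,EventLog,6008,None
Critical,02/03/2012 07:55:20,Microsoft-Windows-Kernel-Power,41,(63)'

# make_events_file OUTFILE: write the target EventIDs in the ",ID," form the
# post uses, so the file can be fed to grep -f. Only 12 is on the page; the
# rest are well-known Windows 7 System log IDs added here (assumption).
make_events_file() {
  echo ",12,"   > "$1"    # Kernel-General 12: operating system started
  echo ",13,"   >> "$1"   # Kernel-General 13: operating system shut down
  echo ",41,"   >> "$1"   # Kernel-Power 41: reboot without a clean shutdown
  echo ",42,"   >> "$1"   # Kernel-Power 42: entering sleep
  echo ",1,"    >> "$1"   # Power-Troubleshooter 1: resumed from sleep
  echo ",6005," >> "$1"   # EventLog 6005: event log service started (boot)
  echo ",6006," >> "$1"   # EventLog 6006: event log service stopped (shutdown)
  echo ",6008," >> "$1"   # EventLog 6008: previous shutdown was unexpected
}

# timeline CSV EVENTS: keep only the target rows (grep -f, as in the post) and
# print "<date and time> <EventID> <meaning>" from fields 2 and 4.
# Field 3 (Source) is checked for ID 1, which many other sources also use.
timeline() {
  grep -f "$2" "$1" | awk -F',' '
    BEGIN {
      label["12"]   = "ON    (OS started)"
      label["6005"] = "ON    (event log service started)"
      label["13"]   = "OFF   (clean shutdown)"
      label["6006"] = "OFF   (event log service stopped)"
      label["41"]   = "CRASH (reboot without clean shutdown)"
      label["6008"] = "CRASH (previous shutdown was unexpected)"
      label["42"]   = "SLEEP (entering sleep)"
      label["1"]    = "AWAKE (resumed from sleep)"
    }
    ($4 in label) && ($4 != "1" || $3 == "Microsoft-Windows-Power-Troubleshooter") {
      print $2, $4, label[$4]
    }'
}

# Stand-alone run on the constructed sample.
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_CSV" > "$work/system7.csv"
make_events_file "$work/events.txt"
timeline "$work/system7.csv" "$work/events.txt"
rm -rf "$work"
```

Event Viewer typically writes the export newest-first, so pipe the output through tac when a chronological list is wanted. The ",ID," pattern only works because the EventID column is surrounded by commas; if the export puts a quoted description before the EventID, or the date format of the exporting machine's locale contains commas, the field positions change and the awk field numbers must be adjusted.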