As highlighted earlier, triage tools are a useful first step, but any incident investigation in which event logs are available will require specialized tools to dig deeper into the data those logs provide. The Windows operating system includes a native event log viewer. In the experience of many responders, that viewer is better suited to limited troubleshooting than to deep analysis of the event logs. Several tools, both open source and commercial, can be leveraged for event log analysis. SIEM platforms are among the most capable options, especially when they can analyze offline event logs or logs that have been acquired through scripts or other tools. In this chapter, two tools will be discussed: Event Log Explorer and Skadi. Each is useful for event log analysis, but each has unique features that suit it to different aspects of the work.
For example, Event Log Explorer offers better filtering of results along with string searching, and it can combine multiple log sources into a single view. Other tools, such as Skadi, allow the remote acquisition of log files and can correlate log entries with other data, such as master file table entries and registry key settings. The one drawback of Skadi is the time needed to ingest and process the data for review. It is therefore up to the responder to choose the tool that best fits the incident under investigation.
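The three operations the chapter attributes to these tools, merging logs acquired from several hosts into one view, filtering by event ID and searching for a string, can be carried out by hand on exported logs. The script below is an added example and is not code from the book, from Event Log Explorer or from Skadi; it assumes the logs were exported to XML (the format Event Viewer's "Save As" produces), and the records it processes are constructed.

```python
# Merge event logs acquired from several hosts into one timeline, then filter
# by event ID and string-search the records, as the chapter describes.
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed XML exports from two acquired hosts (sample data, not real logs).
SOURCES = {
    "HOST-A_Security.xml": """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T10:00:05Z"/>
<Computer>HOST-A</Computer><Channel>Security</Channel></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4688</EventID><TimeCreated SystemTime="2024-03-01T10:00:09Z"/>
<Computer>HOST-A</Computer><Channel>Security</Channel></System><EventData>
<Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>
</Events>""",
    "HOST-B_Security.xml": """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:59:58Z"/>
<Computer>HOST-B</Computer><Channel>Security</Channel></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data></EventData></Event>
</Events>""",
}

def parse_events(source_name, xml_text):
    """Flatten each <Event> into a dict; EventData fields keep their Name."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        rec = {"source": source_name, "computer": system.findtext(NS + "Computer"),
               "event_id": int(system.findtext(NS + "EventID")),
               "time": system.find(NS + "TimeCreated").get("SystemTime")}
        for d in ev.iter(NS + "Data"):
            rec[d.get("Name", "Data")] = d.text or ""
        events.append(rec)
    return events

def merged_timeline(sources, event_ids=None, needle=None):
    """All sources in one list sorted on SystemTime (UTC ISO-8601 strings sort
    correctly), limited to event_ids and to records containing needle if given."""
    out = [r for name, text in sources.items() for r in parse_events(name, text)]
    if event_ids is not None:
        out = [r for r in out if r["event_id"] in event_ids]
    if needle:
        n = needle.lower()
        out = [r for r in out if any(n in str(v).lower() for v in r.values())]
    return sorted(out, key=lambda r: r["time"])
```

Running `merged_timeline(SOURCES, event_ids={4624}, needle="alice")` returns the two logons for that account across both hosts in time order, which is the cross-source view the text credits to Event Log Explorer.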