
A PS forensics tool for Scraping, Filtering and Exporting Windows Event Logs

Whodunnit

Parse, Filter and Present Windows Event Logs with ease, from the comfort and familiarity of a PowerShell Environment.

Interactive mode Menu Options

+ Read In Log Files
	+ Read from File
	+ Read from Local Machine
	? Read from Remote Machine
		? Requires PSRemoting
		? Requires Admin Creds to box
		
+ Set Active Filter
	+ Export Active Filter to File
	+ Load Filter From File
	+ Filter Options
		+ Username
			+ Negative Selection
			
		+ Time Window
			+ Start time
			+ End time
			
		+ Event Types
			+ Positive Selection

		+ Type
			+ Positive Selection
		
		+ Source
			+ Positive Selection
			
			
+ Display Log Files
	+ Log files which match the active filter
		
+ Export Log Files
	+ Export all Read Log files
	+ Export all Log files that match active filter
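The filter semantics listed above (negative selection on username, a start/end time window, positive selection on event IDs, level and source) can be applied to Get-WinEvent-shaped records like this. This is an added example, not whodunnit's own code: the hashtable field names, the Test-EventMatchesFilter function and the sample records are assumptions constructed for illustration, not the tool's filter-file format.

```powershell
# Hypothetical filter definition (constructed; not whodunnit's filter-file format).
$Filter = @{
    ExcludeUsers = @('SYSTEM', 'LOCAL SERVICE')             # Username: negative selection
    StartTime    = [datetime]'2019-04-10T08:00:00'           # Time window
    EndTime      = [datetime]'2019-04-10T18:00:00'
    EventIds     = @(4624, 4625)                             # Event Types: positive selection
    Levels       = @('Information', 'Warning')               # Type: positive selection
    Sources      = @('Microsoft-Windows-Security-Auditing')  # Source: positive selection
}

function Test-EventMatchesFilter {
    param([Parameter(Mandatory)]$Event, [Parameter(Mandatory)][hashtable]$Filter)
    # An unset field matches everything, mirroring "an empty filter is used" when -f is omitted.
    if ($Filter.ExcludeUsers -and $Filter.ExcludeUsers -contains $Event.UserName) { return $false }
    if ($Filter.StartTime -and $Event.TimeCreated -lt $Filter.StartTime) { return $false }
    if ($Filter.EndTime   -and $Event.TimeCreated -gt $Filter.EndTime)   { return $false }
    if ($Filter.EventIds  -and $Filter.EventIds -notcontains $Event.Id)  { return $false }
    if ($Filter.Levels    -and $Filter.Levels -notcontains $Event.LevelDisplayName) { return $false }
    if ($Filter.Sources   -and $Filter.Sources -notcontains $Event.ProviderName)    { return $false }
    return $true
}

# Constructed sample records shaped like Get-WinEvent output, with a UserName column added.
$Events = @(
    [pscustomobject]@{ TimeCreated=[datetime]'2019-04-10T09:15:00'; Id=4624; LevelDisplayName='Information'; ProviderName='Microsoft-Windows-Security-Auditing'; UserName='alice' }
    [pscustomobject]@{ TimeCreated=[datetime]'2019-04-10T09:16:00'; Id=4624; LevelDisplayName='Information'; ProviderName='Microsoft-Windows-Security-Auditing'; UserName='SYSTEM' }
    [pscustomobject]@{ TimeCreated=[datetime]'2019-04-11T02:00:00'; Id=4625; LevelDisplayName='Information'; ProviderName='Microsoft-Windows-Security-Auditing'; UserName='bob' }
    [pscustomobject]@{ TimeCreated=[datetime]'2019-04-10T10:00:00'; Id=7045; LevelDisplayName='Information'; ProviderName='Service Control Manager'; UserName='bob' }
)

$Matched = $Events | Where-Object { Test-EventMatchesFilter -Event $_ -Filter $Filter }
# Only alice's 4624 survives: SYSTEM is excluded, bob's 4625 is outside the window, 7045 fails Id and Source.

# Export the matching records, as the Export Log Files menu does (ConvertTo-Csv instead writes to stdout).
$Matched | Export-Csv -Path "$env:TEMP\whodunnit-filtered.csv" -NoTypeInformation

# Against a live host (requires admin), feed real Security-log records through the same filter.
# For 4624/4625 the target account name is Properties[5] (TargetUserName).
# Get-WinEvent -LogName Security -MaxEvents 1000 |
#   Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, @{n='UserName'; e={ $_.Properties[5].Value }} |
#   Where-Object { Test-EventMatchesFilter -Event $_ -Filter $Filter }
```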

Command Line Interface

Usage:
	whodunnit.ps1 -i=/full/path [-f=/full/path] [-o=/full/path]
	whodunnit.ps1 -l [-f=/full/path] [-o=/full/path]
	whodunnit.ps1 -r="$IPAddress" -u=$Username -p[=$Password] [-f=/full/path] [-o=/full/path]
	whodunnit.ps1 -c [-f=/full/path/old] [-o=/full/path/new]
	
Flags:
	-c, --create-filter=$PATH
		Creates a filter file at $PATH
		
		-f : copy existing filter file
		-o : output path

	-i, --input-file 
		Specify a previously exported file to read in
		
	-l, --local-logs
		Specify loading logs from local host
		
	-r, --remote-logs
		Specify loading logs from remote host
		Username is required, password can be prompted
		
		-u : Administrative Username to use
		-p : Administrative Password to use
		
	-f, --filter
		Load a filter from file
		
	-o, --output-file
		Specify a file to export logs matching filter to
		
Notes:
	If -o is omitted in any command, all output is dumped to standard output.
	If -f is omitted in any command, an empty filter is used.
	If -p is given without a value, the password is prompted for.
	

Branch Descriptions

Interactive_menu:

This branch was created to contain the changes made while working on an interactive menu.
Status: On Hold
Detailed: Created 10APR19
	  Put on hold 04SEP19

Roadmap

Branch Descriptions

Credit Where Credit is Due

Menu Creation