There are various tools and methods for collecting Windows Event Logs from Windows machines, whether they are live or powered down, and either locally or remotely.
To export Windows Event Logs from a live source machine, the built-in command-line utility wevtutil is the most direct option: it enumerates the registered log channels and writes each one to an .evtx file.
evtx_collector.ps1
For a more streamlined approach, you can use a wrapper script called evtx_collector.ps1, available in this GitHub repository. This script exports all Windows Event Log files into a designated folder; the default output location is .\Logs.
Run the script with the appropriate parameters to collect the logs. The following command disables compression, so the .evtx files are stored in their original, unpacked format. This PowerShell command exports the Windows Event Logs to the folder D:\export\Logs:
.\evtx_collector.ps1 -DestinationFolder D:\export\Logs\ -NoCompress
The -NoCompress parameter ensures that the collected .evtx files are not compressed, allowing them to remain in their original state and be easily accessible for further analysis.
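The following PowerShell script is an added example of what such a wrapper does under the hood; it is not the repository's evtx_collector.ps1. It enumerates every channel with wevtutil el, exports each one with wevtutil epl, and then writes a SHA-256 manifest of the exported files so that later analysis can confirm the copies were not altered. The DestinationFolder parameter, the %4 file-naming convention (borrowed from how Windows names channel files under winevt\Logs) and the manifest file names are this example's own choices; it assumes an elevated PowerShell session on the source machine.

```powershell
# Added example, not the repository's evtx_collector.ps1.
# Exports every Windows Event Log channel with wevtutil and records a
# SHA-256 manifest of the result. Assumes an elevated PowerShell session;
# $DestinationFolder should point at the external storage you collect to.
param(
    [string]$DestinationFolder = ".\Logs"
)

$null = New-Item -ItemType Directory -Path $DestinationFolder -Force
$dest     = (Resolve-Path $DestinationFolder).Path
$manifest = Join-Path $dest "SHA256SUMS.txt"     # assumed file name
$exported = 0
$failed   = @()

# 'wevtutil el' lists every log channel registered on this host.
foreach ($channel in (wevtutil el | Where-Object { $_ })) {
    # Mirror the native naming under winevt\Logs, where '/' in a channel
    # name (e.g. Microsoft-Windows-Sysmon/Operational) is written as '%4'.
    $fileName = ($channel -replace '/', '%4') + ".evtx"
    $target   = Join-Path $dest $fileName

    # 'wevtutil epl' exports a channel to an .evtx file; /ow:true overwrites
    # an existing file of the same name.
    wevtutil epl $channel $target /ow:true 2>$null
    if ($LASTEXITCODE -eq 0 -and (Test-Path $target)) {
        $exported++
    } else {
        # Disabled or access-denied channels are recorded, not treated as fatal.
        $failed += $channel
    }
}

# Hash every exported file so a reviewer can verify the copies later
# (Get-FileHash is a standard PowerShell cmdlet).
Get-ChildItem -Path $dest -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path $manifest -Encoding ASCII

if ($failed.Count -gt 0) {
    $failed | Set-Content -Path (Join-Path $dest "failed_channels.txt")
}
Write-Host ("Exported {0} channel(s) to {1}; {2} failed (see failed_channels.txt)." -f `
    $exported, $dest, $failed.Count)
```

Usage: `.\collect_evtx_example.ps1 -DestinationFolder E:\case01\Logs` from an elevated prompt. The manifest is written beside the .evtx files so it travels with the evidence; keeping a second copy of SHA256SUMS.txt apart from the exported logs lets you detect changes to either.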
Important Considerations
During the data collection process, it is crucial to avoid any manipulation of the evidence. Always store the collected data on external sources such as network drives or USB drives to maintain the integrity of the logs.