Wielview is an open-source computer forensics tool that analyses Windows Event Logs and displays a summary of the results for the chosen function(s).
List of functions:
- Storage
  - Shows detailed information about internal and external storage devices that have ever been connected, including the partition table and the connection and disconnection timestamps.
- Boot
  - Shows the list of boot-up and sleep timestamps, including the boot type.
- WLAN
  - Shows the list of wireless network profiles that have ever been connected to, including the connection and disconnection timestamps.
  - Shows the list of wireless network profiles that have no authentication (open networks).
- System Time Change
  - Shows the list of system time changes made manually by a user.
- Windows Defender
  - Shows the list of malware detected by Windows Defender.
  - Shows the list of malware that Windows Defender detected but took no protective action against.
- User Logon/Logoff
  - Shows the list of user logon and logoff events.
- Printer
  - Shows the list of printers that have ever been connected and the print jobs, including those sent to Microsoft Print to PDF.
- Microsoft Office
  - Shows the list of alerts that have appeared and the files that have been opened with a Microsoft Office application.
  - Shows the list of files opened with a Microsoft Office application whose extension does not belong to any Microsoft Office file type.
- PowerShell
  - Shows the list of commands run through PowerShell, with their timestamps.
  - Shows the list of obfuscated commands run through PowerShell.
Wielview is written in Python and can be run from any command-line interface.
Wielview requires Python 3.
The following Python modules must be installed:
- python-evtx
pip install python-evtx
- pandas
pip install pandas
- obfuscation-detection
pip install obfuscation-detection
You can also install all of the modules at once with the command below (run it from the directory that contains requirements.txt).
pip install -r requirements.txt
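The following is an added example, not Wielview's own code, of how the two kinds of summary above are produced from Windows Event Log records: python-evtx hands each record to you as XML in the Windows Event schema, and a tool like Wielview flattens that XML, filters by Event ID, and pairs or flags events. The event records below are constructed samples in that schema (not real log data) so the example runs without an .evtx file; the obfuscation check is a simple heuristic assumed for illustration, not the obfuscation-detection module Wielview uses. The 4624/4634 pairing on TargetLogonId and the 4104 script-block extraction are general Windows event-log techniques, not a description of Wielview's internals.

```python
"""Added example (not Wielview's own code): turn Windows Event Log records into
the kind of summary Wielview produces for its User Logon/Logoff and PowerShell
functions. Records are handled as Windows Event schema XML, which is what
python-evtx's record.xml() returns."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real log data): a 4624 logon and its 4634
# logoff from the Security log, and two 4104 script-block events from
# Microsoft-Windows-PowerShell/Operational, the second one obfuscated.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2023-05-01T08:00:00.000000Z"/>
<Channel>Security</Channel></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
<Data Name="TargetLogonId">0x3e7a1</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2023-05-01T08:05:10.000000Z"/>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel></System>
<EventData><Data Name="ScriptBlockText">Get-Process | Sort-Object CPU</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2023-05-01T08:06:30.000000Z"/>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel></System>
<EventData><Data Name="ScriptBlockText">&amp;("{1}{0}" -f 'EX','I') ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBFAFgA')))</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4634</EventID><TimeCreated SystemTime="2023-05-01T09:30:00.000000Z"/>
<Channel>Security</Channel></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetLogonId">0x3e7a1</Data></EventData></Event>""",
]


def parse_time(value):
    """SystemTime is ISO-8601 UTC; accept both the 'T'/'Z' and space-separated spellings."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d %H:%M:%S.%f"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value}")


def parse_record(xml_text):
    """Flatten one event's XML into a dict: Event ID, UTC time, channel and the named EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for item in event_data.findall("e:Data", NS):
            data[item.get("Name")] = item.text or ""
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "data": data,
    }


def logon_sessions(records):
    """Pair 4624 logons with 4634 logoffs on TargetLogonId; an unmatched logon keeps logoff_time None."""
    open_sessions, sessions = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        logon_id = rec["data"].get("TargetLogonId")
        if rec["event_id"] == 4624:
            session = {"user": rec["data"]["TargetUserName"],
                       "logon_type": rec["data"].get("LogonType"),
                       "logon_time": rec["time"], "logoff_time": None}
            open_sessions[logon_id] = session
            sessions.append(session)
        elif rec["event_id"] == 4634 and logon_id in open_sessions:
            open_sessions.pop(logon_id)["logoff_time"] = rec["time"]
    return sessions


# Assumed heuristic for this example only: format-string/char-code tricks,
# base64 decoding, or a script made up largely of symbols.
SUSPICIOUS_TOKENS = ("frombase64string", "-enc", "`", "{0}", "-f ", "-join", "[char]")


def looks_obfuscated(script):
    lowered = script.lower()
    if any(tok in lowered for tok in SUSPICIOUS_TOKENS):
        return True
    symbols = sum(1 for c in script if not (c.isalnum() or c.isspace()))
    return bool(script) and symbols / len(script) > 0.35


def powershell_commands(records):
    """List 4104 script blocks with their timestamp and an obfuscation flag."""
    return [{"time": rec["time"], "script": rec["data"].get("ScriptBlockText", ""),
             "obfuscated": looks_obfuscated(rec["data"].get("ScriptBlockText", ""))}
            for rec in sorted(records, key=lambda r: r["time"]) if rec["event_id"] == 4104]


def iter_evtx_records(path):
    """Yield record XML from a real .evtx file with python-evtx (imported lazily so the samples run without it)."""
    from Evtx.Evtx import Evtx  # pip install python-evtx
    with Evtx(path) as log:
        for record in log.records():
            yield record.xml()


if __name__ == "__main__":
    records = [parse_record(x) for x in SAMPLE_RECORDS]
    for s in logon_sessions(records):
        print(f"{s['user']:8} type {s['logon_type']} logon {s['logon_time']} logoff {s['logoff_time']}")
    for c in powershell_commands(records):
        print(f"{c['time']} {'OBFUSCATED' if c['obfuscated'] else 'plain     '} {c['script'][:60]}")
```

To run the same summary over a real log, replace SAMPLE_RECORDS with `iter_evtx_records("Security.evtx")` or the PowerShell/Operational log; the dict-per-record shape is what you would hand to a pandas DataFrame for sorting and display. Note that 4104 script-block logging must be enabled on the source host, otherwise the PowerShell channel holds nothing to summarise.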