1cysw0rdk0 edited this page Sep 4, 2019 · 4 revisions

Whodunnit is a forensic tool initially created to let the user quickly sort Windows event logs based solely on the user responsible for generating each log. Over time it has evolved to allow filtering on far more criteria than a username. The overarching goal of the project was, and still is, to reduce a forensic investigator's time at the keyboard by making the scraping and sorting process scriptable.

Whodunnit allows a user to read Windows event logs either from a previously exported dump or from the local machine. At present it reads every log it has access to, so acquiring the Security log requires running it with the proper permissions. After the logs are read in, the user can load a previously exported filter or create a custom one.

Currently, 6 properties can be used to filter the loaded logs: usernames, a starting date and time, an ending date and time, event codes, event types, and event sources. Each property is configurable through the tool when it is run with a GUI.

The active filter is applied immediately after backing out of the editing menu, or immediately after loading a filter from a file. This may take a significant amount of time, especially if system logs are included or a large number of logs is being sorted through. The filtering algorithm is currently O(n * (j + k + l)), where n is the number of logs to filter through and j, k and l are the lengths of the username, event code and event type lists. Note that the sources are stored independently, and only sources named in the current filter are examined.

The display function is intended to give the user a quick glimpse at how many logs will be exported compared to the total number read in. As such, the display function does not list out all of the logs read in. Instead, a table is printed with the numbers of logs in each log source, both before and after filtering them.

Finally, the export function allows the user to write logs to a file. The user is prompted to select whether to export all logs or only the logs matching the current filter, and is then prompted for a file path. An XML file containing either all or only the filtered logs, depending on the user's selection, is written to that path.
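The following is an added example, not Whodunnit's own code, showing the pipeline the wiki describes end to end: logs stored per source, a filter with the six properties (an empty criterion imposes no restriction), a per-source before/after count table like the display function, and an XML export of the kept records. The record fields, class names and the XML layout are this example's assumptions; the event records are constructed sample data, not real log output.

```python
"""Added example (not Whodunnit's code): filter, summarize and export Windows-style event records."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One parsed event log record (field names are this example's, not Whodunnit's)."""
    source: str        # log channel the record came from, e.g. "Security"
    username: str      # account responsible for generating the record
    time: datetime
    code: int          # event ID, e.g. 4624
    etype: str         # event type / level, e.g. "Audit Success"


@dataclass
class Filter:
    """The six criteria the wiki lists; an empty set or None means 'no restriction'."""
    usernames: Set[str] = field(default_factory=set)
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    codes: Set[int] = field(default_factory=set)
    types: Set[str] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)


def group_by_source(events: List[Event]) -> Dict[str, List[Event]]:
    """Store logs independently per source, as the wiki says Whodunnit does."""
    by_source: Dict[str, List[Event]] = {}
    for ev in events:
        by_source.setdefault(ev.source, []).append(ev)
    return by_source


def matches(ev: Event, f: Filter) -> bool:
    """Check the per-record criteria (username, time window, code, type)."""
    if f.usernames and ev.username not in f.usernames:
        return False
    if f.start is not None and ev.time < f.start:
        return False
    if f.end is not None and ev.time > f.end:
        return False
    if f.codes and ev.code not in f.codes:
        return False
    if f.types and ev.etype not in f.types:
        return False
    return True


def apply_filter(by_source: Dict[str, List[Event]], f: Filter) -> Dict[str, List[Event]]:
    """Only sources named in the filter are scanned; others contribute nothing."""
    wanted = f.sources or set(by_source)
    return {src: [ev for ev in evs if matches(ev, f)]
            for src, evs in by_source.items() if src in wanted}


def summarize(by_source: Dict[str, List[Event]],
              filtered: Dict[str, List[Event]]) -> Dict[str, Tuple[int, int]]:
    """Per-source (read, kept) counts: the display view, not the records themselves."""
    return {src: (len(evs), len(filtered.get(src, []))) for src, evs in by_source.items()}


def to_xml(records: Dict[str, List[Event]]) -> str:
    """Serialize the given per-source records as one XML document (layout assumed)."""
    root = ET.Element("Events")
    for src, evs in records.items():
        for ev in evs:
            node = ET.SubElement(root, "Event", Source=src, Username=ev.username,
                                 Code=str(ev.code), Type=ev.etype)
            node.text = ev.time.isoformat()
    return ET.tostring(root, encoding="unicode")


def sample_events() -> List[Event]:
    """Constructed sample records, not real log data."""
    return [
        Event("Security", "alice", datetime(2019, 9, 1, 10, 0), 4624, "Audit Success"),
        Event("Security", "alice", datetime(2019, 9, 1, 11, 0), 4625, "Audit Failure"),
        Event("Security", "bob", datetime(2019, 9, 1, 12, 0), 4624, "Audit Success"),
        Event("Security", "alice", datetime(2019, 9, 3, 9, 0), 4624, "Audit Success"),
        Event("System", "alice", datetime(2019, 9, 1, 10, 30), 7036, "Information"),
        Event("Application", "SYSTEM", datetime(2019, 9, 1, 10, 45), 1000, "Error"),
    ]


def sample_filter() -> Filter:
    """alice's logon events on 2019-09-01 from the Security and System logs only."""
    return Filter(usernames={"alice"}, start=datetime(2019, 9, 1), end=datetime(2019, 9, 2),
                  codes={4624, 4625}, sources={"Security", "System"})


def run_example() -> Tuple[Dict[str, Tuple[int, int]], str]:
    """Read in, filter, summarize and export; returns (summary table, XML text)."""
    by_source = group_by_source(sample_events())
    filtered = apply_filter(by_source, sample_filter())
    return summarize(by_source, filtered), to_xml(filtered)


if __name__ == "__main__":
    summary, xml_out = run_example()
    for src, (read, kept) in summary.items():
        print(f"{src:<12} {read:>5} read {kept:>5} kept")
    print(xml_out)
```

With the sample filter only the two Security records for alice inside the time window survive; the Application log is never scanned because it is not in the filter's sources, and the System record is dropped by the event code check. Set membership makes each record check O(1) rather than the O(j + k + l) list scans the wiki describes, which is the simplest way to bring the overall cost down to O(n) when the lists grow.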
