Can any generous-hearted people help me with their time? I am stuck on question no. 2:
“C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx” using Timeline Explorer. It documents the creation of two scheduled tasks. Enter the name of the scheduled task that begins with “M” and concludes with “r” as your answer.
I tried to do it and import it using Timeline Explorer, but the output is huge, around 6000 lines. Any hint on this, or what is the best way to filter it?
I tried filtering on “task”, “schedule” or “106” but it seems I can’t find the answer. Am I missing something?
Yes. The first answer involves this command: PS C:\Users\johndoe\Desktop\Get-ZimmermanTools\net6> .\MFTECmd.exe -f 'C:\Users\johndoe\Desktop\forensic_data\kape_output\D$MFT' --csv C:\Users\johndoe\Desktop\forensic_data\mft_analysis\ --csvf MFT.csv. The second answer involves this command: PS C:\Users\johndoe\Desktop\Get-ZimmermanTools\net6\EvtxeCmd> .\EvtxECmd.exe -f "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv "C:\Users\johndoe\Desktop\forensic_data\event_logs\csv_timeline" --csvf kape_event_log.csv. Use Timeline Explorer to view the CSV files.
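Once EvtxECmd has written the Sysmon log to CSV, the rows can be narrowed to task-creation activity instead of scrolling through thousands of lines. The script below is added here and is not from the thread or from Eric Zimmerman's tools; it runs over a constructed CSV that uses an assumed subset of EvtxECmd's column names (TimeCreated, EventId, MapDescription, ExecutableInfo, PayloadData1) and keys on Sysmon event 1 (ProcessCreate) command lines containing schtasks /create and on event 11 (FileCreate) writes under C:\Windows\System32\Tasks, where the Task Scheduler stores each task's XML.

```python
import csv
import io
import re

# Constructed sample rows in the (assumed) column layout EvtxECmd writes; not real case data.
SAMPLE_CSV = """TimeCreated,EventId,MapDescription,ExecutableInfo,PayloadData1
2023-01-10 09:12:01,1,Process creation,C:\\Windows\\System32\\svchost.exe -k netsvcs,ProcessID: 812
2023-01-10 09:13:44,1,Process creation,"schtasks.exe /create /tn ""MaintenanceHelper"" /tr C:\\Temp\\u.exe /sc minute",ProcessID: 4120
2023-01-10 09:13:45,11,File created,C:\\Windows\\System32\\schtasks.exe,TargetFilename: C:\\Windows\\System32\\Tasks\\MaintenanceHelper
2023-01-10 09:20:03,1,Process creation,schtasks.exe /create /tn CleanupJob /tr cmd.exe /sc daily,ProcessID: 5001
2023-01-10 09:21:00,3,Network connection,C:\\Windows\\System32\\svchost.exe,DestinationIp: 10.0.0.5
"""

# Task XML files land under this folder; the remainder of the path is the task name.
TASKS_DIR_RE = re.compile(r"\\Windows\\System32\\Tasks\\(.+)$", re.IGNORECASE)


def task_name_from_cmdline(text):
    """Task name from a 'schtasks /create ... /tn <name>' command line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b", text, re.I) or not re.search(r"/create\b", text, re.I):
        return None
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', text, re.I)
    return (m.group(1) or m.group(2)) if m else None


def scheduled_task_events(csv_text):
    """Return (TimeCreated, EventId, task name) for Sysmon rows that record task creation."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for value in row.values():          # check every column; map files vary in placement
            name = None
            if row["EventId"] == "1":       # Sysmon ProcessCreate: inspect the command line
                name = task_name_from_cmdline(value)
            elif row["EventId"] == "11":    # Sysmon FileCreate: task XML written to Tasks dir
                m = TASKS_DIR_RE.search(value)
                name = m.group(1) if m else None
            if name:
                hits.append((row["TimeCreated"], int(row["EventId"]), name))
                break
    return hits


def task_names(csv_text, starts_with="", ends_with=""):
    """Distinct task names, optionally filtered by leading/trailing text (case-insensitive)."""
    names = {name for _, _, name in scheduled_task_events(csv_text)}
    return sorted(n for n in names
                  if n.lower().startswith(starts_with.lower()) and n.lower().endswith(ends_with.lower()))
```

Point `SAMPLE_CSV` at the real kape_event_log.csv contents to get the same filtered view that a Timeline Explorer column filter on EventId plus a search for "schtasks" or "\Tasks\" would give.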