Friday, April 24, 2015

PowerShell: Offline Windows Event Logs Analysis - Part 1

1. You already have the raw Windows Event log copy out from the Server using Forensics tools.
Default Event Log Location:
Windows Server 2003 Operating System : %WinDir%\System32\Config
Windows Server 2008, 2012 R2 Operating System : %WinDir%\System32\Winevt\Logs


2. Repair the Event log!
If the file was not properly closed, the four fields will not have been synched and the file status byte will be odd.  When you attempt to open such a file with any viewer reliant upon the event log API, it will be reported as corrupt.  This frequently occurs in forensics when you pull the plug or do a live acquisition.  EnCase doesn't rely upon that API and will parse them without repair.  If you wish to use them in a viewer reliant upon the event log API, you'll need to repair the header.
To repair the event log file, you simply need to copy the four fields from the floating footer into their corresponding location in the header and then set the file status byte to any even value. Save and you are done.  It's really that simple. (http://www.stevebunting.org/udpd4n6/forensics/repaireventlogfile.htm)


Automated Windows Event Log Repair Tool:
    http://www.cwflynt.com/logFixer
    http://murphey.org/fixevt.html


3. Extracting the XML event log information from a saved Windows event log
Note: Please run the commands line by line so that you can see what each one does and what it outputs.

# Analyzing one event message from event log
# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name. Here we assigned the value to "$Event" variable.
PS C:\Users\mimi> $Event = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624} -MaxEvents 1

# We then view the event properties.
PS C:\Users\mimi> $Event | Format-List *

# Now we can view the array of message body values, however the property names are missing.
PS C:\Users\mimi> $Event.Properties

# Now we convert the event to XML and assign the value to "$eventXML" variable.
PS C:\Users\mimi> $eventXML = [xml]$Event.ToXml()

# Voilà...now we get all the XML information from the message.
PS C:\Users\mimi> $eventXML.Event.EventData.Data

# To reach a single data element we index into the array: the Name attribute gives the field name and '#text' gives its value.
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].name
PS C:\Users\mimi> $eventXML.Event.EventData.Data[0].'#text'


-----------------------------------------------------------------------------------------

Full running code:
1. Change the "Path" location to your Windows Event Log and save the PowerShell code below as "Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1"


-----------BEGIN-----------
#Extract Security.evtx event id 4624 - Logon Activities
#------------------------------------------------------

# Extract Security.evtx event id "4624" for logon activities from the full path to the saved log file name.
$Events = Get-WinEvent -FilterHashtable @{Path="D:\Sample_Event_Log\Win7\Security.evtx";Id=4624}

# Assign the Output file to store the output result.
$OutputFile = "D:\Sample_Event_Log\Win7\Security_Evtx_Event_ID_4624_output.csv"

# Parse out the event message data
ForEach ($Event in $Events)
{
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()

    # Iterate through each one of the XML message properties
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++)
    {
        # Append these as object properties (Name attribute -> property name, '#text' -> value)
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
    }
}

# View the results with your favorite output method           
#$Events | Select-Object * | Out-GridView
$Events | Select-Object TimeCreated,MachineName,LogName,Id,SubjectLogonId,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType | Export-Csv $OutputFile -NoType

-----------END-----------
Run it:
PS C:\Users\mimi> .\Extract_Security_Evtx_Event_ID_4624_Logon_Activities.ps1
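The same XML flattening carried one step further, as an added example that is not part of the original post or the referenced scripts: it assumes PowerShell 3.0 or later and the same sample path, turns each 4624 record into a flat object with a pipeline function, and then summarises Network (type 3) and RemoteInteractive/RDP (type 10) logons per account with their source addresses, which is the kind of question the RDP post further down asks of the Security log.

```powershell
# Added example (not from the original post): flatten each 4624 record's
# EventData into an object, then summarise logons per account and type.
# The path is assumed; point it at your saved Security.evtx copy.
$LogPath = "D:\Sample_Event_Log\Win7\Security.evtx"

# Logon type codes as documented for event 4624
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-EventData {
    # One EventLogRecord in, one PSCustomObject out: record-level fields plus
    # every named <Data> element of the XML body as a property.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $row = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Computer    = $Event.MachineName
            Id          = $Event.Id
        }
        # foreach copes with Data being a single element or an array
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

$Logons = Get-WinEvent -FilterHashtable @{Path=$LogPath; Id=4624} |
    ConvertFrom-EventData |
    Where-Object { $_.TargetUserName -notlike '*$' }   # skip machine accounts
# Network (3) and RemoteInteractive/RDP (10) logons: who, how often, from where
$Logons |
    Where-Object { $_.LogonType -in 3,10 } |
    Group-Object TargetDomainName, TargetUserName, LogonType |
    ForEach-Object {
        $g = @($_.Group | Sort-Object TimeCreated)   # @() keeps a 1-event group indexable
        [pscustomobject]@{
            Account   = "$($g[0].TargetDomainName)\$($g[0].TargetUserName)"
            LogonType = "$($g[0].LogonType) ($($LogonTypeNames[[int]$g[0].LogonType]))"
            Count     = $g.Count
            FirstSeen = $g[0].TimeCreated
            LastSeen  = $g[-1].TimeCreated
            SourceIPs = ($g.IpAddress | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Swap the final Format-Table for Export-Csv if you want the same per-account summary written next to the CSV the script above produces.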

References:
https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors/
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
https://gallery.technet.microsoft.com/scriptcenter/Log-Parser-to-Identify-8aac36bd

Friday, March 20, 2015

Remote Desktop Protocol (RDP) Logging and Tracking sessions Logon/Logoff activity

Applies To:
Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista

Windows Event Log: Security Event
File Location : %windir%\system32\config\SecEvent.Evt
Event ID: 528 - A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
Type: 10 - RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.

More on Remote Desktop Services Availability

Thursday, February 26, 2015

The New Way to Look at Users Properties

The Active Directory Administrative Center is another new component introduced by Windows Server 2008 R2. Many admins gave it a glance, thought to themselves "another ADUC, why bother?", and went back to their familiar old tool. If you like acctinfo.dll though, you should like ADAC.

With Win7 RSAT installed and the AD tools enabled (or RDP'ed into your Win2008 R2 servers for AD administration), run DSAC.EXE. You'll see this:

Here is the detailed explanation from the expert: http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx