
Windows Forensics using Hayabusa

If you're doing Windows forensics or incident-response-related CTF challenges, you've probably heard about Hayabusa, the handy open-source tool that makes digging through Windows event logs actually bearable. It's like having a security analyst buddy who never sleeps, constantly sifting through logs looking for suspicious stuff.

It's free and open source, so you can grab it from the Yamato-Security/hayabusa repository on GitHub and start using it today.

Here are the commands I find useful - the ones that actually save me time when I'm knee-deep in event logs:

Simple check

hayabusa log-metrics -f "filename".evtx
Provides basic file metadata and event statistics - perfect for an initial assessment.

[Screenshot: log-metrics output]

Event ID analysis

hayabusa eid-metrics -f "filename".evtx
Shows the most common Event IDs and their counts - great for identifying normal vs. abnormal activity patterns.

[Screenshot: eid-metrics output]

Basic timeline creation

hayabusa csv-timeline -f "filename".evtx -o timeline.csv
Creates a basic forensic timeline in CSV format that's easy to open in Excel or other analysis tools.

[Screenshot: csv-timeline output]

Logon activity summary

hayabusa logon-summary -f "filename".evtx
Provides an overview of successful and failed logons - essential for detecting brute force attacks or unauthorized access.

[Screenshot: logon-summary output]

Search for specific keywords

hayabusa search -f "filename".evtx -k "mimikatz"
Searches for specific threat indicators or suspicious tools in the event logs.

[Screenshot: search output]

Quick minimal analysis

hayabusa csv-timeline -f "filename".evtx -p minimal -o quick_scan.csv
The minimal profile keeps only the core columns, so this is perfect for rapid assessments when you need quick results without noise.

Identify critical systems

hayabusa config-critical-systems -f "filename".evtx
Automatically identifies domain controllers, file servers, and other critical infrastructure.

Practical Workflow Tips

  1. Start with metrics: Always begin with log-metrics and eid-metrics to understand your data
  2. Use profiles wisely: Choose minimal for quick scans, detailed for comprehensive analysis
  3. Filter by level: Use -l high,critical to reduce noise in large datasets
  4. Export to CSV: Always save your results for further analysis in spreadsheet tools
  5. Combine with other tools: Use Hayabusa outputs as input for timeline analysis in other forensic tools, for example Eric Zimmerman's tools
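Tips 3 and 4 (filter by level, export to CSV and keep analysing) are where the CSV timeline earns its keep, so here is an added example of the post-processing step. This is my own illustration, not code from the post or from the Hayabusa project: it builds the csv-timeline command line, then parses a constructed sample of minimal-profile output and does the filtering and counting you would otherwise do in a spreadsheet. Assumptions: the minimal profile's column names (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details), the short level names Hayabusa prints (info/low/med/high/crit, handled alongside the full names), the " ¦ " separator inside Details, and the -m/--min-level flag for the minimum rule level; check those against `hayabusa csv-timeline --help` for the release you run. Every row in the sample is invented.

```python
import csv
import io
from collections import Counter

# Constructed sample of `hayabusa csv-timeline -p minimal` output (assumed
# column set and level abbreviations; all rows invented for this example).
SAMPLE_TIMELINE = r"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2024-03-04 09:12:01.123 +00:00,WS01,Sec,4624,info,Logon (Network),"Type: 3 ¦ TgtUser: alice ¦ SrcIP: 10.0.0.5"
2024-03-04 09:13:44.900 +00:00,WS01,Sec,4625,med,Logon Failure (Bad Password),"TgtUser: bob ¦ SrcIP: 10.0.0.77"
2024-03-04 09:13:47.210 +00:00,WS01,Sec,4625,med,Logon Failure (Bad Password),"TgtUser: bob ¦ SrcIP: 10.0.0.77"
2024-03-04 09:20:05.000 +00:00,WS01,Sys,7045,high,Service Installation,"Svc: updater ¦ Path: C:\Users\Public\updater.exe"
2024-03-04 09:25:30.501 +00:00,DC01,Sec,4720,high,User Account Created,"TgtUser: svc_backup ¦ SubjectUser: alice"
2024-03-04 09:31:12.777 +00:00,DC01,Sec,1102,crit,Security Log Cleared,"SubjectUser: alice"
"""

# Hayabusa abbreviates some levels in its output; map both forms to one name.
LEVEL_ALIASES = {"info": "informational", "med": "medium", "crit": "critical"}
LEVEL_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_level(level):
    """Return the full level name for either 'crit' or 'critical' style input."""
    lvl = level.strip().lower()
    return LEVEL_ALIASES.get(lvl, lvl)


def parse_timeline(csv_text):
    """Parse csv-timeline output; the csv module copes with commas inside the quoted Details."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_by_level(rows, min_level="high"):
    """Keep rows whose level is at least min_level (the 'reduce noise' step of tip 3)."""
    threshold = LEVEL_ORDER[normalize_level(min_level)]
    return [r for r in rows if LEVEL_ORDER.get(normalize_level(r["Level"]), -1) >= threshold]


def details_fields(details):
    """Split a Details cell of the form 'Key: value ¦ Key: value' into a dict."""
    fields = {}
    for part in details.split(" ¦ "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(rows):
    """Count hits per level and per (host, rule) so the busiest host/rule pairs stand out."""
    by_level = Counter(normalize_level(r["Level"]) for r in rows)
    by_host_rule = Counter((r["Computer"], r["RuleTitle"]) for r in rows)
    return {"by_level": by_level, "by_host_rule": by_host_rule}


def failed_logons_by_user(rows):
    """Count EventID 4625 rows per target user: a tiny version of logon-summary."""
    counts = Counter()
    for r in rows:
        if r["EventID"] == "4625":
            counts[details_fields(r["Details"]).get("TgtUser", "?")] += 1
    return counts


def build_timeline_command(evtx_path, out_csv, profile="minimal", min_level=None):
    """Assemble the csv-timeline argument list (-m/--min-level assumed for the level floor)."""
    cmd = ["hayabusa", "csv-timeline", "-f", evtx_path, "-p", profile, "-o", out_csv]
    if min_level:
        cmd += ["-m", min_level]
    return cmd


if __name__ == "__main__":
    print(" ".join(build_timeline_command("Security.evtx", "quick_scan.csv", min_level="high")))
    rows = parse_timeline(SAMPLE_TIMELINE)
    for row in filter_by_level(rows, "high"):
        print(row["Timestamp"], row["Computer"], row["Level"], row["RuleTitle"])
    print(summarize(rows)["by_host_rule"].most_common(3))
    print(failed_logons_by_user(rows))
```

On real output, swap SAMPLE_TIMELINE for the file written by `-o`; the same functions give you the high-and-above rows, the noisiest host/rule pairs and a per-user failed-logon count without opening Excel.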

Remember: Hayabusa is particularly powerful for detecting lateral movement, persistence mechanisms, and privilege escalation techniques commonly used by attackers.

:)

All rights reserved. Any use of my content is strictly prohibited!