LogonTracer

LSE top 100: LogonTracer (#87)

Tool and Usage

Project details
License: Custom license
Programming language: Python
Author: Shusei Tomonaga
Latest release: 1.3.1

Project health

Score: 84 (calculated from factors such as project age and the date of the last release)

Why this tool?

LogonTracer is a tool to investigate malicious logins from Windows event logs with visualization capabilities.

How it works

LogonTracer uses a predefined set of Windows event IDs to select the events that belong to the authentication process. From those events it builds a graph that links the accounts that authenticated to the hosts involved, and renders that graph so an analyst can spot anomalous logon patterns. The web interface is built with Flask, the event data is stored in a Neo4j graph database, and the graph is drawn with Cytoscape.

Background information

Related Windows event IDs:

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges
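The core of the approach above is simple enough to demonstrate in a few dozen lines: filter the Security log for the six event IDs, normalise the fields, and produce the user-to-host edges that a graph database or a visualiser would then consume. The block below is an added example written for this page; it is not LogonTracer's own code and does not touch Neo4j. It reads events in the XML shape that `wevtutil qe Security /f:xml` (or an EVTX-to-XML export) emits; the sample events embedded in it are constructed, and the function names are ours.

```python
"""Select logon-related Windows Security events and build a user<->host
edge list of the kind LogonTracer visualises.

Added example, not LogonTracer's own code. Input is XML in the shape that
`wevtutil qe Security /f:xml` produces. All sample events are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The authentication-related event IDs listed above.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}

# Constructed sample: one success, two failures from one source, a Kerberos
# TGT request (IPv4-mapped IPv6 client address), a special-privilege
# assignment, and one unrelated event (4688) that must be filtered out.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><Computer>DC01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">-</Data><Data Name="TargetUserName">alice</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>DC01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:01:00Z"/></System>
<EventData><Data Name="TargetUserName">bob</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Computer>DC01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:01:05Z"/></System>
<EventData><Data Name="TargetUserName">administrator</Data>
<Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4768</EventID><Computer>DC01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:02:00Z"/></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="ServiceName">krbtgt</Data>
<Data Name="IpAddress">::ffff:10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4672</EventID><Computer>WS01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:03:00Z"/></System>
<EventData><Data Name="SubjectUserName">alice</Data>
<Data Name="PrivilegeList">SeDebugPrivilege</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Computer>WS01.corp.local</Computer>
<TimeCreated SystemTime="2024-05-01T08:04:00Z"/></System>
<EventData><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data></EventData>
</Event>
</Events>"""


def normalise_ip(value):
    """Kerberos events record IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d');
    '-' means no address was recorded. Return a plain IPv4 string or ''."""
    if value in ("", "-"):
        return ""
    return value[7:] if value.startswith("::ffff:") else value


def parse_events(xml_text):
    """Return the authentication-related events as flat dicts, in log order."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in AUTH_EVENT_IDS:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": event_id,
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "host": ev.findtext("e:System/e:Computer", namespaces=NS),
            # 4672 carries the account in SubjectUserName, the others in TargetUserName.
            "user": data.get("TargetUserName") or data.get("SubjectUserName", ""),
            "src": normalise_ip(data.get("IpAddress", "")),
            "data": data,
        })
    return events


def build_edges(events):
    """Count (user, host, event_id) triples. The host is the client address
    when the event carries one, otherwise the computer that logged the event."""
    edges = Counter()
    for e in events:
        edges[(e["user"], e["src"] or e["host"], e["id"])] += 1
    return edges


def failed_logon_sources(events, threshold=2):
    """Source addresses with at least `threshold` 4625 failures (spray/brute-force hint)."""
    fails = Counter(e["src"] for e in events if e["id"] == 4625 and e["src"])
    return {src: n for src, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for (user, host, eid), n in sorted(build_edges(evs).items()):
        print(f"{user:15} -> {host:16} event {eid} x{n}")
    print("repeated failures:", failed_logon_sources(evs))
```

The edge list is the structure a graph store or Cytoscape would be fed; LogonTracer additionally scores the graph and times the events, which this example deliberately leaves out. Note the `::ffff:` handling: without it, the same client appears as two different nodes depending on whether it was seen through a Kerberos event or an NTLM/logon event.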

Usage and audience

LogonTracer is commonly used for criminal investigations, digital forensics, or learning. Target users for this tool are forensic specialists, security professionals, and system administrators.

Features

  • Docker support
  • Web interface

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:

Strengths

  • + More than 500 contributors
  • + The source code of this software is available

History and highlights

  • Demo at Black Hat USA 2018 Arsenal

Author and Maintainers

LogonTracer is under development by Shusei Tomonaga.

Installation

Supported operating systems

LogonTracer is known to work on Linux, macOS, and Microsoft Windows.

Dependencies

Several dependencies are required to use LogonTracer.

  • Cytoscape
  • Flask
  • Neo4j
  • Neo4j JavaScript driver
  • Python 3

LogonTracer alternatives

Similar tools to LogonTracer:

Bitscout (score 64)

Bitscout is a security tool that allows professionals to perform digital forensics remotely. The toolkit creates a live CD for this purpose.

dfis (score 64)

Digital Forensic Investigative Scripts, or dfis, is a collection of scripts that can be used during forensic investigations.

FIR (score 64)

FIR is an incident response tool written in the Django framework. It provides a web interface for the creation and management of security-related incidents.


Related tool information

Categories

This tool is categorized as a digital forensics tool.
