Tool and Usage
Latest release: 1.3.1
Why this tool?
LogonTracer is a tool to investigate malicious logins from Windows event logs with visualization capabilities.
How it works
LogonTracer uses a predefined set of event IDs to select the events that belong to the authentication process. From those events it builds a graph that links each logon event to the hosts involved, and visualizes it. The web interface is powered by Flask, the data is stored in a Neo4j database, and the graph is rendered with Cytoscape.
Related Windows event IDs:
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges
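As an added illustration (not LogonTracer's own code), the following Python shows the first step LogonTracer performs: it keeps only the event IDs listed above and turns them into an account-to-host graph keyed by authentication step. The field names follow the Windows Security event schema; the records themselves are constructed for this example.

```python
from collections import defaultdict

# The event IDs the page lists, mapped to the authentication step they represent.
LOGON_EVENTS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "kerberos TGT request",
    4769: "kerberos ST request",
    4776: "NTLM authentication",
    4672: "special privileges assigned",
}

# Constructed sample records (field names follow the Security event XML; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3, "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.9", "LogonType": 3, "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.9", "LogonType": 3, "Computer": "DC01"},
    {"EventID": 4776, "TargetUserName": "bob", "Workstation": "WS07", "Computer": "DC01"},
    {"EventID": 4672, "SubjectUserName": "alice", "Computer": "DC01"},
    {"EventID": 5140, "TargetUserName": "alice", "Computer": "FS01"},  # share access: not an auth event
]


def build_logon_graph(events):
    """Return {(account, host): {step label: count}} using only the predefined auth events."""
    graph = defaultdict(lambda: defaultdict(int))
    for ev in events:
        label = LOGON_EVENTS.get(ev["EventID"])
        if label is None:
            continue  # events outside the predefined set are ignored, as LogonTracer does
        # 4672 names the account in SubjectUserName; the other IDs use TargetUserName.
        account = ev.get("TargetUserName") or ev.get("SubjectUserName")
        # Prefer the source address or workstation; fall back to the logging computer.
        host = ev.get("IpAddress") or ev.get("Workstation") or ev.get("Computer")
        graph[(account, host)][label] += 1
    return graph


def failed_logon_sources(graph, threshold=2):
    """Edges with repeated logon failures: a first triage signal once the graph is built."""
    hits = []
    for (account, host), labels in graph.items():
        failures = labels.get("logon failure", 0)
        if failures >= threshold:
            hits.append((account, host, failures))
    return sorted(hits)


if __name__ == "__main__":
    for (account, host), labels in build_logon_graph(SAMPLE_EVENTS).items():
        print(f"{account} -> {host}: {dict(labels)}")
```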
Usage and audience
LogonTracer is commonly used for criminal investigations, digital forensics, or learning. Target users for this tool are forensic specialists, security professionals, and system administrators.
- Docker support
- Web interface
Tool review and remarks
The review and analysis of this project resulted in the following remarks for this security tool:
- + More than 500 contributors
- + The source code of this software is available
History and highlights
- Demo at Black Hat USA 2018 Arsenal
Supported operating systems
LogonTracer is known to work on Linux, macOS, and Microsoft Windows.
Several dependencies are required to use LogonTracer.
- Python 3
Similar tools to LogonTracer:
Bitscout is a security tool that allows professionals to perform digital forensics remotely. The toolkit creates a live CD for this purpose.
Digital Forensic Investigative Scripts, or dfis, is a collection of scripts that can be used during forensic investigations.
FIR is an incident response tool written in the Django framework. It provides a web interface to deal with the creation and management of security-related incidents.
Related tool information
This tool is categorized as a digital forensics tool.