LSE toolsLSE toolsLogonTracer (188)LogonTracer (188)

Tool and Usage

Project details

Custom license
Programming language
Shusei Tomonaga
Latest release
Latest release date

Project health

This score is calculated by different factors, like project age, last release date, etc.

Why this tool?

LogonTracer is a tool to investigate malicious logins from Windows event logs with visualization capabilities.

How it works

LogonTracer uses a predefined set of events to find those related to the authentication process. Based on the interactions it shows a visualized representation of the event together with the related hosts. The web interface itself is powered by Flask with data stored in a Neo4j database. Visualization is done using Cytoscape.

Background information

Related Windows event IDs:

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

Usage and audience

LogonTracer is commonly used for criminal investigations, digital forensics, or learning. Target users for this tool are forensic specialists, security professionals, and system administrators.


  • Docker support
  • Web interface

Tool review and remarks

The review and analysis of this project resulted in the following remarks for this security tool:


  • + More than 500 contributors
  • + The source code of this software is available

History and highlights

  • Demo at Black Hat USA 2018 Arsenal

Author and Maintainers

LogonTracer is under development by Shusei Tomonaga.


Supported operating systems

LogonTracer is known to work on Linux, Microsoft Windows, and macOS.


Several dependencies are required to use LogonTracer.

  • Cytoscape
  • Flask
  • Neo4j
  • Neo4j JavaScript driver
  • Python 3

LogonTracer alternatives

Similar tools to LogonTracer:



Bitscout is a security tool that allows professionals performing digital forensics remotely. The toolkit creates a live-cd for this purpose.



FIR is an incident response tool written in the Django framework. It provides a web interface to deal with the creation and management of security-related incidents.


GRR Rapid Response

GRR is a security tool for live forensics on remote systems. It uses a client-server model to obtain information from the systems and store them centrally.

All LogonTracer alternatives

This tool page was updated at . Found an improvement? Help the community by submitting an update.

Related tool information


This tool is categorized as a digital forensics tool.

Related topics