Skip to content

dfirvault/Hayabusa-scanner-menu

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
hayabusa-scanner-menu.py
hayabusa-scanner-menu.py
 
 

Repository files navigation

Hayabusa Event Log Scanner Menu

image

WindowsSandboxRemoteSession_3dOWevfA7m

Version: 1.2 (Includes HTML Report Support)
Author: DFIRVault

This Python script is a Windows-friendly wrapper for the Hayabusa event log timeline tool.
It provides a simple, menu-driven interface to scan folders or mounted forensic images containing .evtx files, then generates CSV timelines and HTML reports for digital forensic and incident response (DFIR) work.

✨ Features

  • GUI Folder/File Selection
    Uses a simple Tkinter interface to pick Hayabusa's executable, EVTX folders, and output locations.
  • CSV + HTML Output
    Automatically generates both a machine-readable CSV timeline and a human-readable HTML report.
  • Case-Based Naming
    Outputs files with the format: 
    YYYYMMDD-FolderName-CaseName-results.csv
YYYYMMDD-FolderName-CaseName-report.html
YYYYMMDD-FolderName-CaseName-log.txt
  • Subfolder Search
    Optionally scans subdirectories to find EVTX files if not in the main folder.
  • Forensic Image Support
    Can scan mounted images or point directly to standard Windows log locations.
  • Portable
    No installation needed — run directly from Python.

📦 Requirements

🚀 Installation

  1. Clone this repository:

    git clone https://github.com/dfirvault/hayabusa-log-tool.git
cd hayabusa-log-tool

  2. Install Python dependencies:

    pip install pywin32

  3. Download Hayabusa and place hayabusa.exe in:

    • C:\Tools\Hayabusa\hayabusa.exe, or
    • The same directory as this script.

🖥️ Usage

Run the script with Python:

python hayabusa_tool.py

Menu Options:

[1] Scan a folder or mounted image containing EVTX files
[0] Exit

📂 Example Workflow

  1. Start the script.
  2. Select the location of hayabusa.exe (first run only).
  3. Choose [1] to scan EVTX files.
  4. Select a folder containing .evtx files (or let the tool search subfolders).
  5. Choose an output location for reports.
  6. Enter a case name (e.g., MAL2024-001).
  7. Wait for Hayabusa to complete — results will open automatically in Windows Explorer.

📄 Example Output

CSV Timeline:

20240815-WorkstationLogs-MAL2024-001-results.csv

HTML Report:

20240815-WorkstationLogs-MAL2024-001-report.html

Log File:

20240815-WorkstationLogs-MAL2024-001-log.txt

⚠️ Notes & Tips

  • Run as Admin: Some log locations may require elevated privileges. Uncomment the is_admin() section in main() if you want automatic UAC prompts.
  • Forensic Image Support: Mount the image and point the tool to the mounted drive’s Windows\System32\winevt\Logs folder.
  • Performance: Hayabusa scan time depends on the number and size of EVTX files.

📜 License

This script is released under the MIT License.
Hayabusa is maintained by Yamato Security and follows its own licensing terms.

🔗 References

About

Menu-based scanner for Hayabusa intended for scanning mounted images and folders with EVTX files.

dfirvault.com

Topics

dfir threat-hunting windows-event-logs detection-engineering sigma-rules hayabusa dfirvault

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages