DNS logs can provide a wealth of information to an incident response investigation. Unfortunately, many organizations are not collecting DNS logs and do not have the operational capability to parse or analyze them. Additionally, Microsoft DNS logs, particularly those from Windows 2003–2008R2, are the ugly
stepsisters of the log world. (Let’s not pretend there aren’t DNS servers out there still riding on those platforms!) So how do we efficiently parse these logs into a format we can easily analyze, as well as provide some basic analysis functions that any responder can use?

Introducing DNSplice, a new tool to accurately parse Microsoft DNS logs for analysis in Excel (the OG of forensic analysis tools) or ingestion into other analysis platforms. Not only will DNSplice make sense of Microsoft DNS logs from Windows 2003 to 2016, but also allows you to apply your API key from various online threat engines to determine if a domain being requested is considered malicious. Additionally, DNSplice will provide base statistics
including client IPs with most requests, domains by least and most frequency, and more! This talk is based on a graduate research paper written for the SANS Technology Institute’s Master of Science in Information Security Engineering Program.

Shelly Giesbrecht (@nerdiosity), Team Lead, Incident Responder, Cisc