Auditing Windows boot drives without booting into them

mvillekid2005

Reputable
Sep 26, 2015
I have an odd scenario and need help figuring out a solution. I have 20 solid state drives that are given out to be put into a hotswap bay of a PC and booted off of. The issue is I have to audit these Windows drives weekly, and I have to put each one into my machine, power up, audit, then shut down to put in the next drive. Rinse and repeat. First question: is there an enclosure that will take 2.5" drives already on sleds, power them, and connect via USB?
Second, I use a script to audit, and I get that I would have to edit the script, but can you even pull Windows Event Logs off of a Windows OS drive without booting to it? Any ideas on solutions to accomplish this?
 
Barty1884

Retired Moderator
I don't know of an enclosure that'll take them already on sleds..... But a SATA to USB3.0 cable should do the trick, no?
https://www.amazon.ca/Sabrent-2-5-Inch-Adapter-Optimized-EC-SSHD/dp/B011M8YACM?th=1&psc=1&source=googleshopping&locale=en-CA&tag=googcana-20&ref=pd_sl_4shxd35m3t_e

Or you could just cannibalize a 2.5" external enclosure, removing the SATA connector from the enclosure and connect it to a drive on a sled directly?


IIRC, Event log files are just XMLs and, although Windows locks them down, the only aspect needed to 'open' them would be Windows running.... not necessarily from the same drive. So secondary storage via USB should be fine.

From memory, those files are stored in "C:\Windows\System32\" and something like "winevtlogs"
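
As an added example (not part of the original thread or any poster's script): a PowerShell sketch of the weekly audit run against a drive attached over USB instead of booted. It reads the saved `.evtx` files from the default log folder, `Windows\System32\winevt\Logs`, on the attached volume. The drive letter `E`, the 7-day window and the `C:\AuditReports` output folder are assumptions.

```powershell
# Added example: audit the event logs of an offline Windows drive attached over USB.
# Assumptions (not from the thread): drive letter E, a 7-day window, and the
# C:\AuditReports output folder.
param(
    [string]$DriveLetter = 'E',
    [int]$Days = 7,
    [string]$OutDir = 'C:\AuditReports'
)

# Default event log folder, relative to the attached drive rather than the running OS.
$logDir = "${DriveLetter}:\Windows\System32\winevt\Logs"
if (-not (Test-Path -LiteralPath $logDir)) {
    throw "No Windows event log folder found at $logDir"
}

# Name reports after the volume serial number so each drive gets its own files.
$vol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'"
$tag = if ($vol.VolumeSerialNumber) { $vol.VolumeSerialNumber } else { $DriveLetter }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$since = (Get-Date).AddDays(-$Days)
foreach ($name in 'Security', 'System', 'Application') {
    $file = Join-Path $logDir "$name.evtx"
    if (-not (Test-Path -LiteralPath $file)) { continue }

    # The Path key makes Get-WinEvent read the saved file instead of the live log.
    # It raises an error when nothing matches, so suppress that and treat it as empty.
    $events = Get-WinEvent -FilterHashtable @{ Path = $file; StartTime = $since } `
        -ErrorAction SilentlyContinue
    if (-not $events) {
        '{0}: no events since {1:u}' -f $name, $since
        continue
    }

    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path (Join-Path $OutDir "$tag-$name.csv") -NoTypeInformation

    '{0}: {1} events since {2:u}' -f $name, @($events).Count, $since
}
```

The `Message` column can come back empty for events whose provider is not installed on the auditing machine; the event ID, time and provider name are still read from the file.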
 