Hello,
Does anyone know of any good articles or sites that reference using the native Windows Event logging in forensic investigations? I am just looking to see the many different and creative ways analysts use Windows logging to find intrusions or find different kinds of evidence.
Thanks,
"Windows Forensic Analysis"???
Thanks,
Read the book, great book, but looking for more on this particular subject.
Thanks,
Anything in particular?
Hello,
What I am looking for is an article, paper or story on how an investigator answered forensic questions or helped put the pieces of a puzzle together using Windows Event logging, for example, timeline analysis showed file activity through media analysis and that was also paired with five unsuccessful logins and then one successful login from a user who has not logged into this system in 4 months etc. I know that is a generic version. Basically I am just looking to see the many different and creative ways analysts use Windows logging to find intrusions or find different kinds of evidence. I am not looking for a technical paper on tools to do the analysis or how to set up the logging, but more how it has helped others in investigations. Trying to show the different creative ways that people can use it.
Thanks
Jake,
Sounds like you've kind of described those yourself already. 😉
I think that part of the reason why you're not getting many responses is that, at least from my perspective, I rarely get anything useful from the Event Log. Generally, the first thing I start with is getting the audit configuration from the Registry…that gives me an idea of what to expect. I generally start with this because I've heard of examiners who say that they're "doing analysis of the Event Log", but they are very non-specific…hoping to find something, rather than specifically looking for something.
From there, I run a tool I wrote called evtrpt.exe…it parses through an EVT file and tells me the date range of all of the entries, as well as the distribution of event IDs and sources. I can see right away if I'm going to see any records associated with logins, etc. From the Registry and evtrpt output, I know what I can expect to find, and can narrow things down and look for exactly what I need.
However, like I mentioned…I rarely find anything useful in the Event Log…but that doesn't mean that I stop looking (it's part of my own SOP). I've had everything from no logging enabled to some logging enabled at such a sensitive level that it's all noise.
I know that's not what you're looking for, but I do hope that someone else is able to provide you with what you're looking for. You may find something interesting in some of the older posts here
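As an added illustration of the evtrpt-style triage described in the reply above (example code written for this thread, not the poster's evtrpt.exe): it carves EVENTLOGRECORD structures out of a legacy .evt image by signature, then reports the date range and the (source, event ID) distribution. The .evt image is constructed inline from the documented record layout; the timestamps, hostname and event IDs in it are made up.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

LFLE = b"LfLe"                 # signature 4 bytes into every EVENTLOGRECORD (and the file header)
FIXED = "<I4sIIIIHHHHIIIIII"   # 56-byte fixed part of EVENTLOGRECORD, little-endian

def parse_evt_records(data: bytes):
    """Carve EVENTLOGRECORDs out of a legacy .evt image by signature instead of trusting the
    header offsets, so a log whose header was never flushed ("dirty" log) still yields records."""
    records, pos = [], data.find(LFLE)
    while pos >= 4 and pos + 52 <= len(data):
        start = pos - 4
        (length, _sig, rec_no, t_gen, _t_wri, event_id, ev_type, _n_str, _cat, _flags,
         _closing, str_off, _sid_len, _sid_off, _dlen, _doff) = struct.unpack_from(FIXED, data, start)
        # A genuine record repeats its Length as the final DWORD; this rejects chance 'LfLe' hits and
        # the 48-byte file header, which carries the signature but is too short to be a record.
        if 56 <= length <= len(data) - start and struct.unpack_from("<I", data, start + length - 4)[0] == length:
            # SourceName and Computername are NUL-terminated UTF-16LE strings after the fixed part
            names = data[start + 56:start + str_off].decode("utf-16-le", "replace").split("\x00")
            records.append({"record": rec_no, "time_generated": t_gen, "event_id": event_id & 0xFFFF,  # low word = ID shown by Event Viewer
                            "type": ev_type, "source": names[0], "computer": names[1] if len(names) > 1 else ""})
            pos = data.find(LFLE, start + length)
        else:
            pos = data.find(LFLE, pos + 1)
    return records

def evt_report(data: bytes):
    """evtrpt-style summary: record count, UTC date range and (source, event ID) distribution."""
    recs = parse_evt_records(data)
    times = [r["time_generated"] for r in recs]
    first, last = [datetime.fromtimestamp(t, timezone.utc).isoformat() for t in (min(times), max(times))] if times else (None, None)
    return {"count": len(recs), "first": first, "last": last,
            "distribution": Counter((r["source"], r["event_id"]) for r in recs)}

def build_record(rec_no, t_gen, event_id, ev_type, source, computer):
    """Build a minimal record (no SID, strings or data) for the constructed sample image below."""
    names = f"{source}\x00{computer}\x00".encode("utf-16-le")
    body = 56 + len(names)
    length = (body + 4 + 7) & ~7            # record size including trailing Length, 8-byte aligned
    fixed = struct.pack(FIXED, length, LFLE, rec_no, t_gen, t_gen, event_id, ev_type, 0, 0, 0,
                        rec_no, body, 0, body, 0, body)
    return fixed + names + b"\x00" * (length - body - 4) + struct.pack("<I", length)

# Constructed sample: header, one service-start event, five failed logons (529), one success (528)
HEADER = struct.pack("<I4sIIIIIIIIII", 48, LFLE, 1, 1, 48, 0, 8, 1, 0x80000, 0, 0, 48)
SAMPLE_EVT = HEADER + b"".join(
    [build_record(1, 1200000000, 6005, 4, "EventLog", "WS01")]
    + [build_record(2 + i, 1200003600 + 10 * i, 529, 16, "Security", "WS01") for i in range(5)]
    + [build_record(7, 1200003660, 528, 8, "Security", "WS01")])
```

Running `evt_report(SAMPLE_EVT)` on the constructed image gives the same at-a-glance picture the reply describes: a one-hour window, one EventLog 6005, five Security 529 and one Security 528, before any record is read in detail.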