I am trying to make sense of some event logs. My goal is to track and identify when a particular user logs into their account and back out. I'm looking in the security log. I see the event 4608, which indicates Windows is starting up for a given day. I see several logon events, but none are for my target account. However, the name of the other account being logged into seems odd: sometimes the account name has a $ right after it, and the domain is either the account name, but plural, or another - in this case SCHOOL; the $ appears after the account name when the domain is SCHOOL. After a few of these I find a logOFF event for the target account. Any idea why this is? How reliable are event logs? Any resources online I can start educating myself on them?
Most important is why am I not seeing my target logon.
Thanks
Which version of Windows are you working with here? How have you extracted the data, or are you looking at the logs manually?
I've exported the logs from my evidence using EnCase and am looking at them using Win 7 64-bit (Event Viewer). The logs are from Win Vista. I may have figured part of my question out. I was not looking at all the data available (forgot to scroll down!). Now, in the General tab in Event Viewer, under the Subject where the other user's account name appears with the $ after it, there is a section called New Logon with my target account name in it. This is event 4624. At the same exact time is another logon that states "a logon was attempted using explicit credentials". Event 4648.
Two seconds later I get a logoff for my target account, Event 4624
Thanks for any help. Who designs this stuff!!!
I see the event 4608, which indicates Windows is starting up for a given day. I see several logon events, but none are for my target account.
What kind of log are you looking at – client, DC, file server, … ? If DC, how many DCs are there in the domain?
(Added: You say 'Windows Vista' … so I presume you mean client logs.)
However, the name of the other account being logged into seems odd: sometimes the account name has a $ right after it, and the domain is either the account name, but plural, or another - in this case SCHOOL; the $ appears after the account name when the domain is SCHOOL.
'$' usually indicates machine-related accounts – they are not closely related to user logins.
After a few of these I find a logOFF event for the target account. Any idea why this is? How reliable are event logs? Any resources online I can start educating myself on them?
Logoff being exactly what event? User-initiated? Or just an end-of session that will be automatically renewed if the user tries to access the relevant resource again?
Try http://www.ultimatewindowssecurity.com for much more information – especially look over their description of Windows logons of various types. I found their 'Windows Server 2003 Security Log Revealed' book very useful when I had to interpret event log records.
Most important is why am I not seeing my target logon.
Assuming client logs: It occasionally happens that log entries do not show – probably lost somewhere. If the user never logs out, and there was no need for a reboot, you can sometimes see logs that have been overwritten, so that the earliest entries are gone. Or … the login might be done by some special software that doesn't log things the way you expect. (This is rare, though – usually Microsoft Windows software is involved, and that should log things correctly.)
On the off chance that you are referring to DC logs:
The domain-related security logs that I know best are DC-related. In that case … if the domain has one PDC and one BDC, you need to look at both logs. (If you're looking at something post Windows 2003, though, I think there have been changes in this area, what with log replication and other stuff.) Your best bet is always to have a chat with whoever manages the domain, and knows how the DCs have been configured.
This is event 4624. At the same exact time is another logon that states "a logon was attempted using explicit credentials". Event 4648.
4624 … for interactive logons, you're probably only interested in event type 2, 7 and perhaps 10. Type 3 is about accessing shared folders … which might be interesting in some situations involving file access, not user log-in.
4648 … a bit more tricky to interpret, but usually means that the user did something special (RUNAS, or running a program that needed admin rights, or … ). See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648 for details.
Windows does 'logons' all the time, and many are done automatically. The user need not even be present at the console.
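To make the Subject vs. New Logon distinction and the logon-type filtering from this reply concrete, here is an added example (not from the thread, EnCase or Event Viewer) that reads events saved from Event Viewer as XML, keeps only 4624 logons whose New Logon (TargetUserName) is the account of interest, and pairs each with its 4634 logoff via TargetLogonId. It assumes the saved-XML layout (an `<Events>` wrapper around namespaced `<Event>` records) and that logoffs are logged as 4634; the user name, machine account PC1$, logon IDs and timestamps are constructed sample data.

```python
"""Pair 4624 logons with 4634 logoffs for one account from Event Viewer XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERACTIVE = {"2", "7", "10"}  # console, unlock, remote desktop (type 3 = network share)

# Constructed sample: the machine account PC1$ is the Subject, the user is the New Logon.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2011-03-01T08:00:00Z"/></System>
 <EventData><Data Name="SubjectUserName">PC1$</Data><Data Name="TargetUserName">jdoe</Data>
 <Data Name="TargetLogonId">0x3e7a</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2011-03-01T08:00:01Z"/></System>
 <EventData><Data Name="SubjectUserName">PC1$</Data><Data Name="TargetUserName">jdoe</Data>
 <Data Name="TargetLogonId">0x3e9b</Data><Data Name="LogonType">3</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2011-03-01T08:00:03Z"/></System>
 <EventData><Data Name="TargetUserName">jdoe</Data>
 <Data Name="TargetLogonId">0x3e9b</Data><Data Name="LogonType">3</Data></EventData></Event>
</Events>"""


def fields(ev):
    """Flatten one <Event> into a dict of its EventData names plus id and time."""
    d = {x.get("Name"): x.text for x in ev.findall("e:EventData/e:Data", NS)}
    d["id"] = ev.find("e:System/e:EventID", NS).text
    d["time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return d


def sessions(xml_text, user):
    """Return [(logon_time, logoff_time or None, logon_type, subject)] for user,
    matching 4624 to 4634 on TargetLogonId; the Subject ('PC1$') is ignored
    for filtering because it is the account that *performed* the logon."""
    evs = [fields(e) for e in ET.fromstring(xml_text).findall("e:Event", NS)]
    logons = {e["TargetLogonId"]: e for e in evs
              if e["id"] == "4624" and e["TargetUserName"].lower() == user.lower()}
    logoffs = {e["TargetLogonId"]: e for e in evs if e["id"] == "4634"}
    return [(lg["time"], logoffs.get(lid, {}).get("time"), lg["LogonType"], lg["SubjectUserName"])
            for lid, lg in sorted(logons.items(), key=lambda kv: kv[1]["time"])]


def interactive_sessions(xml_text, user):
    """Keep only the logon types a user at the console would produce."""
    return [s for s in sessions(xml_text, user) if s[2] in INTERACTIVE]
```

A logon with no matching 4634 (logoff time None) is either still open or its logoff was lost or overwritten, which is exactly the gap the reply above warns about.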