Windows Event Logs record evidence of many significant types of activity, including when a machine was booted or shut down, when users logged in and out and from where, device insertions, network connections and so much more. But knowing how to efficiently find this evidence is complicated by several factors. Investigators need to sort through the many types of events recorded, Event ID numbers that are inconsistent across Windows versions, and multiple log file formats. The fact that there can easily be hundreds of thousands of records on even lightly used machines can make analyzing Event Logs a daunting task. All these factors can present a significant barrier to investigators using Event Logs to their fullest potential.
Join our Senior Digital Forensics Researcher, Dr. Vico Marziale, as he walks you through the tools you need to quickly and easily get to the important information that can add an abundance of context to your case.
During this webinar, Vico will cover:
- History and background of Event Logs on Windows
- Types of case-related activity Event Logs can speak directly to
- How to find the important information in the sea of log entries
- How to build activity timelines of important system events using just the Event Logs
Dr. Vico Marziale: Ph.D., Senior Digital Forensics Researcher at Cellebrite
Vico is a Senior Digital Forensics Researcher here at Cellebrite, where he is responsible for R&D supporting all our software offerings. He holds a Ph.D. in digital forensics, and over the years has done forensics and general cybersecurity work, written open source tools, and delivered presentations and trainings at numerous venues across the US and internationally. Vico has led many key research initiatives, including research on FSEvents, Spotlight artifacts, and Windows forensic artifacts.