Scribd
Upload
281 views2 pages

Windows Event Log Analysis Guide

The document discusses using event logs for forensic analysis on Windows systems. It describes the Event Viewer tool which allows viewing and analyzing event logs locally or remotely. Event IDs uniquely identify system events that can be used for auditing and diagnosing problems. The document recommends combining log entries from multiple sources and using statistical analysis to find correlations. It also provides links about using event logs for forensics investigations. Examples of security-related event IDs include successful/failed logins and new user account creations. The document instructs to take screenshots of logon, logoff, and blank password query events from the Event Viewer tool. It also introduces the Event Log Explorer third-party tool with forensic analysis features and instructs to take

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
281 views2 pages

Windows Event Log Analysis Guide

The document discusses using event logs for forensic analysis on Windows systems. It describes the Event Viewer tool which allows viewing and analyzing event logs locally or remotely. Event IDs uniquely identify system events that can be used for auditing and diagnosing problems. The document recommends combining log entries from multiple sources and using statistical analysis to find correlations. It also provides links about using event logs for forensics investigations. Examples of security-related event IDs include successful/failed logins and new user account creations. The document instructs to take screenshots of logon, logoff, and blank password query events from the Event Viewer tool. It also introduces the Event Log Explorer third-party tool with forensic analysis features and instructs to take

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Exercise 3

24/08/2021

Event log analysis

1) Event Viewer

It is an important component of Microsoft’s Windows family of operating systems. It lets


administrators and users view event logs on a local or remote machine. Applications and
operating-system components can use this centralized log service to report events that
have taken place, such as a failure to start a component or to complete an action. Event
Viewer uses event IDs to define the uniquely identifiable events that a Windows
computer can encounter. Event logs record events taking place in the execution of a
system in order to provide an audit trail that can be used to understand the activity of the
system and to diagnose problems. It is often useful to combine log file entries from
several sources. This approach, in combination with statistical analysis, may yield
correlations between seemingly unrelated events on different servers. Other solutions
employ network-wide querying and reporting. Windows Event Logs can potentially be
used by a forensic examiner to show what a user has done on a computer. They can be
used to assist in answering the question “could this happen?”

Refer the following links for more details about the use of event logs for forensics

https://en.wikipedia.org/wiki/Event_Viewer

https://www.blackbagtech.com/blog/2017/01/27/leveraging-windows-event-logs-in-exam
inations/

https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/

https://medium.com/@lucideus/introduction-to-event-log-analysis-part-1-windows-forens
ics-manual-2018-b936a1a35d8a

https://medium.com/@lucideus/event-log-analysis-part-2-windows-forensics-manual-201
8-75710851e323

Event ids are generated for events useful in forensic investigation. Examples include

a) Successful logon

b) Failed login

c) A new user account was created


Use the Event Viewer tool in a Microsoft Windows computer and take screenshots of
THREE security related events such as

(i) Logon

(ii) Logoff

(iii) Attempt made to query the existence of a blank password for an account

2) The Event Log Explorer tool

This tool can be got from https://eventlogxp.com it is available for free for personal
non-commercial use. It is also available for commercial use. It is an extension of the
Microsoft Event Viewer tool. It has many features helpful in forensic analysis.
https://eventlogxp.com/event-log-forensic.html

Download this tool on a Windows computer and take screenshots of two security related
events such as those listed in the previous exercise.

You might also like