Chapter 12: Windows Event Logs

Presentation Transcript


  1. Chapter 12: Windows Event Logs Mastering Windows Network Forensics and Investigation

  2. Chapter Topics: • Event Log Storage • Using Event Viewer • Efficient Event Log Parsing

  3. Event Log Storage • Stored in a proprietary, binary format • Not editable/viewable with a standard text editor • Files end in .evt or .evtx depending on the operating system

  4. Event Log Storage • Windows 2000/XP: .evt • Windows Vista +: .evtx • Files such as: • System.evtx • Application.evtx • Security.evtx

  5. Event Log Storage • EVT-format event logs are stored in the %SystemRoot%\System32\config folder, along with the registry hive files • EVTX-format event logs are stored in the %SystemRoot%\System32\winevt\Logs folder
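Because the logs are binary and their extension can be changed, an examiner normally confirms the format from the file's own signature rather than from its name. The following Python block is an added example, not part of the slide deck: it classifies a file header as EVT or EVTX using the publicly documented signatures (EVT begins with its header length 0x30 followed by the ASCII marker "LfLe"; EVTX begins with "ElfFile\0"), maps each format to the folder the slides name, and flags files whose extension disagrees with their contents. The sample headers are constructed inline; the function and constant names are the example's own.

```python
import struct
from pathlib import Path

# Signatures at the start of each on-disk format (from the public format
# descriptions, not from the slides):
#   .evt  : little-endian DWORD header length (0x30) followed by "LfLe"
#   .evtx : 8-byte file signature "ElfFile\x00"
EVT_SIGNATURE = b"LfLe"
EVT_HEADER_LEN = 0x30
EVTX_SIGNATURE = b"ElfFile\x00"

# Where the slides say each format lives, relative to %SystemRoot%.
EXPECTED_DIRS = {
    "evt": r"System32\config",
    "evtx": r"System32\winevt\Logs",
}


def identify_log_format(header: bytes) -> str:
    """Return 'evt', 'evtx' or 'unknown' from the first bytes of a file,
    deliberately ignoring the file extension."""
    if header[:8] == EVTX_SIGNATURE:
        return "evtx"
    if len(header) >= 8 and header[4:8] == EVT_SIGNATURE:
        # Also require the leading header-length DWORD to be 0x30 so a stray
        # "LfLe" string in some other file is not accepted as an EVT log.
        (hdr_len,) = struct.unpack("<I", header[:4])
        if hdr_len == EVT_HEADER_LEN:
            return "evt"
    return "unknown"


def describe_header(name: str, header: bytes) -> dict:
    """Classify one header and compare the result with the file's extension."""
    fmt = identify_log_format(header)
    ext = Path(name).suffix.lower().lstrip(".")
    return {
        "name": name,
        "format": fmt,
        "expected_dir": EXPECTED_DIRS.get(fmt),
        "extension_matches": fmt != "unknown" and fmt == ext,
    }


def check_file(path: str) -> dict:
    """Read the first 8 bytes of a real file and classify it (not used by the
    constructed samples below)."""
    with open(path, "rb") as fh:
        return describe_header(path, fh.read(8))


# Constructed sample headers (not taken from real log files).
SAMPLE_HEADERS = {
    "Security.evtx": EVTX_SIGNATURE + b"\x00" * 8,
    "SysEvent.evt": struct.pack("<I", EVT_HEADER_LEN) + EVT_SIGNATURE + b"\x01\x00\x00\x00",
    "notes.txt": EVTX_SIGNATURE + b"\x00" * 8,      # an EVTX log renamed to hide it
    "fake.evt": b"LfLeLfLe",                         # bad header length, not an EVT log
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {name: format}."""
    return {name: describe_header(name, hdr)["format"] for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(describe_header(name, hdr))
```

Running the block prints one dictionary per sample; the renamed `notes.txt` is reported as EVTX with `extension_matches` false, which is the case an examiner wants surfaced.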

  6. Event Log Storage • Application Log – Written to by any application • System Log – Stores events related to system operation and maintenance • Security Log – Security-related events • Many other log files can be found on Windows Vista and later, but these are the ones of primary importance

  7. Event Viewer • Microsoft-provided tool for reading .evt/.evtx files • GUI based • Menus are context sensitive, changing based on the part of Event Viewer that is in focus • Layout differs between Windows XP and Vista+

  8. Event Viewer – Windows XP

  9. Event Viewer – Windows XP • Double-clicking a log entry brings up its properties, revealing the detailed description

  10. Event Viewer – Windows Vista+

  11. Event Viewer – Windows Vista+ • Double-clicking a log entry brings up its properties, revealing the detailed description

  12. Event Log Parsing • Learning to efficiently parse event logs is vital • Focus on Event IDs, the numbers given to particular events that indicate what is being recorded • Use the Filter feature to focus your search, and use Find to search within the filtered results

  13. Event Log Parsing • Filter can reduce your view based on event type, Event ID, date and time range, etc. • Find searches within the Description field, forward or backward, for the next occurrence of a particular string
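The filter-then-find workflow of slides 12 and 13 is easy to reproduce outside the GUI once records have been exported. The Python block below is an added example (not from the slides or from Event Viewer): it works over a constructed list of records shaped like Event Viewer rows, narrows them by Event ID, event type and time range, counts what remains by Event ID as a quick triage view, and then walks forward or backward through the Description field for the next match the way Find does. The records, Account Names and timestamps are made up; the Event IDs used (4624, 4625, 1102, 6005) are well-known Windows IDs.

```python
from collections import Counter
from datetime import datetime
from typing import Iterable, Optional

# Constructed sample records (not real log data), in the shape Event Viewer
# shows them: record number, timestamp, event type, Event ID, description.
SAMPLE_EVENTS = [
    {"RecordId": 101, "TimeCreated": datetime(2023, 5, 1, 8, 0, 0), "Type": "Information",
     "EventID": 6005, "Description": "The Event log service was started."},
    {"RecordId": 102, "TimeCreated": datetime(2023, 5, 1, 8, 5, 0), "Type": "Audit Success",
     "EventID": 4624, "Description": "An account was successfully logged on. Account Name: alice Logon Type: 2"},
    {"RecordId": 103, "TimeCreated": datetime(2023, 5, 1, 9, 15, 0), "Type": "Audit Failure",
     "EventID": 4625, "Description": "An account failed to log on. Account Name: bob Logon Type: 3"},
    {"RecordId": 104, "TimeCreated": datetime(2023, 5, 1, 9, 16, 0), "Type": "Audit Failure",
     "EventID": 4625, "Description": "An account failed to log on. Account Name: bob Logon Type: 3"},
    {"RecordId": 105, "TimeCreated": datetime(2023, 5, 1, 9, 30, 0), "Type": "Audit Success",
     "EventID": 1102, "Description": "The audit log was cleared. Account Name: bob"},
    {"RecordId": 106, "TimeCreated": datetime(2023, 5, 2, 7, 45, 0), "Type": "Audit Success",
     "EventID": 4624, "Description": "An account was successfully logged on. Account Name: alice Logon Type: 2"},
]


def filter_events(events: Iterable[dict], event_ids=None, types=None,
                  start: Optional[datetime] = None, end: Optional[datetime] = None) -> list:
    """Equivalent of Event Viewer's Filter: keep records matching every
    criterion that was given (None means 'do not filter on this')."""
    out = []
    for ev in events:
        if event_ids is not None and ev["EventID"] not in event_ids:
            continue
        if types is not None and ev["Type"] not in types:
            continue
        if start is not None and ev["TimeCreated"] < start:
            continue
        if end is not None and ev["TimeCreated"] > end:
            continue
        out.append(ev)
    return out


def count_by_event_id(events: Iterable[dict]) -> dict:
    """Triage view: how many records of each Event ID are in the filtered set."""
    return dict(Counter(ev["EventID"] for ev in events))


def find_next(events: list, needle: str, current: Optional[int] = None,
              backward: bool = False) -> Optional[int]:
    """Equivalent of Event Viewer's Find: return the index of the next record
    whose Description contains `needle` (case-insensitive), searching forward
    from the record after `current`, or backward from the one before it.
    `current=None` starts at the first (forward) or last (backward) record."""
    needle = needle.lower()
    if backward:
        idx = len(events) - 1 if current is None else current - 1
        step = -1
    else:
        idx = 0 if current is None else current + 1
        step = 1
    while 0 <= idx < len(events):
        if needle in events[idx]["Description"].lower():
            return idx
        idx += step
    return None


def record_ids(events: Iterable[dict]) -> list:
    """Convenience: the RecordId column of a filtered set."""
    return [ev["RecordId"] for ev in events]


if __name__ == "__main__":
    day_one = filter_events(SAMPLE_EVENTS, start=datetime(2023, 5, 1), end=datetime(2023, 5, 1, 23, 59, 59))
    print("Records on 2023-05-01:", record_ids(day_one))
    print("Counts by Event ID:", count_by_event_id(day_one))
    hit = find_next(day_one, "bob")
    while hit is not None:
        print("Find hit at record", day_one[hit]["RecordId"])
        hit = find_next(day_one, "bob", current=hit)
```

The design mirrors the GUI: Filter is applied first to shrink the working set, and Find then iterates only within that set, so a search for an account name never wanders into records outside the chosen time window.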

  14. Event Log Parsing • If your analysis system is connected to the Internet, the built-in Help and Support Center link on the Properties page of each event entry will provide additional information about most Event Log entries and their meaning.

  15. Event Log Parsing • There are many (better?) log parsers available for low or no cost • If there is a large volume of logs to review, consider tools such as Splunk for initial processing
