
Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs.


1 Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs

2 Chapter Topics
– Event Log Storage
– Using Event Viewer
– Efficient Event Log Parsing

3 Event Log Storage
– Stored in a proprietary, binary format
– Not editable/viewable with a standard text editor
– Files end in .evt or .evtx depending on the Operating System

4 Event Log Storage
– Windows 2000/XP: .evt
– Windows Vista+: .evtx
– Files such as:
    – System.evtx
    – Application.evtx
    – Security.evtx

5 Event Log Storage
– EVT format event logs are stored in the %SystemRoot%\System32\config folder, along with the registry hive files
– EVTX format event logs are stored in the %SystemRoot%\System32\winevt\Logs folder

6 Event Log Storage
– Application Log – written to by any application
– System Log – stores events related to system operation and maintenance
– Security Log – security-related events
– Many other log files can be found from Windows Vista onward, but these are the ones of primary importance
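The following is an added example, not part of the slide deck, showing how an examiner can turn the storage facts on slides 3-6 into an acquisition step: inventory the .evt/.evtx files on a live system or a mounted image, identify the on-disk format from the file header rather than trusting the extension, and record a SHA-256 hash for each file. The function and parameter names are this example's own choices; the default folder is the EVTX location from slide 5.

```powershell
# Added example (not from the slide deck): inventory and hash Windows event
# log files, detecting EVT vs EVTX from the header signature.

function Get-EventLogFileInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Share mode ReadWrite: the Event Log service keeps live logs open for
    # writing, and a stricter share mode fails on a running system.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::ReadWrite)
    try {
        $header = New-Object byte[] 8
        $read   = $fs.Read($header, 0, 8)
        $fs.Position = 0
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    finally { $fs.Dispose() }

    $ascii  = if ($read -eq 8) { [System.Text.Encoding]::ASCII.GetString($header) } else { '' }
    $format = 'Unknown'
    # Vista+ EVTX files start with the 8-byte signature "ElfFile\0".
    if ($ascii.StartsWith('ElfFile')) { $format = 'EVTX' }
    # 2000/XP EVT files carry "LfLe" at offset 4, right after the header size.
    elseif ($ascii.Length -ge 8 -and $ascii.Substring(4, 4) -eq 'LfLe') { $format = 'EVT' }

    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name         = $item.Name
        Format       = $format
        SizeBytes    = $item.Length
        LastWriteUtc = $item.LastWriteTimeUtc
        Sha256       = $hash
        Path         = $item.FullName
    }
}

function Get-EventLogInventory {
    param(
        # Assumed default: the live EVTX folder from slide 5. For an offline image
        # pass e.g. 'E:\Windows\System32\winevt\Logs', or for a 2000/XP image
        # 'E:\WINDOWS\system32\config' (EVT files sit beside the registry hives).
        [string]$Root = (Join-Path $env:SystemRoot 'System32\winevt\Logs')
    )
    Get-ChildItem -LiteralPath $Root -File |
        Where-Object { $_.Extension -in '.evt', '.evtx' } |
        ForEach-Object { Get-EventLogFileInfo -Path $_.FullName }
}

# Usage (run elevated; Security.evtx is not readable by standard users):
#   Get-EventLogInventory | Sort-Object Name | Format-Table -AutoSize
#   Get-EventLogInventory | Export-Csv -NoTypeInformation .\eventlog-inventory.csv
```

A file whose extension says .evtx but whose header is neither signature is worth a second look before it goes into a parser: it may be truncated, renamed, or not an event log at all. Hashing at collection time gives you the value to compare against after the files are copied off the system.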

7 Event Viewer
– Microsoft-provided tool for reading .evt/.evtx files
– GUI based
– Menus are context sensitive, changing based on the part of Event Viewer that is in focus
– Layout is different between Windows XP and Vista+

8 Event Viewer – Windows XP

9 Double clicking on a log entry brings up its properties, revealing the detailed description

10 Event Viewer – Windows Vista+

11 Double clicking on a log entry brings up its properties, revealing the detailed description

12 Event Log Parsing
– Learning to efficiently parse event logs is vital
– Focus on Event IDs, the numbers given to particular events that indicate what is being recorded
– Use the Filter feature to focus your search, and use Find to search within the filtered results

13 Event Log Parsing
– Filter can reduce your view based on event type, Event ID, date and time range, etc.
– Find can search within the Description field and will search forward or backward for the next occurrence of a particular string
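As an added example that is not part of the slide deck, the Filter and Find steps from slides 12-13 can be reproduced from the command line with Get-WinEvent, which works against both a live log and an exported .evtx file. The filter (event type, Event ID, date/time range) is handed to the Event Log service so the selection happens before records reach PowerShell; the Find step is then a substring match on the rendered description. The function and parameter names are this example's own, and the file path in the usage comment is constructed.

```powershell
# Added example (not from the slide deck): Event Viewer's Filter + Find,
# scripted with Get-WinEvent for a live log or an exported .evtx file.

function Search-EventLog {
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(ParameterSetName = 'Live')]            [string]   $LogName = 'System',
        [Parameter(ParameterSetName = 'File', Mandatory)] [string]   $Path,
        [int[]]    $EventId,
        [int[]]    $Level,          # Event Viewer "event type": 1=Critical 2=Error 3=Warning 4=Information
        [datetime] $Start,
        [datetime] $End,
        [string]   $Find,
        [int]      $MaxEvents = 10000
    )

    # Filter: build a FilterHashtable so the Event Log service does the selection.
    # Pulling every record and filtering in PowerShell is far slower, especially
    # on a busy Security log.
    $filter = @{}
    if ($PSCmdlet.ParameterSetName -eq 'File') { $filter['Path']    = $Path }
    else                                        { $filter['LogName'] = $LogName }
    if ($EventId)                                { $filter['Id']        = $EventId }
    if ($Level)                                  { $filter['Level']     = $Level }
    if ($PSBoundParameters.ContainsKey('Start')) { $filter['StartTime'] = $Start }
    if ($PSBoundParameters.ContainsKey('End'))   { $filter['EndTime']   = $End }

    # Get-WinEvent reports an error instead of returning nothing when no record
    # matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    # Find: case-insensitive substring match on the description. Message is null
    # when the provider's message resources are not installed on the analysis
    # box (common with .evtx files exported from another system), so guard it.
    if ($Find) {
        $events = $events | Where-Object {
            $_.Message -and
            $_.Message.IndexOf($Find, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
    }

    $events | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName,
        @{ Name = 'Summary'; Expression = {
            # First line of the description, or the raw event XML when the
            # description could not be rendered.
            if ($_.Message) { ($_.Message -split "`r?`n")[0] } else { $_.ToXml() }
        } }
}

# Usage on a live system: Event Log service start/stop records (6005/6006)
# from the last seven days, warnings and errors only.
#   Search-EventLog -LogName System -EventId 6005, 6006 -Level 2, 3 -Start (Get-Date).AddDays(-7)
#
# Usage on an exported log from a case drive (constructed path): successful
# logons (4624) whose description mentions a particular account name.
#   Search-EventLog -Path 'E:\case\Security.evtx' -EventId 4624 -Find 'svc_backup'
```

When the summary column shows XML instead of a description, the analysis system lacks the message resources for that provider; the Event ID, provider, and the EventData values inside the XML are still intact, so filtering on those is unaffected. For criteria a hashtable cannot express (for example matching a specific EventData field), Get-WinEvent also accepts -FilterXPath and -FilterXml, which correspond to the XML filter Event Viewer builds behind its Filter dialog.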

14 Event Log Parsing
– If your analysis system is connected to the Internet, the built-in Help and Support Center link on the Properties page of each Event entry will provide additional information about most Event Log entries and their meaning.

15 Event Log Parsing
– There are many (better?) log parsers available for low/no cost
– If there is a large volume of logs to review, consider tools such as Splunk for initial processing
