Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 11: Text-Based Logs.

Published byJanel Griffith Modified over 9 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 11: Text-Based Logs."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 11: Text-Based Logs

2 September 18, 2015 © Wiley Inc. 2007. All Rights Reserved 2 Chapter Topics: Windows IIS Logs Windows FTP Server Logs Windows DHCP Server Logs Windows XP Firewall Logs Microsoft Log Parser

3 Windows IIS Logs Microsoft web server is called Internet Information Services (IIS) Detailed logging enabled by default Most common & default format is WC3 Extended Log File Format Log timestamps are GMT Default location: %WinDir%\System32\Logfiles\W3SVC1\ Log per day in format exyymmdd.log, where yy=year, mm=month, & dd=day

4 Example of IIS Log Entry

5 Windows FTP Logs Microsoft FTP Server Detailed logging enabled by default Most common & default format is WC3 Extended Log File Format Log timestamps are GMT Default location: %WinDir%\System32\Logfiles\MSFTPSV C1\ Log per day in format exyymmdd.log, where yy=year, mm=month, & dd=day

6 Example of FTP Log Entry

7 Microsoft DHCP Server Logs Dynamic Host Configuration Protocol (DHCP) service in which IP address assigned dynamically upon request by host. Microsoft servers provide this services IP address loaned for a short period and thus which machine had which IP address is based on particular point in time. Logs record host to which IP was assigned Time is local system time zone!

8 Microsoft DHCP Server Logs Default location for log is: C:\%SystemRoot%\System32\DHCP\ Logs stored in one file per day basis Format of log file name is: DhcpSrvLog-XXX.log, where XXX=three letters of day of week, i.e. DhcpSrvLog-Sat.log Therefore, only 1 full week stored!

9 DHCP Log

10 Event ID Date Time (Local system time zone) Description / Action IP address assigned Host name to which IP assigned MAC address to which IP assigned

11 Windows Firewall Logs Firewall added to XP with SP 2 Firewall on by default Very good logging utility, however, is off by default Enabling is buried deep in user interface –Don’t expect to find it enabled often, except in domain settings with good administrator!

12 Windows Firewall Logs Default location of firewall logs is: %SystemRoot%\pfirewall.log Always look for it anyway

13 Windows Firewall Log Header

14 Windows Firewall Log Data

15 Microsoft Log Parser Free utility from Microsoft Truly a Swiss Army Knife forensic utility Processes nearly all forms of M/S logs, plus dozens of others Three components –Input engine –SQL query engine –Output engine

16 M/S Log Parser DATAGRID Output

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 11: Text-Based Logs."

Similar presentations

Configuring Windows to run Dr.Web scanner remotely.

Configuring Windows to run Dr.Web scanner remotely.
CSIT 320 (Blum) 1 DHCP. CSIT 320 (Blum) 2 Dynamic Host Configuration Protocol does not require an administrator to add an entry for a computer into the.

CSIT 320 (Blum) 1 DHCP. CSIT 320 (Blum) 2 Dynamic Host Configuration Protocol does not require an administrator to add an entry for a computer into the.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.

Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
Nassau Community College

Nassau Community College
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.

Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Week 2 IBS 685. Static Page Architecture The user requests the page by typing a URL in a browser The Browser requests the page from the Web Server The.

Week 2 IBS 685. Static Page Architecture The user requests the page by typing a URL in a browser The Browser requests the page from the Web Server The.
Domain Name System: DNS

Domain Name System: DNS
Hussain Ali Department of Computer Engineering KFUPM, Dhahran, Saudi Arabia Microsoft Networking.

Hussain Ali Department of Computer Engineering KFUPM, Dhahran, Saudi Arabia Microsoft Networking.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.

Hands-On Microsoft Windows Server 2003 Networking Chapter 5 Dynamic Host Configuration Protocol.
IIS and PWS. What is IIS and PWS? Microsoft Internet Information Server (IIS) and Peer Web Services (PWS) enable Windows NT servers with the ability to.

IIS and PWS. What is IIS and PWS? Microsoft Internet Information Server (IIS) and Peer Web Services (PWS) enable Windows NT servers with the ability to.
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
1 Module 13 Windows NT Networking Services. 2  Overview Installing Network Services Dynamic Host Configuration Protocol (DHCP) Windows Internet Name.

1 Module 13 Windows NT Networking Services. 2  Overview Installing Network Services Dynamic Host Configuration Protocol (DHCP) Windows Internet Name.
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Similar presentations

Ads by Google