![]() And so for the sake of time and presenting, we’re going to focus on these three. These are the login, successful log offs, shut downs, restarts, those sorts of things. So we’re going to look at these three specifically, we’re going to kind of focus in on that, but there are other event IDs that are associated with log on. So on and so forth, all through the thing. Plug in a USB drive, there’s an event for that. Now, the various events within the event log are broken down by IDs, and this is not just for log on, log off, this is for everything. Within there, specifically, we’re going to narrow even further down, we’re going to look at some of the log on, log off, boot, shutdown event IDs. There’s various logs, as you saw in that directory, there’s a bunch of them. ![]() So again, we’re going to take a look at that, and those logs are held in the security.evtx event logs. But, you know, the relevant ones, in a second.īut you can get those… so even if you’re not using forensic tools, or that sort of stuff, if you’re just going through it yourself, and we’ll look at how we can do that as forensically as possible even without tools, we can take a look at it. And we’ll look at these logs here in a second. And you can actually see them when it’s booted up, that’s why we have this little image here, if we exit out of the slide deck real quick, we can open up Explorer, go to the C drive, Windows, system 32, way down here at the bottom, and then we can scan down - there’s a lot of stuff in here - and then we can see the Windows event, and then logs in here. And within this directory are going to be a bunch of different logs. ![]() So first off, the Windows event logs are stored on the C drive of the Windows operating system, OK? So Windows, system 32, Winevent or WinEVT logs. And so we can see application activity, hardware activity, but what we’re going to talk about specifically here is the log on log off in the boot and shutdown records that are stored in these logs. So first off, when we’re running an investigation, or a matter, whatever we’re going to call it, we’re typically looking at the activities of people and their behaviours, so we want to establish what happened, when it happened, what were they doing, did they do anything? And so one place we can see a lot of that, that naturally logs a lot of that information chronologically is the Windows event logs. We’ll have a little bit of slides, not much, because we’re going to just get in and look at the different stuff, we don’t have to rely on slides. So we’re going to use a bunch of different things here to take a look at that information. I’m Justin Tolman, I am the Director of Training for AccessData, and today, for the next little bit, we’ll be talking about Windows event logs, and specifically the login information associated with Windows event logs and how we can timeline those and kind of get a chronology for those. And this is a recorded video, so just kind of, welcome, whenever you’re watching this. To avoid storing logs indefinitely, deleteĪ retention period after which logs are deleted automatically.Justin: Alright. Log groups aren't deleted automatically when you delete a function.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |