The purpose of this research was to analyze Microsoft Windows event logs for artifacts that may be pertinent to an investigation. How are investigators using Windows event logs in forensic investigations? How do investigators approach the various types of breaches when collecting data from Windows event logs? What are the best practices to analyze Windows event logs? The world of Digital Forensics is expanding each day. There are many OSs available for use by professionals and casual users to choose from. In 2013 the three main OSs in use on nontablet computers are Windows, Linux and Mac OS. This research focuses on the Windows OS. The first version of Windows was Windows 1.0 which was released in 1985 (Microsoft, 2013). Since that time, there have been 8 major new Windows releases. Table 1 lists Windows OS and their release dates. Table 1 Windows OS Release Years Windows 1.0 1985 Windows 2.0 1987 Windows 3.0 1990 Windows 95 1995 Windows 98 1998 Windows XP 2001 Windows Vista 2006 Windows 7 2009 Windows 8 2012 Note. This table illustrates the various Window OS and when they were released by Microsoft. Mark Hackman (2013), a staff writer for PC World, reports that according to Net Applications’ NetMarketshare tracker in June 2013, about 44.37% of computers are using Windows 7 and another 5.1% are using Windows 8. The newest Windows OS update, Windows 2 8.1, was released to manufacturers on August 27, 2013 (Endler, 2013). Most businesses and home users choose Windows based systems over Macs due to the lower operational and training costs (Menga, 2008). These statistics indicate that over half of the computers currently used are Windows based systems. The amount of Windows based systems in use by businesses and home users gives criminals a broader range of computers to break into for any type of data theft. Home users typically do not keep their systems as secure as they should (Byrne, Howe, Ray, Roberts, & Urbanska, 2012). Programmers often design computer hacking techniques called \"hacks\" to test certain scenarios. Regardless of the purpose they were designed, organized cyber criminals who are computer savvy often employ these hacks for nefarious purposes. The criminals either buy a hack from the author or they find it on a hacking website (Jordan, 1998). Cyber criminals will break into home user systems in order to build a network to attack a corporate or government target (Wash, 2010). This intrusion and victimization of another\'s computer is called a Botnet. The number of Windows event logs has grown over the years. For instance, prior to Windows Vista, there were only three main logs in the event viewer, System, Security and Application. Today there are application specific logs and service logs as well in the main event viewer. There are an additional 100 plus log files, but this research focused on the main three, System, Security and Application. Windows event logs are used to help correlate and prove that certain actions occurred at .

1. The purpose of this research was to analyze Microsoft Windows event logs for artifacts that may
be pertinent to an investigation. How are investigators using Windows event logs in forensic
investigations? How do investigators approach the various types of breaches when collecting
data from Windows event logs? What are the best practices to analyze Windows event logs? The
world of Digital Forensics is expanding each day. There are many OSs available for use by
professionals and casual users to choose from. In 2013 the three main OSs in use on nontablet
computers are Windows, Linux and Mac OS. This research focuses on the Windows OS. The
first version of Windows was Windows 1.0 which was released in 1985 (Microsoft, 2013). Since
that time, there have been 8 major new Windows releases. Table 1 lists Windows OS and their
release dates. Table 1 Windows OS Release Years Windows 1.0 1985 Windows 2.0 1987
Windows 3.0 1990 Windows 95 1995 Windows 98 1998 Windows XP 2001 Windows Vista
2006 Windows 7 2009 Windows 8 2012 Note. This table illustrates the various Window OS and
when they were released by Microsoft. Mark Hackman (2013), a staff writer for PC World,
reports that according to Net Applications’ NetMarketshare tracker in June 2013, about 44.37%
of computers are using Windows 7 and another 5.1% are using Windows 8. The newest
Windows OS update, Windows 2 8.1, was released to manufacturers on August 27, 2013
(Endler, 2013). Most businesses and home users choose Windows based systems over Macs due
to the lower operational and training costs (Menga, 2008). These statistics indicate that over half
of the computers currently used are Windows based systems. The amount of Windows based
systems in use by businesses and home users gives criminals a broader range of computers to
break into for any type of data theft. Home users typically do not keep their systems as secure as
they should (Byrne, Howe, Ray, Roberts, & Urbanska, 2012). Programmers often design
computer hacking techniques called "hacks" to test certain scenarios. Regardless of the purpose
they were designed, organized cyber criminals who are computer savvy often employ these
hacks for nefarious purposes. The criminals either buy a hack from the author or they find it on a
hacking website (Jordan, 1998). Cyber criminals will break into home user systems in order to
build a network to attack a corporate or government target (Wash, 2010). This intrusion and
victimization of another's computer is called a Botnet. The number of Windows event logs has
grown over the years. For instance, prior to Windows Vista, there were only three main logs in
the event viewer, System, Security and Application. Today there are application specific logs and
service logs as well in the main event viewer. There are an additional 100 plus log files, but this
research focused on the main three, System, Security and Application. Windows event logs are
used to help correlate and prove that certain actions occurred at certain times and by specific
individuals, groups or IP addresses. For instance, Windows Security event logs can be analyzed
to help determine how many failed logon attempts occurred in a particular time period. It can

2. also be used to identify who logged in by examining the Event ID 4624 (Smith, 2013). Cyber
attackers use event logs nefariously to determine what is running on a 3 targeted network so they
can take advantage of known threats that have not been patched (Stuttard, 2008). This research
discusses the importance of specific logs when providing facts to an investigator. When
discussing how event logs will be used during an investigation, it is important to differentiate
between the various types of analysis and forensic practices. Different logs and methods of
collection are necessary depending on the type of investigation or attack defense. Investigators
will perform either a traditional or live analysis of the data stored within a computer or on a
network. The purpose for the collection of the targeted data usually dictates which type of
analysis should be performed. Today, it is expected to be a hybrid of both because some
important computer processes and data are stored in volatile memory, such as RAM. RAM
requires continuous power and will fade away as soon as the system is shutdown. Therefore, it
cannot be collected once systems are shut down (Cummings, 2008). There are three main types
of analysis, traditional, live, and network. Traditional, or dead-box analysis, includes shutting
down the computer and removing the hard drive or other media from the computer for analysis
with another machine (Amari, 2009). Live analysis refers to the capturing of data while the
computer is still running. A live analysis targets data on the hard drives and attached media,
artifacts of the operating system (OS), processes and data stored in volatile memory, and network
traffic coming in or going out of the computer (Amari, 2009). Investigators often concentrate on
the type of data stored in RAM. Since RAM memory is volatile and must be analyzed or
captured while the machine is operating, a live analysis is required. RAM is where processes run
and significant data that is not stored elsewhere may be collected.
Solution
The purpose of this research was to analyze Microsoft Windows event logs for artifacts that may
be pertinent to an investigation. How are investigators using Windows event logs in forensic
investigations? How do investigators approach the various types of breaches when collecting
data from Windows event logs? What are the best practices to analyze Windows event logs? The
world of Digital Forensics is expanding each day. There are many OSs available for use by
professionals and casual users to choose from. In 2013 the three main OSs in use on nontablet
computers are Windows, Linux and Mac OS. This research focuses on the Windows OS. The
first version of Windows was Windows 1.0 which was released in 1985 (Microsoft, 2013). Since
that time, there have been 8 major new Windows releases. Table 1 lists Windows OS and their
release dates. Table 1 Windows OS Release Years Windows 1.0 1985 Windows 2.0 1987
Windows 3.0 1990 Windows 95 1995 Windows 98 1998 Windows XP 2001 Windows Vista

3. 2006 Windows 7 2009 Windows 8 2012 Note. This table illustrates the various Window OS and
when they were released by Microsoft. Mark Hackman (2013), a staff writer for PC World,
reports that according to Net Applications’ NetMarketshare tracker in June 2013, about 44.37%
of computers are using Windows 7 and another 5.1% are using Windows 8. The newest
Windows OS update, Windows 2 8.1, was released to manufacturers on August 27, 2013
(Endler, 2013). Most businesses and home users choose Windows based systems over Macs due
to the lower operational and training costs (Menga, 2008). These statistics indicate that over half
of the computers currently used are Windows based systems. The amount of Windows based
systems in use by businesses and home users gives criminals a broader range of computers to
break into for any type of data theft. Home users typically do not keep their systems as secure as
they should (Byrne, Howe, Ray, Roberts, & Urbanska, 2012). Programmers often design
computer hacking techniques called "hacks" to test certain scenarios. Regardless of the purpose
they were designed, organized cyber criminals who are computer savvy often employ these
hacks for nefarious purposes. The criminals either buy a hack from the author or they find it on a
hacking website (Jordan, 1998). Cyber criminals will break into home user systems in order to
build a network to attack a corporate or government target (Wash, 2010). This intrusion and
victimization of another's computer is called a Botnet. The number of Windows event logs has
grown over the years. For instance, prior to Windows Vista, there were only three main logs in
the event viewer, System, Security and Application. Today there are application specific logs and
service logs as well in the main event viewer. There are an additional 100 plus log files, but this
research focused on the main three, System, Security and Application. Windows event logs are
used to help correlate and prove that certain actions occurred at certain times and by specific
individuals, groups or IP addresses. For instance, Windows Security event logs can be analyzed
to help determine how many failed logon attempts occurred in a particular time period. It can
also be used to identify who logged in by examining the Event ID 4624 (Smith, 2013). Cyber
attackers use event logs nefariously to determine what is running on a 3 targeted network so they
can take advantage of known threats that have not been patched (Stuttard, 2008). This research
discusses the importance of specific logs when providing facts to an investigator. When
discussing how event logs will be used during an investigation, it is important to differentiate
between the various types of analysis and forensic practices. Different logs and methods of
collection are necessary depending on the type of investigation or attack defense. Investigators
will perform either a traditional or live analysis of the data stored within a computer or on a
network. The purpose for the collection of the targeted data usually dictates which type of
analysis should be performed. Today, it is expected to be a hybrid of both because some
important computer processes and data are stored in volatile memory, such as RAM. RAM
requires continuous power and will fade away as soon as the system is shutdown. Therefore, it

4. cannot be collected once systems are shut down (Cummings, 2008). There are three main types
of analysis, traditional, live, and network. Traditional, or dead-box analysis, includes shutting
down the computer and removing the hard drive or other media from the computer for analysis
with another machine (Amari, 2009). Live analysis refers to the capturing of data while the
computer is still running. A live analysis targets data on the hard drives and attached media,
artifacts of the operating system (OS), processes and data stored in volatile memory, and network
traffic coming in or going out of the computer (Amari, 2009). Investigators often concentrate on
the type of data stored in RAM. Since RAM memory is volatile and must be analyzed or
captured while the machine is operating, a live analysis is required. RAM is where processes run
and significant data that is not stored elsewhere may be collected.