Current Forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software E-Mail Investigations: Exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools. Cell phone and mobile device forensics: Understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices
This slide introduces various kinds of basic steganography techniques.
Also listed are the tools that can be useful for CTF (Capture the Flag) steganography challenges.
Presentation on investigating e-mails to determine whether they are spam. E-mail is used by some people to harm others, or as a social-engineering vehicle for wrongful motives. Awareness of the forensics behind e-mail gives people an edge in protecting themselves from fraud.
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session (Infocyte)
Join Infocyte co-founder and Chief Product Officer, Chris Gerritz, for a two-hour digital forensics and incident response (DFIR) training session.
During this presentation, Chris shows participants how to set up Infocyte's managed detection and response (MDR) platform and how to leverage Infocyte to detect, investigate, isolate, and eliminate sophisticated cyber threats. Additionally, Infocyte helps enterprise cyber security teams eliminate hidden IT risks, improve security hygiene, maintain compliance, and streamline security operations—including improving the capabilities of existing endpoint security tools.
Using Infocyte's new extensions, participants are encouraged to create their own custom collection (detection and analysis) and action (incident response) extensions.
Ch 4: Footprinting and Social Engineering (Sam Bowne)
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
A 1-day short course developed for visiting guests from Tecsup on network forensics, prepared in a day : ]
The requirements/constraints were 5-7 hours of content and that the target audience had very little forensic or networking knowledge. [For that reason, flow analysis was not included as an exercise, discussion of network monitoring solutions was limited, and the focus was on end-node forensics, not networking devices/appliances themselves]
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Learning Objectives:
1. Understand how this unique, emergent form of evidence can be used for criminal investigations and civil litigation e-discovery.
2. Discover the DoJ memo to law enforcement uncovered by FOIA stressing why and how to use social media in criminal cases.
3. See social media evidence recovered from smart phones, personal computers, and the cloud.
4. Learn the ethics of social media evidence collection including what you can and cannot do, if you want to keep your license that is.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier (Basis Technology)
Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.
A presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvey and Jolanta Thomassen for their wonderful research in the field. The work is based on their research.
This PDF is of a Nearpod presentation about evaluating websites' trustworthiness which you can view in its entirety at http://npps.co/internetsleuthpdf. It will give you a glimpse of what you can expect from Nearpod and its capabilities to enhance your classroom experience. Via this presentation, your students will become internet sleuths by evaluating websites' trustworthiness and credibility, and distinguishing fact from fiction online. ELA. Elementary School. Age: 8+
The Windows Logging Cheat Sheet is the definitive guide on learning where to start with Windows Logging. How to Enable, Configure, Gather and Harvest events so you can catch a hacker in the act.
With 1.2 billion monthly active users on Facebook alone, it’s not surprising that social media networks can be a rich source of information for investigators. And because Americans spend more time on social media than any other major Internet activity, including email, social media information and evidence is plentiful. You just need to know how to get it.
Finding, preserving and collecting social media evidence often requires some forensic skills, as well as an understanding of the laws that govern its collection and use. It’s important for investigators to be aware of both the possibilities and limitations of social media forensics.
A quick overview of ManageEngine EventLog Analyzer, the most cost-effective log management and compliance reporting software for Security Information and Event Management (SIEM). Using this log analyzer software, organizations can automate the entire process of managing terabytes of machine-generated logs by collecting, analyzing, searching, reporting, and archiving from one central location. This event log analyzer software helps to mitigate security threats, archive data for log forensics analysis, root cause analysis and more; see http://www.manageengine.com/products/eventlog/
Threat Hunting with Windows Event Forwarding & MITRE ATT&CK Framework
In this talk, you will gain an overview of using Windows Event Forwarding (WEF) for incident detection, with configuration and management workflows guidance. The talk will also provide an introduction to the MITRE ATT&CK Framework.
This presentation discusses the most common application compatibility issues in Windows 7 that applications designed for Windows XP may experience. It explains the new features of the OS, such as UAC, file and registry virtualization, WRP, Session 0 isolation, and Mandatory Integrity Levels, that compatible applications have to be aware of to run well on Windows 7.
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Note: This project is broken up into Windows and Mac versions (listed below).
Security and privacy should never be an afterthought when developing secure software. A formal
process must be in place to ensure they're considered at all points of the product's lifecycle.
Microsoft's Security Development Lifecycle (SDL) embeds comprehensive security requirements,
technology specific tooling, and mandatory processes into the development and operation of all
software products. All development teams at Microsoft must adhere to the SDL processes and
requirements, resulting in more secure software with fewer and less severe vulnerabilities at a
reduced development cost.
Office 365 isolation controls
Microsoft continuously works to ensure that the multi-tenant architecture of Microsoft 365 supports
enterprise-level security, confidentiality, privacy, integrity, local, international, and availability
standards. The scale and the scope of services provided by Microsoft make it difficult and non-
economical to manage Microsoft 365 with significant human interaction. Microsoft 365 services are
provided through globally distributed data centers, each highly automated with few operations
requiring a human touch or any access to customer content.
Microsoft 365 is composed of multiple services that provide important business functionality and
contribute to the entire Microsoft 365 experience. Each of these services is self-contained and
designed to integrate with one another. Microsoft 365 is designed with the following principles:
- Service-oriented architecture: designing and developing software in the form of interoperable
services providing well-defined business functionality.
- Operational security assurance: a framework that incorporates the knowledge gained through
various capabilities that are unique to Microsoft, including the Microsoft Security Development
Lifecycle, the Microsoft Security Response Center, and deep awareness of the cybersecurity
threat landscape.
How do Microsoft online services employ audit logging?
Microsoft online services employ audit logging to detect unauthorized activities and provide
accountability for Microsoft personnel. Audit logs capture details about system configuration
changes and access events, with details to identify who was responsible for the activity, when and
where the activity took place, and what the outcome of the activity was. Automated log analysis
supports near real-time detection of suspicious behavior. Potential incidents are escalated to the
appropriate Microsoft security response team for further investigation.
Microsoft online services internal audit logging captures log data from various sources, such as:
Event logs
AppLocker logs
Performance data
System Center data
Call detail records
Quality of experience data
IIS Web Server logs
SQL Server logs
Syslog data
Security audit logs
Windows Users - the Windows version requires Windows (7/10/11) operating environment.
1. Your task is to examine your Windo.
Windows 7 forensics event logs-dtl-r3
1. Digital Forensics and Windows 7 Event Logs
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3 – Research | Readiness | Response
2. Introduction
Vista/Windows 7 Event Logging:
• New format *.evtx.
• More, many more, event log files.
• New system for collecting and displaying events.
• New security event numbering.
3. Windows Event Logs
Before Vista—Event Log.
• The big three:
– System.
– Security.
– Application.
• Binary file, .evt.
• \Windows\System32\config
• Documented and well known.
http://msdn.microsoft.com/en-us/library/aa363652(v=VS.85).aspx

Vista to present—Windows Event Log.
• The big three:
– System.
– Security.
– Application.
– Plus 100+ more event log files.
• Binary/xml format—.evtx.*
• C:\Windows\System32\winevt\Logs
• New, documentation growing.
http://msdn.microsoft.com/en-us/library/aa385780(v=VS.85).aspx
*http://computer.forensikblog.de/en/topics/windows/vista_event_log/
6. Windows Event Logs
An event log is more than its .evtx file.
• The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs.
• The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
7. From *.evtx to Event Log
Registry: HKLM\SYSTEM\ControlSet001\services\eventlog
*.evtx file + MessageFile.dll (linked through the Registry key above) → Event Viewer
8. Windows Event Logs
• Impact on forensics?
  – Information in an event log often depends on message DLLs.
  – To get the message information, one must have the message DLLs available at the time the logs are:
    • Collected; or
    • Read.
  – Security events are generally consistent within the same version of Windows (the message DLLs are the same).
  – Application logs pose the biggest risk of incompatible or missing message information, as the message DLLs depend on the installed applications.
9. Windows Event Logs
• Solutions:
  – Collect logs live, before shutting down a system.
    • For example:
      – >psloglist.exe -s -x Application > AppEvent.csv
      – >psloglist.exe -s -x System > SysEvent.csv
      – >psloglist.exe -s -x Security > SecEvent.csv
  – Rebuild registry references to message DLLs on the analysis workstation.
    • Generally not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
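Collecting the big three live, as an added PowerShell example that is not from the deck: it exports each log twice, the raw .evtx via the built-in wevtutil and a CSV whose Message column has already been rendered through Get-WinEvent on the live system, which is the same idea as the psloglist commands above. The output folder is an assumption, and reading the Security log requires an elevated session.

```powershell
# Added example, not the presenter's code. Exports the big three logs from a
# live system so that message text is captured while the message DLLs are
# still present. $OutDir is an assumed collection folder.
function Export-LiveEventLogs {
    param(
        [string]$OutDir = 'C:\IR\EventLogs',                      # assumed
        [string[]]$LogNames = @('Application', 'System', 'Security')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $results = @()
    foreach ($log in $LogNames) {
        # 1. Raw copy of the .evtx for later parsing and hashing.
        $evtx = Join-Path $OutDir "$log.evtx"
        & wevtutil.exe epl $log $evtx

        # 2. Rendered copy: Get-WinEvent resolves Message through the local
        #    message DLLs, the information that is lost if they are missing later.
        $csv = Join-Path $OutDir "$log.csv"
        Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
                          @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
            Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

        # 3. Hash the raw file so the copy can be verified afterwards.
        $results += [pscustomobject]@{
            Log    = $log
            Evtx   = $evtx
            Csv    = $csv
            SHA256 = (Get-FileHash -Path $evtx -Algorithm SHA256).Hash
        }
    }
    return $results
}

# Usage: run elevated, then keep the returned table with the case notes.
Export-LiveEventLogs | Format-Table -AutoSize
```

The CSV is the analyst's working copy; the .evtx and its hash are what go into evidence, since the CSV cannot be re-rendered once the system is gone.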
10. Windows Event Logs
• Configuring the analyst workstation for reviewing event logs:
  – Identify the missing message DLLs.
    • Specified by the registry key for the component with the incomplete event record.
  – Copy the message DLLs to the analyst workstation.
  – Add registry keys for the component to specify the location of the message DLLs.
11. Windows Event Logs
• Identify missing message DLLs.
  – Review the SYSTEM registry hive file of the system from which the event log file was taken.
12. Windows Event Logs
• Extract the message DLL(s) from the source system and copy to the analyst’s workstation.
  – New location, or recreate the original path.
13. Windows Event Logs
• Recreate the registry services\eventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Communicator
• The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
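The procedure on slides 10 through 13, as an added PowerShell example that is not the presenter's code: it mounts the evidence SYSTEM hive, follows Select\Current to the active ControlSet, walks services\eventlog and reports every EventMessageFile, CategoryMessageFile or ParameterMessageFile whose DLL is not present on the analyst workstation; a second function recreates a source key under the live services\eventlog pointing at a copied DLL, with any other original values passed in as a hashtable. The hive path, the mount name, the staging folder and the DLL file name are assumptions, and both functions need an elevated session.

```powershell
# Added example, not the presenter's code. Step 1: find which message DLLs
# referenced by the evidence system's SYSTEM hive are missing locally.
function Get-MissingMessageDlls {
    param(
        [string]$HivePath  = 'C:\Evidence\SYSTEM',   # assumed: raw hive copied from the image
        [string]$MountName = 'EvidenceSYSTEM'        # temporary key name under HKLM
    )
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    try {
        # Select\Current names the ControlSet that was in use on the evidence system.
        $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
        $ccs     = 'ControlSet{0:D3}' -f $current
        $evtRoot = "HKLM:\$MountName\$ccs\services\eventlog"
        $report = foreach ($log in Get-ChildItem $evtRoot) {
            foreach ($source in Get-ChildItem $log.PSPath) {
                $props = Get-ItemProperty $source.PSPath
                foreach ($valName in 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile') {
                    $val = $props.$valName
                    if (-not $val) { continue }
                    # A value may list several DLLs separated by ';' and use %SystemRoot%.
                    foreach ($dll in ($val -split ';')) {
                        $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim())
                        [pscustomobject]@{
                            Log            = $log.PSChildName
                            Source         = $source.PSChildName
                            ValueName      = $valName
                            Dll            = $expanded
                            PresentLocally = Test-Path -LiteralPath $expanded
                        }
                    }
                }
            }
        }
        return $report | Where-Object { -not $_.PresentLocally }
    }
    finally {
        [gc]::Collect()                                  # release handles before unloading
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Step 3: recreate the source key on the analyst workstation (slide 13).
function Register-CopiedMessageDll {
    param(
        [Parameter(Mandatory)][string]$Log,        # e.g. Application
        [Parameter(Mandatory)][string]$Source,     # e.g. Communicator
        [Parameter(Mandatory)][string]$DllPath,    # where the DLL was copied locally
        [int]$TypesSupported = 7,                  # Error|Warning|Information
        [hashtable]$OtherValues = @{}              # remaining original values to carry over
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$Log\$Source"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EventMessageFile -Value $DllPath `
        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name TypesSupported -Value $TypesSupported `
        -PropertyType DWord -Force | Out-Null
    foreach ($name in $OtherValues.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $OtherValues[$name] -Force | Out-Null
    }
}

# Usage (assumed paths and a placeholder DLL name): report, copy, register.
Get-MissingMessageDlls | Format-Table Log, Source, ValueName, Dll -AutoSize
Register-CopiedMessageDll -Log Application -Source Communicator `
    -DllPath 'C:\Evidence\MessageDlls\CommunicatorMessages.dll'   # placeholder name
```

The report expands %SystemRoot% with the analyst's own environment on purpose: the question is whether Event Viewer on this workstation will find the file, not where it lived on the evidence system. Keep the original key names and values exactly, as the slide says, because the Event Viewer looks the source up by log name and source name.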
14. Windows Event Logs
• Event logs in forensic examinations:
  – Rarely a primary source of information.
    • Noisy.
    • Significant events often only stand out when there are dates, times, or other items to bring focus to an event.
  – Security events are often not significant.
    • Dependent on the security audit settings.
  – Often, evidence of compromise is found in the System and Application event logs or in one of the new, narrowly focused logs.
    • System or application crashes.
    • Errors, warnings, information.
25. Windows Event Logs
• System events.
  – Logged by Windows and Windows system services, and classified as error, warning, or information.
  – Typical interesting events:
    • Time change.
    • Startup and shutdown.
    • Service startup, shutdown, failures.
    • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events.
http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
29. Windows Event Logs
• Application events.
  – Program events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.
  – Typical interesting events would be those relating to programs that could be relevant to an investigation.
    • Application errors.
      – E.g., BackupExec agent attack.
    – Antivirus or malware detection events.
  • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long-standing system problems.
  – Note: application logging is controlled by the applications, so events are defined by the application developers.
  – Not all applications generate events.
32. Windows Event Logs
• Security events.
  – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.
  – Depend on audit policy.
  – Noisy.
  – Completely different Security event IDs from all versions before Vista.
  – General tip: translate pre-Vista event ID numbers to the new Vista event ID numbers by adding 4096.
  – There are a number of new security events.
  – Typical events of interest:
    • Account logon and logoff.
    • Failed logon attempts.
    • Account escalation.
    • Process execution.
38. Windows Event Logs
Further Information:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
http://blogs.msdn.com/b/ericfitz/
48. Windows Event Logs
• Emphasis: usually on Security events, but other event logs may have more to offer.
• Event logs are not typically the primary evidence.
  – Often too noisy.
• Best used when other facts fix times, or implicate specific accounts or computers.
• Often most useful in a timeline with other items of significance.
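Using the logs the way slides 14 and 48 recommend, as an added PowerShell example that is not part of the deck: it merges exported System, Application and Security .evtx files into one timeline inside a window around a time fixed by other evidence, keeping the categories the slides call out (startup and shutdown, service state changes, time changes, logons and logoffs, failed logons, privilege assignment, process creation, application errors) and optionally narrowing to one account. The folder, pivot time and account are assumptions; the event IDs are the standard Windows IDs for those categories, not values taken from the deck.

```powershell
# Added example, not the presenter's code. Builds a cross-log timeline from
# exported .evtx files around a pivot time. Paths and times are assumptions.
function Get-EventTimeline {
    param(
        [string]$EvidenceDir   = 'C:\Evidence\Logs',                 # assumed export folder
        [datetime]$Pivot       = (Get-Date '2011-03-15 14:32:00'),   # assumed: fixed by other facts
        [int]$WindowMinutes    = 30,
        [string]$Account                                              # optional account to focus on
    )
    $start = $Pivot.AddMinutes(-$WindowMinutes)
    $end   = $Pivot.AddMinutes($WindowMinutes)

    # Standard Windows IDs for the categories the slides list.
    # System: 1 Kernel-General time change, 12/13 OS start/shutdown,
    #         6005/6006 event log service start/stop, 7036 service state change.
    # Application: 1000 Application Error.
    # Security: 4624 logon, 4625 failed logon, 4634 logoff,
    #           4672 special privileges assigned, 4688 process creation.
    $interest = @{
        'System.evtx'      = @(1, 12, 13, 6005, 6006, 7036)
        'Application.evtx' = @(1000)
        'Security.evtx'    = @(4624, 4625, 4634, 4672, 4688)
    }

    $timeline = foreach ($file in $interest.Keys) {
        $path = Join-Path $EvidenceDir $file
        if (-not (Test-Path $path)) { continue }
        Get-WinEvent -FilterHashtable @{
            Path = $path; Id = $interest[$file]; StartTime = $start; EndTime = $end
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # Pull the account from the event data, which survives even when the
            # message DLLs are missing; Summary will be empty in that case.
            $xml  = [xml]$_.ToXml()
            $user = ($xml.Event.EventData.Data |
                     Where-Object { $_.Name -in 'TargetUserName', 'SubjectUserName' } |
                     Select-Object -First 1).'#text'
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $file -replace '\.evtx$'
                Id       = $_.Id
                Provider = $_.ProviderName
                Account  = $user
                Summary  = ($_.Message -split "`r?`n")[0]
            }
        }
    }
    $timeline = $timeline | Sort-Object Time
    if ($Account) {
        # Keep the named account's events plus events that carry no account at all
        # (service and kernel events), so context is not lost.
        $timeline = $timeline | Where-Object { $_.Account -eq $Account -or -not $_.Account }
    }
    return $timeline
}

# Usage with the assumed defaults; add -Account to focus on one user.
Get-EventTimeline | Format-Table Time, Log, Id, Account, Summary -AutoSize
```

The Summary column depends on the message DLLs being resolvable on the analyst workstation; the Id, Provider and Account columns come from the raw event data and are reliable either way, which is why the filter is on IDs rather than on message text.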