Windows Event Logs

Windows event logs are one of the richest sources of evidence in forensic and incident response investigations because they record a large volume of activity on a system. The three core logs are Application, Security and System (Windows also keeps Setup, Forwarded Events and the per-component Applications and Services logs), and most of the evidence below lives in the Security log. Some of the key event log artifacts commonly analysed during a forensic investigation include:

  • Authentication Events
  • Logon Events
  • Password Change Events
  • RDP (Remote Desktop Protocol)

Authentication events provide a quick way to locate unauthorised attempts to access an account. In the Security log a failed logon is Event ID 4625, NTLM credential validation on the authenticating computer is 4776, and a failed Kerberos pre-authentication on a domain controller is 4771. A burst of failures against one account, or against many accounts from a single source, is the signature of password guessing or spraying, and a failure burst followed by a success from the same source is the case worth escalating. These events are only present if the audit policy records them, so check the policy before concluding that no attempts occurred.

Logon events are critical when trying to identify which account was used in an incident, and who was behind the keyboard, because the Security log records each successful (Event ID 4624) and failed (4625) logon attempt with a timestamp, the account name, the logon type (for example 2 for interactive, 3 for network, 10 for RDP) and, for remote logons, the source address. The event identifies the account, not the person; tying it to an individual needs corroborating evidence such as badge records, the workstation used or other activity in the same session.

Password changes made by anyone other than the account owner or an IT administrator might be a sign of compromise. The Security log distinguishes a change by the owner (Event ID 4723, which requires the old password) from a reset by another account (4724). Both record the account that performed the action (the subject) and the account whose password was changed (the target), so a reset performed by an account that is not a known administrator, or a reset of a service or privileged account, is worth following up.

RDP is a popular method for remotely accessing another computer system. During a forensic investigation, the event logs on the target system for successful RDP connections help establish when a user accessed that system. A successful RDP logon is recorded in the Security log as Event ID 4624 with Logon Type 10 (RemoteInteractive), including the source address; reconnection to an existing disconnected session is logged with Logon Type 7 instead, so filter on both. The Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log also records session logon (Event ID 21) and reconnection (Event ID 25) with the source network address, which is useful when Security auditing was not enabled.
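The following is an added example, not code from the original article. It applies the four checks discussed above (failed-logon bursts and a burst followed by a success, successful logons with their logon type, password resets by a non-administrator, and RDP logons) to a list of flattened Security-log records. The records in SAMPLE_EVENTS are constructed for the demonstration, not real telemetry; the field names mirror the EventData names in the Security log, and the admins set is an assumed list of accounts allowed to reset passwords.

```python
"""Triage of Windows Security-log events: added example, not from the article.
Event IDs used: 4624 logon succeeded, 4625 logon failed, 4723 user changed own
password, 4724 password reset by another account. Logon type 10 is RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample records (not real telemetry): six failures against alice
# from 10.0.0.55 within seconds, then an RDP success from the same source.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2024-03-01T02:10:0{i}", "TargetUserName": "alice",
     "IpAddress": "10.0.0.55", "LogonType": 3} for i in range(1, 7)
] + [
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:10:09", "TargetUserName": "alice",
     "IpAddress": "10.0.0.55", "LogonType": 10},
    {"EventID": 4724, "TimeCreated": "2024-03-01T02:12:40", "SubjectUserName": "alice",
     "TargetUserName": "svc_backup"},
    {"EventID": 4625, "TimeCreated": "2024-03-01T07:58:12", "TargetUserName": "carol",
     "IpAddress": "10.0.0.7", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:30:00", "TargetUserName": "bob",
     "IpAddress": "-", "LogonType": 2},
    {"EventID": 4723, "TimeCreated": "2024-03-01T09:00:00", "SubjectUserName": "bob",
     "TargetUserName": "bob"},
    {"EventID": 4724, "TimeCreated": "2024-03-01T09:30:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "dave"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["TimeCreated"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(ip, account, count, first, last) for each source/account pair that has at
    least `threshold` 4625 events inside a sliding window of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_key[(e["IpAddress"], e["TargetUserName"])].append(_ts(e))
    bursts = []
    for (ip, user), times in by_key.items():
        times.sort()
        lo, best = 0, None
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # shrink window from the left
                lo += 1
            n = hi - lo + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, times[lo], times[hi])
        if best:
            bursts.append((ip, user, best[0], best[1], best[2]))
    return bursts


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """A failure burst followed by a 4624 for the same account from the same
    source: the pattern of a guessed or sprayed password that eventually worked."""
    hits = []
    ordered = sorted(events, key=_ts)
    for ip, user, n, _first, last in failed_logon_bursts(events, threshold, window):
        for e in ordered:
            if (e["EventID"] == 4624 and e["IpAddress"] == ip
                    and e["TargetUserName"] == user and _ts(e) >= last):
                hits.append((ip, user, n, _ts(e)))
                break
    return hits


def successful_logons(events):
    """(time, account, logon type name, source) for every 4624."""
    return [(_ts(e), e["TargetUserName"], LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])),
             e["IpAddress"]) for e in events if e["EventID"] == 4624]


def rdp_logons(events):
    """Logon type 10 only; add type 7 if reconnects to existing sessions matter."""
    return [r for r in successful_logons(events) if r[2] == "RemoteInteractive"]


def suspicious_password_events(events, admins=frozenset()):
    """4724 (reset by another account) unless the actor is a known admin, and
    4723 (owner change) where subject and target differ, which should not happen."""
    out = []
    for e in events:
        subj, tgt = e.get("SubjectUserName"), e.get("TargetUserName")
        if e["EventID"] == 4724 and subj not in admins:
            out.append(("reset", subj, tgt, _ts(e)))
        elif e["EventID"] == 4723 and subj != tgt:
            out.append(("change", subj, tgt, _ts(e)))
    return out


if __name__ == "__main__":
    print("bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("burst then success:", brute_force_then_success(SAMPLE_EVENTS))
    print("rdp:", rdp_logons(SAMPLE_EVENTS))
    print("password:", suspicious_password_events(SAMPLE_EVENTS, admins={"helpdesk1"}))
```

On a live system the same fields can be pulled with Get-WinEvent (for example a FilterHashtable on LogName 'Security' and the event IDs above), exported and fed to these functions; the threshold and window are investigation choices, and the defaults here are deliberately low so the sample data triggers them.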