Windows event logs are the gold standard when it comes to forensic and incident response investigations, as they contain vast records of activity on a system. Event logs are split into three categories: application, security and system. Some of the key event log artifacts we commonly analyse during a forensic investigation include:
- Authentication Events
- Logon Events
- Password Change Events
- RDP (Remote Desktop Protocol)
Authentication events provide a quick and easy way to locate unauthorised attempts to access an account.
Logon events are critical when trying to place someone behind a keyboard or find out which account was used in an incident, as a record is created for each successful or failed logon attempt, along with a corresponding timestamp.
Password changes made by anyone other than the account owner or an IT administrator might be a sign of a compromise.
RDP is a popular method for remotely accessing another computer system. When conducting a forensic investigation, looking at the event logs for successful connections can help establish the dates and times when a user may have been accessing another system.
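As an added example (not part of the original article), the following Python triages a handful of constructed Security log records for the four artifact classes above: bursts of failed authentication, logons, password changes made by someone other than the owner or a known administrator, and RDP sessions. It assumes the records have already been exported to simple dictionaries; the field names, the admin list and the sample events are constructed for illustration, while the event IDs (4624 successful logon, 4625 failed logon, 4723/4724 password change/reset) and RDP logon type 10 are the standard Windows values.

```python
"""Triage constructed Windows Security log records for the artifact classes
the article lists: failed authentication, logons, password changes and RDP."""
from collections import Counter

# Constructed sample records (not real log data). Fields mirror the Security
# log: event ID, timestamp, target account, logon type, source IP and, for
# password changes, the subject account that performed the change.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": "2024-03-01T08:00:01", "Target": "alice", "LogonType": 3, "Ip": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-03-01T08:00:03", "Target": "alice", "LogonType": 3, "Ip": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-03-01T08:00:04", "Target": "alice", "LogonType": 3, "Ip": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-03-01T08:00:09", "Target": "alice", "LogonType": 10, "Ip": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-03-01T09:15:00", "Target": "bob", "LogonType": 2, "Ip": "-"},
    {"EventID": 4724, "Time": "2024-03-01T09:20:00", "Target": "bob", "Subject": "alice"},
    {"EventID": 4723, "Time": "2024-03-01T09:25:00", "Target": "carol", "Subject": "carol"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type recorded for RDP sessions


def failed_logon_bursts(events, threshold=3):
    """Return (account, source_ip) pairs with at least `threshold` failed logons (4625)."""
    counts = Counter((e["Target"], e["Ip"]) for e in events if e["EventID"] == 4625)
    return {pair for pair, n in counts.items() if n >= threshold}


def rdp_logons(events):
    """Return (time, account, source_ip) for successful RDP logons (4624, logon type 10)."""
    return [(e["Time"], e["Target"], e["Ip"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE]


def suspicious_password_changes(events, admins=frozenset()):
    """Return (time, subject, target) for password changes/resets (4723/4724)
    performed by someone who is neither the account owner nor a known admin."""
    return [(e["Time"], e["Subject"], e["Target"]) for e in events
            if e["EventID"] in (4723, 4724)
            and e["Subject"] != e["Target"] and e["Subject"] not in admins]


if __name__ == "__main__":
    print("failed logon bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("RDP logons:", rdp_logons(SAMPLE_EVENTS))
    print("password changes to review:", suspicious_password_changes(SAMPLE_EVENTS, admins={"itadmin"}))
```

On a real system the same records would come from an EVTX export or `Get-WinEvent`, with the successful RDP logon following the failed attempts from the same source being the kind of sequence worth timelining.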