Windows includes many monitoring and logging capabilities and traces data and events for a large amount and variety of activities occurring in the operating system. The vast number of events, which can be logged, does neither make it easy for an administrator to identify the specific important events nor helps a forensic investigator to find Indicators of Compromise. Therefore, we will start this section with a small introduction to the Windows Event Log and the changes in its format over time, followed by a description of the important event types that should help an investigator to quickly find suspicious actions in the large amount of other events. In the last section of this chapter, we will demonstrate how to parse the Event Log and automatically find the potential IOCs (e.g., user logons, service creation, and so on).
Argentina
Australia
Austria
Belgium
Brazil
Bulgaria
Canada
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
France
Germany
Great Britain
Greece
Hungary
India
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Russia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
United States