Identifying uninstalled software using Event Logs with OSForensics
Windows Event Logs are a detailed record of system, security, and application notifications and messages stored by the Windows operating system. These logs are invaluable for troubleshooting, monitoring system health, and analyzing security incidents.
Here's an overview of the main types of Windows Event Logs:
Application Logs: These contain events logged by applications or programs. For example, a database application might record errors and significant operations here.
Security Logs: These log security-related events, such as login attempts, resource access, and system changes. They are crucial for auditing and monitoring security-related activities.
System Logs: These contain events logged by Windows system components. For example, drivers and services will log events here when they encounter issues or perform significant actions.
Setup Logs: These record events related to the installation of Windows itself and of system components and updates.
Forwarded Events: These are events collected from remote computers and stored locally.
Windows Event Logs are stored at the following path: C:\Windows\System32\winevt\Logs
OSForensics V7 can be used to help identify uninstalled software. Open the Event Log Viewer from the Start screen in OSF…
Uninstalls, like many other actions, leave records in the Windows Event Logs, so these logs can be analyzed for traces of software that is no longer present on the system.
You will first need to run a scan to search for any Event Logs located on a forensic image file or connected drive. Once the scan completes, navigate to the Application event logs
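The same records can be pulled from an Application log copied out of the image with Get-WinEvent, which is useful for cross-checking what the OSForensics viewer shows. This is an added example, not part of the original post or of OSForensics; the log path is an assumption, and the events it filters on are the Windows Installer (MsiInstaller) IDs 1034 ("Windows Installer removed the product") and 11724 ("Removal completed successfully"):

```powershell
# Added example: list Windows Installer uninstall records from an exported
# Application.evtx. Assumes the file was copied from the image at
# C:\Windows\System32\winevt\Logs\Application.evtx to the path below (assumed).
param(
    [string]$LogPath = 'C:\Cases\image1\Application.evtx'
)

# MsiInstaller event IDs that record a removal:
#   1034  - Windows Installer removed the product (Properties[0] = product name)
#   11724 - Product: <name> -- Removal completed successfully.
$uninstallIds = 1034, 11724

# Path= reads an offline .evtx; on a live system use LogName='Application' instead.
$filter = @{ Path = $LogPath; ProviderName = 'MsiInstaller'; Id = $uninstallIds }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            UserSid     = $_.UserId
            # First EventData field: product name for 1034, full text for 11724
            Product     = $_.Properties[0].Value
            Message     = ($_.Message -split "`r?`n")[0]
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Two caveats when reading the output: only MSI-based products write MsiInstaller events, so software removed by its own uninstaller (Inno Setup, NSIS, portable apps) will not appear here and must be hunted elsewhere; and the Application log is size-limited and overwrites the oldest entries, so an empty result does not prove nothing was uninstalled, only that no record survived.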
Note: The content on this website is provided for informational and educational purposes only.
* If there are any errors in the information, we apologize; please notify the Admin so they can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud