Digital Forensics: log file Analysis
Check Windows Event Logs.
- On Windows XP , are stored in c:\windows\system32\config
- By default, Event Viewer log files use the .evt extension and are located in the %SystemRoot%\System32\winevt\Logs folder.
- Application.evtx: Logs events from applications and programs.
- Security.evtx: Logs security events like successful or failed logins.
- System.evtx: Logs events related to Windows system components and drivers
Export all successful logon events to a text file named `logons.txt` on the computer's Desktop.
- Open Event Viewer and expand Windows Logs.
- Under Windows Logs, click on the Security which will populate the security events
- In the Actions area, select Filter Current Log.
- In the All Event IDs field, enter the Event ID
4624, then click OK. - In the Actions area, click on Save Filtered Log File As.
- Select Desktop for the location, for the file name type
logons.txt or logons.event, and select Text or Event files for the Save as type.
- Click the Save button.
2. Export all events from the security log to a file named `security.txt` on the server's Desktop.
- In the Action area, click Clear Filter to remove the filter from the previous section.
- Right click on Security under Windows Logs and select Save All Events As.
- Select Desktop for the location, for the file name type
security.txt orsecurity.event and select Text or Event files for the Save as type. - Click the Save button.
Q:On the system, what time did the user last log into the system? Download Event log
Ans:
A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
4624(S): An account was successfully logged on.
ที่มา:ultimatewindowssecurity
อ่านเพิ่มเติม Event Viewer
หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูล เผยแพร่ความรู้และให้โอกาสในการค้นคว้าหาข้อมูลเพื่อการศึกษา บุคคลที่สนใจโดยทั่วไป รวมถึงนักเรียน นิสิต นักศึกษา ในการเรีบนรู้เท่านั้น
No comments:
Post a Comment