"The audit log was cleared" won’t stop me: Advanced Windows Event Log Forensics

From BruCON 2017

Revision as of 21:16, 9 September 2014 by Znb

Obviously, event logs contain key forensic artefacts. But what can you do when they’ve been destroyed? This two hour, hands-on workshop will kick off with advanced recovery techniques to reconstruct deleted events from file systems and memory. I’ll provide incident response scenarios and forensic images that we’ll practice on together, and you can compete to be crowned the Event Log Necromancer. Next, we’ll dive into novel procedures to slice-n-dice event logs. You’ll learn how to reconstruct process trees at points in time, identify malware, and note anomalous user logins. A comprehensive hands-on exercise will cement these skills.
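The abstract mentions reconstructing process trees at points in time from event logs. The following is an added illustration, not material from the workshop or from BruCON: it takes a handful of constructed records shaped like Windows 4688 (process creation) events, each carrying a timestamp, the new process ID, the creator process ID and the image name, and rebuilds the parent/child tree as it stood at a chosen instant. The event values, the `ProcessStart` type and the function names are all assumptions made for this example. The point it makes that a naive join on PID would miss is PID reuse: a parent must be resolved to the most recent creation event for that PID that precedes the child, not to any event with a matching PID.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ProcessStart:
    """One process-creation record (fields modelled on a 4688 event)."""
    when: datetime   # TimeCreated
    pid: int         # New Process ID
    ppid: int        # Creator Process ID
    image: str       # New Process Name

T = lambda h, m, s: datetime(2017, 10, 5, h, m, s)

# Constructed sample log, not real data. PID 3000 is deliberately reused:
# winword.exe (09:02:00) exits and notepad.exe later starts with the same PID.
EVENTS = [
    ProcessStart(T(9, 0, 0),   4,    0,    "System"),
    ProcessStart(T(9, 0, 5),   600,  4,    "services.exe"),
    ProcessStart(T(9, 1, 0),   1200, 600,  "explorer.exe"),
    ProcessStart(T(9, 2, 0),   3000, 1200, "winword.exe"),
    ProcessStart(T(9, 2, 30),  4100, 3000, "cmd.exe"),
    ProcessStart(T(9, 5, 0),   3000, 1200, "notepad.exe"),
    ProcessStart(T(9, 5, 10),  5200, 3000, "powershell.exe"),
]

def find_parent(events, child):
    """The parent is the latest creation of child.ppid that precedes the child.
    Taking *any* event with that PID would wrongly attach children to a
    process that had already exited before the PID was recycled."""
    candidates = [e for e in events
                  if e.pid == child.ppid and e.when <= child.when and e is not child]
    return max(candidates, key=lambda e: e.when) if candidates else None

def build_tree(events, at):
    """Return (roots, children) for all processes created at or before `at`."""
    live = sorted((e for e in events if e.when <= at), key=lambda e: e.when)
    children = {e: [] for e in live}
    roots = []
    for e in live:
        parent = find_parent(live, e)
        if parent is None:
            roots.append(e)
        else:
            children[parent].append(e)
    return roots, children

def render(roots, children, depth=0):
    """Indented text listing of the tree, one line per process."""
    lines = []
    for node in roots:
        lines.append("  " * depth + f"{node.image} (pid {node.pid}, {node.when:%H:%M:%S})")
        lines.extend(render(children[node], children, depth + 1))
    return lines

def ancestry(events, at, pid):
    """Image names from the root down to the process holding `pid` at time `at`.
    Returns [] if no creation event for that PID exists by then."""
    live = [e for e in events if e.when <= at]
    starts = [e for e in live if e.pid == pid]
    if not starts:
        return []
    node = max(starts, key=lambda e: e.when)
    chain, seen = [], set()
    while node is not None and node not in seen:   # `seen` guards against cycles
        seen.add(node)
        chain.append(node.image)
        node = find_parent(live, node)
    return list(reversed(chain))

if __name__ == "__main__":
    for at in (T(9, 3, 0), T(9, 6, 0)):
        print(f"--- process tree at {at:%H:%M:%S} ---")
        print("\n".join(render(*build_tree(EVENTS, at))))
    print(ancestry(EVENTS, T(9, 6, 0), 5200))
```

Run as a script it prints the tree at 09:03 (five processes, cmd.exe under winword.exe) and again at 09:06, where powershell.exe correctly hangs off notepad.exe rather than winword.exe because notepad.exe is the most recent holder of PID 3000 before 09:05:10. The same resolution rule is what lets an analyst ask "what was the parent chain of this PID at the moment of the alert" rather than "which processes ever had this PID".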