"The audit log was cleared" won’t stop me: Advanced Windows Event Log Forensics

From BruCON 2016

Obviously, event logs contain key forensic artefacts. But what can you do when they’ve been destroyed? This two hour, hands-on workshop will kick off with advanced recovery techniques to reconstruct deleted events from file systems and memory. I’ll provide incident response scenarios and forensic images that we’ll practice on together, and you can compete to be crowned the Event Log Necromancer. Next, we’ll dive into novel procedures to slice-n-dice event logs. You’ll learn how to reconstruct process trees at points in time, identify malware, and note anomalous user logins. A comprehensive hands-on exercise will cement these skills.
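One of the techniques the abstract names, reconstructing the process tree as it stood at a chosen moment, can be shown on the Security log's process-creation and process-exit events. The following is an added example written for this page; it is not material from the workshop or from BruCON. It assumes the field names of Windows Security Event ID 4688 (NewProcessId, NewProcessName, and ProcessId for the creating process, PIDs logged as hex strings) and Event ID 4689 (ProcessId of the exiting process); the event values themselves are constructed. Creator PIDs are resolved against the processes still running at creation time, so a reused PID is attributed to the right parent.

```python
"""Rebuild a Windows process tree at a point in time from 4688/4689 events.

Added example for the workshop abstract above, not workshop material.
Field names follow the Security log's 4688 (process creation) and 4689
(process exit) events; every value in SAMPLE_EVENTS is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    name: str
    start: datetime
    parent: Optional["Proc"] = None
    end: Optional[datetime] = None
    children: List["Proc"] = field(default_factory=list)

    def alive_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed records shaped like exported 4688/4689 event data (PIDs are hex,
# as Windows logs them). PID 0x4b0 is deliberately reused after WINWORD exits.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:00:00", "NewProcessId": "0x1f0",
     "NewProcessName": "C:\\Windows\\System32\\services.exe", "ProcessId": "0x1c4"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:00:05", "NewProcessId": "0x2a8",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "ProcessId": "0x1f0"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:10:00", "NewProcessId": "0x3e8",
     "NewProcessName": "C:\\Windows\\explorer.exe", "ProcessId": "0x3c0"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:12:00", "NewProcessId": "0x4b0",
     "NewProcessName": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ProcessId": "0x3e8"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:12:30", "NewProcessId": "0x5dc",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": "0x4b0"},
    {"EventID": 4689, "TimeCreated": "2016-10-27T09:13:00", "ProcessId": "0x4b0"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:14:00", "NewProcessId": "0x4b0",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ProcessId": "0x3e8"},
    {"EventID": 4688, "TimeCreated": "2016-10-27T09:15:00", "NewProcessId": "0x640",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ProcessId": "0x4b0"},
]


def build_processes(events) -> List[Proc]:
    """Turn 4688/4689 records into Proc objects with parent/child links.

    Events are replayed in time order. A creator PID is resolved to the
    process that currently holds that PID, so after a 4689 the PID may be
    handed out again and the new holder becomes the parent of later children.
    A creator that was never logged (started before auditing) yields a root.
    """
    procs: List[Proc] = []
    live: Dict[int, Proc] = {}
    for ev in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        t = _ts(ev["TimeCreated"])
        if ev["EventID"] == 4688:
            pid = int(ev["NewProcessId"], 16)
            parent = live.get(int(ev["ProcessId"], 16))
            p = Proc(pid, ev["NewProcessName"], t, parent)
            if parent is not None:
                parent.children.append(p)
            procs.append(p)
            live[pid] = p
        elif ev["EventID"] == 4689:
            p = live.pop(int(ev["ProcessId"], 16), None)
            if p is not None:
                p.end = t
    return procs


def tree_at(procs: List[Proc], when: str) -> List[Proc]:
    """Roots of the tree at `when`: running processes whose parent is gone or unknown."""
    t = _ts(when)
    alive = [p for p in procs if p.alive_at(t)]
    return [p for p in alive if p.parent is None or not p.parent.alive_at(t)]


def render(roots: List[Proc], when: str, depth: int = 0, out=None) -> List[str]:
    """Indented text lines ('<pid> <basename>') for the tree at `when`."""
    t = _ts(when)
    out = [] if out is None else out
    for p in sorted(roots, key=lambda p: p.start):
        out.append("  " * depth + f"{p.pid} {p.name.rsplit(chr(92), 1)[-1]}")
        render([c for c in p.children if c.alive_at(t)], when, depth + 1, out)
    return out


if __name__ == "__main__":
    procs = build_processes(SAMPLE_EVENTS)
    for when in ("2016-10-27T09:12:45", "2016-10-27T09:15:30"):
        print(f"--- tree at {when} ---")
        print("\n".join(render(tree_at(procs, when), when)))
```

Two points in the sample output are the ones an analyst cares about: at 09:12:45 powershell.exe sits under WINWORD.EXE, and at 09:15:30 it survives as an orphaned root because its parent exited, while the reused PID 0x4b0 now correctly names notepad.exe as the parent of cmd.exe. A naive join on PID alone would attach cmd.exe to the dead WINWORD process.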