Difference between revisions of ""The audit log was cleared" won’t stop me: Advanced Windows Event Log Forensics"

From BruCON 2016

Latest revision as of 21:16, 9 September 2014

Obviously, event logs contain key forensic artefacts. But what can you do when they’ve been destroyed? This two hour, hands-on workshop will kick off with advanced recovery techniques to reconstruct deleted events from file systems and memory. I’ll provide incident response scenarios and forensic images that we’ll practice on together, and you can compete to be crowned the Event Log Necromancer. Next, we’ll dive into novel procedures to slice-n-dice event logs. You’ll learn how to reconstruct process trees at points in time, identify malware, and note anomalous user logins. A comprehensive hands-on exercise will cement these skills.