A few tips on Windows event log analysis for forensics, including looking at AV logs, timing events, etc.
I especially liked this bit, which I didn't know before: "Event ID 35 (Source: W32Time) is an Information event that tells you that your system is sync'ing with a time server, and provides the IP address of your system. This can be very useful in a DHCP environment, as it tells you the IP address assigned to the system (actually, the interface) at a particular date and time."
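The technique described above, as an added example (not code from the linked post): pull every Event ID 35 written by the time service from the live System log or an acquired System.evtx, and turn it into a timeline of which local IP the interface held at each sync. The provider names and the "LOCAL:port->PEER:port" message layout are assumptions about the Windows builds in question; adjust the regex if your build words the event differently.

```powershell
# Added example: timeline of local IP addresses from W32Time sync events (Event ID 35).
# Assumptions: the source is 'W32Time' on older Windows and 'Microsoft-Windows-Time-Service'
# on newer ones, and the message embeds the sockets as "LOCAL:port->PEER:port".
function Get-W32TimeSyncTimeline {
    param(
        # Optional path to an acquired System.evtx; defaults to the live System log
        [string]$EvtxPath
    )

    $filter = @{ Id = 35; ProviderName = @('W32Time', 'Microsoft-Windows-Time-Service') }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'System' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed layout: "...(ntp.m|0x8|192.0.2.10:123->203.0.113.5:123)"
            $m = [regex]::Match($_.Message,
                '(\d{1,3}(?:\.\d{1,3}){3}):\d+->(\d{1,3}(?:\.\d{1,3}){3}):\d+')
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                # A LocalIP of 0.0.0.0 means this build did not record the interface address
                LocalIP     = if ($m.Success) { $m.Groups[1].Value } else { $null }
                TimeSource  = if ($m.Success) { $m.Groups[2].Value } else { $null }
                RecordId    = $_.RecordId
            }
        } | Sort-Object TimeCreated
}

# Live system:        Get-W32TimeSyncTimeline | Format-Table -AutoSize
# Acquired evidence:  Get-W32TimeSyncTimeline -EvtxPath 'C:\case\System.evtx' | Format-Table -AutoSize
```

Correlate the resulting (TimeCreated, LocalIP) pairs with DHCP server leases or firewall logs to tie network activity at a given moment back to this host.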