Wednesday, July 11, 2007

Windows Log Analysis for Incident Response

A few tips on Windows event log analysis for forensics, including looking at AV logs, timing events, etc.

I especially liked this bit, which I didn't know before: "Event ID 35 (Source: W32Time) is an Information event that tells you that your system is sync'ing with a time server, and provides the IP address of your system. This can be very useful in a DHCP environment, as it tells you the IP address assigned to the system (actually, the interface) at a particular date and time."
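To put the quoted point to work, here is an added example (not from the original post or the linked article) that filters exported Windows event records for W32Time Event ID 35, pulls the host's own address out of the message text, and builds a timeline of which IP the system held at which time. The sample records and the "|local:port->server:port" message layout it parses are constructed assumptions for illustration; confirm the wording on the Windows version you are examining before relying on the regex.

```python
import re
from datetime import datetime

# Constructed sample of exported event-log rows (timestamp, source, event ID, message); not real data.
# The "|<local ip>:port-><server ip>:port" layout inside the message is an assumption for illustration.
SAMPLE_EVENTS = [
    ("2007-07-09 08:02:11", "W32Time", 35, "Synchronizing with ntp.corp.example (ntp.m|0x1|10.1.2.57:123->10.1.0.5:123)."),
    ("2007-07-09 08:02:13", "Service Control Manager", 7036, "The Windows Time service entered the running state."),
    ("2007-07-10 17:45:02", "W32Time", 35, "Synchronizing with ntp.corp.example (ntp.m|0x1|10.1.2.57:123->10.1.0.5:123)."),
    ("2007-07-11 09:10:40", "W32Time", 35, "Synchronizing with ntp.corp.example (ntp.m|0x1|10.1.2.88:123->10.1.0.5:123)."),
    ("2007-07-11 09:10:41", "W32Time", 35, "Synchronizing with ntp.corp.example (unrecognised wording)."),
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
SYNC_RE = re.compile(rf"\|({IPV4}):\d+->({IPV4}):\d+")   # group 1: local address, group 2: time server
TS_FMT = "%Y-%m-%d %H:%M:%S"


def sync_records(events):
    """(timestamp, local IP, time-server IP) for every W32Time Event ID 35, sorted by time."""
    out = []
    for ts, source, event_id, message in events:
        if source != "W32Time" or event_id != 35:
            continue
        m = SYNC_RE.search(message)
        if m is None:      # unfamiliar message layout: skip rather than guess an address
            continue
        out.append((datetime.strptime(ts, TS_FMT), m.group(1), m.group(2)))
    return sorted(out)


def ip_timeline(events):
    """Collapse consecutive syncs with the same local IP into (first_seen, last_seen, ip) spans.
    last_seen is only the last observation; a new DHCP lease may have arrived before the next sync."""
    spans = []
    for ts, ip, _server in sync_records(events):
        if spans and spans[-1][2] == ip:
            spans[-1] = (spans[-1][0], ts, ip)
        else:
            spans.append((ts, ts, ip))
    return spans


def ip_at(events, when):
    """Best-effort 'which IP did this host have at <when>?': latest sync at or before it, else None."""
    t = datetime.strptime(when, TS_FMT)
    ip = None
    for ts, addr, _server in sync_records(events):
        if ts > t:
            break
        ip = addr
    return ip
```

Because the address is only recorded when the time service syncs, treat a span as proof the host held that IP at the observed moments, not across the whole interval.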

Dr Anton Chuvakin