On Windows operating systems, the event logs store a lot of useful information about the system, users, activities and applications. The main purpose of the event logs is to provide information to administrators and users. They are structured in five levels (information, warning, error, critical, and success/failure audit). In terms of forensic analysis, this is a valuable source to understand the course of actions on a system. In this post, we went through how Windows ArtiFast analyzes "Windows Event Logs" artifact in detail.
Windows event logs are important for understanding incidents that occurred on a target system. This artifact can be a valuable source of information, especially, during data leak or hacking cases. Security event logs store incidents based on the Windows operating system audit policies. On the other hand, system event logs contain the status of a device and operating system specific incidents. Application event logs track application erros, installation results and more.
Windows Event Viewer enables administrators and users to view the event logs. The tool provides filtering capabilites by time, event level and source, however, navigating through the Event Viewer can be challenging due to the amount of information presented. Therefore, text-based structured analysis of event logs may be considered a better approach. Users can identify the results and causes of cyber incidents on a system by corelating specific events on the system and focusing on specific event ids (such as 4624, 4625, and so on).
In Windows operating systems, the default location of the event logs is at
In addition, information related to the Custom logs can be found in the following registry key:
Windows event log are structured in five channels:
This section discusses how to use ArtiFast Windows to analyze Windows Event Log artifact from Windows machines and
what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Event Logs artifact:
By double clicking on a specific log entry on the Artifact View, you can investigate details of the that log entry. The figure below shows the details of a Security event id 4624 (successful logon).
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Event Logs artifact in ArtiFast software.
Windows Event Logs Artifact
The artifact contains Event Logs in Windows operating systems. The details you can view include:
For more information or suggestions please contact: firstname.lastname@example.org