Understanding Windows Event Logs | Digital Forensics Case Study | Windows Event Forensics - Part 2

Let's clear up our understanding of Windows event logs with a digital forensics case study. Now that we have learned the basics of Windows event logs, and how to repair corrupted logs and analyze them using LogParser 2.2, it is time to analyze the logs in depth with a forensics case study.
-------------------------------------------------------------------------------------------------------------------------
📝

We request you to watch the full episode to follow the full flow of the investigation!!

🔥

Details of the Case Study-

1. User account creation alert on CJ's endpoint.
2. Sam couldn't identify the details of which account got created, since those details are masked.
3. Sam called the user to identify whether there is any stored sensitive data on his/her machine, and grabbed one password-protected ZIP file.
4. Sam can't take a full machine dump.
5. Sam collected the Windows event logs from the system (Application, Security, System) and a registry dump.

Now, as forensic investigators, we need to identify what went wrong and how it happened!

🙏
***If you enjoy this video, please consider subscribing to my channel and sharing this with your community as well*** 🙏

🔥



What's next in BlackPerl?
-------------------------------------------------------------------------------------------------------------------------
In the next episode, we will come up with more such tools and techniques for DFIR and will try to explain them with real-life use cases.
Also, if you want us to cover any particular topic, please let us know in the comment section below.

📞📲
We are socially active as well-
-----------------------------------------------------------------------------------------------------------------------
Twitter: @blackperl_dfir


Timelines
-------------------------------------------------------------------------------------------------------------------------
0:00 ⏩ Intro
1:34 ⏩ Case Study Details
4:51 ⏩ Demo
41:00 ⏩ Summarize
-------------------------------------------------------------------------------------------------------------------------
Thanks for watching!! Be CyberAware!! 🤞
Comments

Hey Guys... Another Case Study is here! I tried to explain how we can use LogParser to analyze the Windows event logs and even the full workflow of an incident. I hope you will enjoy the episode and if you have any query, please feel free to post it. 😊

CMDs I have used in this episode-

User Creation:

"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Logs\Good Event Logs\SecEvent.evtx' WHERE EventID = '624'"

"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated as Time, EventType, EventTypeName, Strings as User, ComputerName FROM 'Logs\Good Event Logs\SecEvent.evtx' WHERE EventID = '624'"

User Login:

LogParser -stats:OFF -i:EVT "SELECT * FROM 'Logs\Good Event Logs\SecEvent.evtx' WHERE Strings LIKE 'helpdesk%' and (EventID = '528' or EventID = '540')"


LogParser -stats:OFF -i:EVT "SELECT TimeGenerated as LoginTime, EventTypeName, ComputerName, SID FROM 'Logs\Good Event Logs\SecEvent.evtx' WHERE Strings LIKE 'helpdesk%' and (EventID = '528' or EventID = '540')"


User Logoff:

LogParser -stats:OFF -i:EVT "SELECT TimeGenerated as LogoffTime, EventTypeName, ComputerName, SID FROM 'Logs\Good Event Logs\SecEvent.evtx' WHERE Strings LIKE 'helpdesk%' and EventID = '538'"

Program Install:

LogParser -stats:OFF -i:EVT "SELECT * FROM 'Logs\Good Event Logs\AppEvent.evtx' WHERE EventID = '11728'"

LogParser -stats:OFF -i:EVT "SELECT Strings FROM 'Logs\Good Event Logs\AppEvent.evtx' WHERE EventID = '11728' AND

BlackPerl
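The correlation those queries perform by hand, as an added Python example that is not part of the original video or comment: constructed records shaped like LogParser's EVT columns (TimeGenerated, EventID, Strings) are filtered the way the SELECT ... WHERE EventID / Strings LIKE clauses do, the helpdesk logons (528/540) are paired with logoffs (538) into sessions, and MSI installs (11728) are checked against those sessions. The 'helpdesk' account, the event IDs and the column names come from the commands above; the sample events and the ev/like/query/sessions/timeline helpers are assumptions made for this example.

```python
from datetime import datetime
from fnmatch import fnmatchcase

def ev(time_generated, event_id, strings):
    # One record with the LogParser -i:EVT columns the queries above select from.
    return {"TimeGenerated": time_generated, "EventID": event_id, "Strings": strings}

# Constructed sample log: Strings holds the event's insertion strings joined with '|',
# as LogParser renders them. 'helpdesk' and the event IDs come from the queries above.
EVENTS = [
    ev("2021-03-10 09:02:11", 624, "helpdesk|CJ-PC|S-1-5-21-1-2-3-1005|cj|CJ-PC|(0x0,0x3E7)"),
    ev("2021-03-10 09:05:40", 528, "helpdesk|CJ-PC|(0x0,0x3E7B2)|2|User32"),
    ev("2021-03-10 09:07:03", 11728, "Product: 7-Zip 19.00 -- Configuration completed successfully."),
    ev("2021-03-10 09:21:55", 538, "helpdesk|CJ-PC|(0x0,0x3E7B2)|2"),
    ev("2021-03-10 10:00:00", 528, "cj|CJ-PC|(0x0,0x41000)|2|User32"),
    ev("2021-03-10 10:12:30", 11728, "Product: Notepad++ -- Configuration completed successfully."),
]

def like(value, pattern):
    # SQL LIKE as used in the queries: % -> any run, _ -> one char, case-insensitive.
    return fnmatchcase(value.lower(), pattern.lower().replace("%", "*").replace("_", "?"))

def ts(rec):
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%d %H:%M:%S")

def query(events, event_ids, user_like=None):
    # Equivalent of SELECT ... WHERE EventID IN (...) [AND Strings LIKE 'helpdesk%'].
    return sorted((e for e in events if e["EventID"] in event_ids
                   and (user_like is None or like(e["Strings"], user_like))), key=ts)

def sessions(events, user_like):
    # Pair 528/540 logons with 538 logoffs on the logon ID (third insertion string).
    open_logons, done = {}, []
    for e in query(events, {528, 540, 538}, user_like):
        user, _, logon_id = e["Strings"].split("|")[:3]
        if e["EventID"] != 538:
            open_logons[logon_id] = (user, ts(e))
        elif logon_id in open_logons:
            user, start = open_logons.pop(logon_id)
            done.append((user, start, ts(e)))
    done += [(u, start, None) for u, start in open_logons.values()]  # never logged off
    return sorted(done, key=lambda s: s[1])

def timeline(events, user_like):
    # Who created the account, its sessions, and 11728 installs that fell inside one.
    created = [(ts(e), e["Strings"].split("|")[3]) for e in query(events, {624}, user_like)]
    sess = sessions(events, user_like)
    in_session = [(ts(e), e["Strings"]) for e in query(events, {11728})
                  if any(s <= ts(e) and (end is None or ts(e) <= end) for _, s, end in sess)]
    return {"created": created, "sessions": sess, "installs_in_session": in_session}
```

Running `timeline(EVENTS, "helpdesk%")` on the constructed log shows the account created by 'cj', one helpdesk session, and only the 7-Zip install landing inside it.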

Awesome information sir, I learnt new skills as a digital forensics investigator

RamaKrishna-lgzo

Awesome explanation Archan. thanks a lot for creating this one.

futurebuddies

Thank you for your great video!! I have one question: is it possible to check if the user has manually cleared their Windows event log? Does Windows record this as an event in the new log?

kkkyyymmm

Bro, you are awesome. Excellent. I just love them... I was looking for this kind of video. Do you have any O365 log analysis as well?

cyberwarriorall

Can you suggest some queries for catching PowerShell queries?

cyberwarriorall

Could you please explain how to analyze using a SIEM tool?

b.kranthikumar

Thanks for this video. I have a doubt: let's say the attacker has cleared the audit logs and you see a 1102 event. Is there any other way we can check the security logs or recover them?

CulinaryMyway

Really useful and informative brother keep it up ...keep going brother you are rocking 🎉

innocentgamer

awesome content. learned something new today.

anishdash

Which event IDs need to be monitored for suspicious behaviour? Can you make a video on it?

zivakhan

This was absolutely one of the best videos I've seen on log analysis, thank you so much. Can you please post the link again to where you got the zip file password cracker?

laptoplifestylegeez

Was waiting for this one so eagerly! Thanks for sharing. Can you share the event logs for practice?
Can I search logs by IP addresses?

jamescullins