FOR223 - Windows Log Files and Other History

Windows maintains a significant amount of data on its past activity as part of its normal operation. This is used for self-diagnosis, performance monitoring, and error reporting, as well as for common functions such as user login/logout tracking and file access auditing. Using this information, a forensic investigator can create a detailed timeline of a user's activities, going back months or in some cases years. Learn what information Windows maintains and where to find it.

Level: Intermediate

Audience: Cyber forensics investigators

  • Windows Event Viewer
  • System, application, and security logs
  • Enabling security event logging
  • System and application dump files; Windows Error Reporting
  • Shell (Explorer) features
  • Prefetch files
  • Internet Explorer: history, cookies, download manager, saved passwords
  • ETW logs
  • Registry evidence
    • Registry overview
    • Evidence of previous volumes
    • Services list
    • Device lists
    • COM objects and .NET assemblies
  • Setup logs
    • Application installations
    • Plug-and-play manager
  • Restore points
  • Desktop indexing
  • Applications' logs

Attendees should be familiar with Windows at the “power user” or system administrator level.

Much of the information in the log files relates to internal mechanisms described in FOR205, Windows Internals for Forensics, so taking that course first is strongly recommended.

Operating systems supported: All Windows versions
Durations and formats: 1 day with labs