Session 2: Using Log Parser to Correlate Windows Log Data for Forensics When Investigating Intrusions
Time: 3.20pm to 4.05pm
Synopsis: Microsoft has built the Application, Security and System event logs into the OS from Windows®NT v3.51 forward. This session will delve into how these logs can be configured properly to audit the success and failure of all security-related events, since the Security log only records what the audit policy tells it to. Additionally, other services (IIS™, ISA™, routers etc.) have their own logs that contain vital information independent of the OS.
Next, we will learn what Log Parser is, how it works and what it can do. We will then walk through some scripts, and build some from scratch, to identify many kinds of suspicious activity. Most of the time these activities are followed by some sort of malicious activity, so we will then attempt to find those indicators by checking the files and system services for “strange” activity. Finally, we will look at other “cool” uses of Log Parser.
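As an added example of the kind of script the session describes (this is not material from the session itself), the Log Parser query below counts failed logons per target account, source workstation and five-minute window, which is the usual first pass for spotting a password-guessing attack in the Security log. It assumes Windows 2000/2003 event IDs (529 = logon failure; on Vista and later the equivalent is 4625, with different insertion-string positions), the default “|” separator for the EVT input format's Strings field, and the file and threshold names used here are illustrative.

```sql
-- Added example query for Log Parser 2.2 (not from the session). Save as
-- failed_logons.sql and run on the host being investigated:
--   LogParser.exe -i:EVT -o:CSV -stats:OFF file:failed_logons.sql
-- Assumed layout: for event 529 the Strings field (insertion strings joined
-- with "|") has the target user at token 0 and the workstation at token 5.
-- Event IDs and token positions differ on Vista and later (4625), so adjust
-- both before reusing this against a newer Security log.
SELECT
    QUANTIZE(TimeGenerated, 300)       AS Window,        -- 5-minute buckets
    EXTRACT_TOKEN(Strings, 0, '|')     AS TargetUser,
    EXTRACT_TOKEN(Strings, 5, '|')     AS Workstation,
    COUNT(*)                           AS Failures
INTO failed_logons.csv
FROM Security
WHERE EventID = 529
GROUP BY Window, TargetUser, Workstation
HAVING COUNT(*) > 5                    -- illustrative threshold
ORDER BY Failures DESC
```

A burst of failures against one account from one workstation is the indicator to pivot on: re-run the query without the HAVING clause, restricted to that user and window, to see whether a successful logon (event 528 or 540 on these platforms) followed the failures.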
Link to the event: http://go.microsoft.com/?linkid=8861657