Understanding Windows logs

The most prevalent endpoint operating system that responders will have to examine related to an incident is by far the Windows OS. Due to the overwhelming market share that Microsoft has, the vast majority of enterprise endpoints will be Microsoft desktop/laptop, server, or virtual systems. As a result, it is critical that responders have a solid understanding of how to leverage the Windows event logs for incident analysis.

The Windows event logs provide extensive data on the actions of the operating systems, connections from other systems, and credential use, along with the use of PowerShell. Adversarial tactics from initial compromise using malware or other exploits, credential accessing, and elevation and lateral ...

Get Digital Forensics and Incident Response - Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.