Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Mastering Windows Network Forensics and Investigation

Mastering Windows Network
Forensics and Investigation
Chapter 11: Text-Based Logs
Chapter Topics:
•
•
•
•
•
Windows IIS Logs
Windows FTP Server Logs
Windows DHCP Server Logs
Windows XP Firewall Logs
Microsoft Log Parser
April 13, 2015
© Wiley Inc. 2007. All Rights Reserved
2
Windows IIS Logs
• Microsoft web server is called Internet
Information Services (IIS)
• Detailed logging enabled by default
• Most common & default format is WC3
Extended Log File Format
• Log timestamps are GMT
• Default location:
%WinDir%\System32\Logfiles\W3SVC1\
• Log per day in format exyymmdd.log,
where yy=year, mm=month, & dd=day
Example of IIS Log Entry
Windows FTP Logs
• Microsoft FTP Server
• Detailed logging enabled by default
• Most common & default format is WC3
Extended Log File Format
• Log timestamps are GMT
• Default location:
%WinDir%\System32\Logfiles\MSFTPSV
C1\
• Log per day in format exyymmdd.log,
where yy=year, mm=month, & dd=day
Example of FTP Log Entry
Microsoft DHCP Server Logs
• Dynamic Host Configuration Protocol
(DHCP) service in which IP address
assigned dynamically upon request
by host.
• Microsoft servers provide this
services
• IP address loaned for a short period
and thus which machine had which IP
address is based on particular point in
time.
• Logs record host to which IP was
assigned
• Time is local system time zone!
Microsoft DHCP Server Logs
• Default location for log is:
C:\%SystemRoot%\System32\DHCP\
• Logs stored in one file per day
basis
• Format of log file name is:
DhcpSrvLog-XXX.log, where
XXX=three letters of day of week,
i.e. DhcpSrvLog-Sat.log
• Therefore, only 1 full week stored!
DHCP Log
DHCP Log
•
•
•
•
•
•
•
Event ID
Date
Time (Local system time zone)
Description / Action
IP address assigned
Host name to which IP assigned
MAC address to which IP
assigned
Windows Firewall Logs
• Firewall added to XP with SP 2
• Firewall on by default
• Very good logging utility,
however, is off by default
• Enabling is buried deep in user
interface
– Don’t expect to find it enabled
often, except in domain settings
with good administrator!
Windows Firewall Logs
• Default location of firewall logs is:
%SystemRoot%\pfirewall.log
• Always look for it anyway
Windows Firewall Log Header
Windows Firewall Log Data
Microsoft Log Parser
• Free utility from Microsoft
• Truly a Swiss Army Knife
forensic utility
• Processes nearly all forms of
M/S logs, plus dozens of others
• Three components
– Input engine
– SQL query engine
– Output engine
M/S Log Parser DATAGRID Output
Related documents
X-Logs Training PowerPoint
X-Logs Training PowerPoint
Lecture 6 PPT
Lecture 6 PPT
15-Defense
15-Defense
Managing logs with syslog -ng and SWATCH
Managing logs with syslog -ng and SWATCH
Itinerant Time Tracker (ITT) User Manual
Itinerant Time Tracker (ITT) User Manual
Detecting Penetration Testing Ron Gula, SOURCE 2010 WE ARE IN
Detecting Penetration Testing Ron Gula, SOURCE 2010 WE ARE IN
- Team System Cafe
- Team System Cafe
Kenneth Stecker and perry Curtis August 2013
Kenneth Stecker and perry Curtis August 2013
Barracuda Web Application Firewall
Barracuda Web Application Firewall
Executive Office of Labor & Workforce Development
Executive Office of Labor & Workforce Development
Reach 2010
Reach 2010
Lab 11 - Personal Web Pages
Lab 11 - Personal Web Pages
Download