How Windows admins can get started with computer forensics
4 min read
fairly easy
Analysing forensics logs requires a unique approach. Here are the basics of what you need to know and the tools to use.
Credit: Dreamstime

The recent cybersecurity symposium that aimed to "prove" the 2020 US election was a fraud made headlines not because of evidence found, but rather the absence of evidence. As I watched the three-day event, it reminded me how unknown most of the technology behind computers is. A bit of disclosure: While I've analysed computer systems and even testified in court about them, I would not consider myself an expert in all forensic circumstances. I can authoritatively discuss what a Windows event log looks like, but if I'm looking at a software that I'm not familiar with, I don't know what its "normal" looks like.

Computer forensics is a combination of understanding exactly what a computer is doing, the evidence it leaves behind, what artifacts you are looking at, and whether you can come to a conclusion about what you are seeing. Packet capture expert Robert Graham said it best in a recent tweet:

Remember that's what we are trying to sift through: a world of things we don't understand that look suspicious as hell, and the world of things that we do understand that we can pin down exactly what happened.

Questions to ask before doing a forensic investigation

When an event occurs the first thing you should ask yourself these questions:

What did you plan on capturing before the event occurred?

Did you have event logging enabled and enhanced with Sysmon?

Do you know if the computers and systems you plan to sample are synchronised in time so that when you look at the log file of one device it will correlate with the timestamps of another device?

Do you know the normal traffic or behavior of the software you are looking at?

Do you know what websites or IP addresses are normal and baseline for that machine?

Why forensic images are different

Reviewing a computer system in a tool like FTK Imager can be daunting if you have never taken a…
Read full article