Forensic Analysis of Windows Event Logs (Windows Files Activities Audit)
An earlier article discussed the problems of collecting and analyzing logon events in Windows. It is no secret that information on file activity is essential for many applications. A good starting point for investigating Windows file activity events is the article by Ofer Shezaf, currently a product manager at Varonis.
Windows does not record file activity directly; it logs granular file operations that require further processing to produce a file activity log. Ofer Shezaf treats these Windows events as transaction logs. He notes that the delete operation is a unique case in which there is a fourth important event. A sequence is identified by the “Handle ID” event property, which is unique to that sequence only until a reboot (a Handle ID can be reused afterwards). Besides the Windows file activity audit flow, the article discusses the processing required to turn the raw events into meaningful operations in a file activity log.
To determine the actual effect of an operation, it is necessary to interpret the access rights actually exercised, as reported in the “Accesses” event property. Every file action is logged. Unfortunately, some things cannot be determined from the event log alone.
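The correlation described above, as an added example that is not code from Ofer Shezaf’s article or from Varonis: raw object-access audit events are grouped by Handle ID into one file operation each, the delete sequence is recognized by its fourth event, and the effect is derived from the accesses actually exercised rather than those requested. It assumes the standard Security log event IDs 4656 (handle requested), 4663 (object accessed), 4660 (object deleted) and 4658 (handle closed), and a constructed `boot` field that stands in for whatever boot-session marker the collector uses, because a Handle ID is only unique until a reboot. The sample events are constructed, not real log data.

```python
"""Collapse raw Windows object-access audit events into file-activity records."""
from collections import OrderedDict

# Access strings as they appear in the "Accesses" property of 4663 events.
READ_ACCESSES = {"ReadData (or ListDirectory)", "ReadAttributes", "ReadEA"}
WRITE_ACCESSES = {"WriteData (or AddFile)", "WriteAttributes", "WriteEA",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)"}

# Constructed sample events (not real log data). "boot" is an assumed
# boot-session marker; "handle" is the Handle ID event property.
SAMPLE_EVENTS = [
    # 1: read+write requested, only read exercised -> effect is "read"
    {"id": 4656, "boot": "b1", "handle": "0x1a4", "object": r"C:\data\report.docx",
     "user": "alice", "accesses": ["ReadData (or ListDirectory)", "WriteData (or AddFile)"]},
    {"id": 4663, "boot": "b1", "handle": "0x1a4", "accesses": ["ReadData (or ListDirectory)"]},
    {"id": 4658, "boot": "b1", "handle": "0x1a4"},
    # 2: the delete sequence has a fourth event, 4660
    {"id": 4656, "boot": "b1", "handle": "0x2b0", "object": r"C:\data\old.txt",
     "user": "alice", "accesses": ["DELETE"]},
    {"id": 4663, "boot": "b1", "handle": "0x2b0", "accesses": ["DELETE"]},
    {"id": 4660, "boot": "b1", "handle": "0x2b0"},
    {"id": 4658, "boot": "b1", "handle": "0x2b0"},
    # 3: Handle ID 0x1a4 reused after a reboot; the boot marker keeps it separate
    {"id": 4656, "boot": "b2", "handle": "0x1a4", "object": r"C:\data\notes.txt",
     "user": "bob", "accesses": ["WriteData (or AddFile)"]},
    {"id": 4663, "boot": "b2", "handle": "0x1a4", "accesses": ["WriteData (or AddFile)"]},
    {"id": 4658, "boot": "b2", "handle": "0x1a4"},
    # 4: write access requested but never exercised: nothing provable happened
    {"id": 4656, "boot": "b2", "handle": "0x3c8", "object": r"C:\data\empty.txt",
     "user": "bob", "accesses": ["WriteData (or AddFile)"]},
    {"id": 4658, "boot": "b2", "handle": "0x3c8"},
]


def classify(exercised, deleted):
    """Derive the effect from exercised accesses, not from the 4656 request."""
    if deleted:
        return "delete"
    if exercised & WRITE_ACCESSES:
        return "write"
    if exercised & READ_ACCESSES:
        return "read"
    return "open-only"  # handle opened and closed, no access exercised


def build_activity_log(events):
    """Return one record per (boot, Handle ID) sequence, in close order."""
    open_seqs = OrderedDict()
    log = []
    for ev in events:
        key = (ev["boot"], ev["handle"])
        if ev["id"] == 4656:
            open_seqs[key] = {"object": ev["object"], "user": ev["user"],
                              "requested": set(ev["accesses"]), "exercised": set(),
                              "deleted": False, "events": 1}
            continue
        seq = open_seqs.get(key)
        if seq is None:
            # 4663/4660/4658 without a matching 4656 in this boot session
            log.append({"object": "?", "user": "?", "effect": "orphan", "events": 1})
            continue
        seq["events"] += 1
        if ev["id"] == 4663:
            seq["exercised"] |= set(ev["accesses"])
        elif ev["id"] == 4660:
            seq["deleted"] = True
        elif ev["id"] == 4658:
            log.append({"object": seq["object"], "user": seq["user"],
                        "effect": classify(seq["exercised"], seq["deleted"]),
                        "events": seq["events"]})
            del open_seqs[key]
    # Handles never closed are reported as still open
    for seq in open_seqs.values():
        log.append({"object": seq["object"], "user": seq["user"],
                    "effect": classify(seq["exercised"], seq["deleted"]) + " (open)",
                    "events": seq["events"]})
    return log


if __name__ == "__main__":
    for rec in build_activity_log(SAMPLE_EVENTS):
        print(rec)
```

Sequence 4 shows the limitation the text names: the log proves only that a handle with write access was opened and closed, so the collapsed record says "open-only" rather than guessing a write.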
“Collecting Windows file activity is a massive event flow and the Microsoft event structure, generating many operation events for a single file action, does not help. Beyond limited and costlier scalability, this would also mean that the raw Windows event flow is transported, indexed and stored, consuming massive and potentially unneeded computing resources.”
From his analysis, Ofer Shezaf concludes that the new Microsoft Windows Advanced Threat Protection (ATP) uses new code added to the Windows 10 kernel to collect telemetry, while Microsoft Advanced Threat Analytics (ATA) uses network tapping to collect information. Neither relies on the Windows Event Log.
P.S. This article uses a fragment of Ofer Shezaf’s article.