Searching with Event Viewer

Despite the default security audit settings, once auditing is enabled the event logs can rapidly fill. Most of this information will be the record of normal user behavior that is of no investigative interest at all. Learning to wade through event logs quickly and efficiently is a vital skill for any Windows network investigator. In this section we will share some tips on using the Filter and Find features of Event Viewer to perform similar searches.

The Filter feature allows you to remove a lot of the clutter from the event log display. Filtering does not modify the event log in any way, but it does change what parts of the log Event Viewer will show you. Filters can be set, reset, or changed any number of times without ...
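The same non-destructive filtering can be driven from PowerShell, which is useful when the Event Viewer dialog is slow on a large log or when you want the filter to be repeatable. The following is an added example, not code from the book: it assumes an elevated session on a host with Security auditing enabled, uses the well-known logon event IDs 4624 (success) and 4625 (failure), and treats `jdoe` as a placeholder account name. The XML query is the same form Event Viewer builds on the XML tab of its Filter Current Log dialog, so a query developed here can be pasted straight into the GUI.

```powershell
# Added example (not from the book): filter the Security log without modifying it,
# exactly as Event Viewer's "Filter Current Log" does, but from PowerShell.
# Assumes an elevated session on a host where Security auditing is enabled.

# 1. Hashtable filter: successful (4624) and failed (4625) logons from the last 24 hours.
$since  = (Get-Date).AddDays(-1)
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # "No events were found" is not an error for us

# 2. The same filter as the XML query Event Viewer shows on its XML tab.
#    timediff() is in milliseconds; 86400000 ms = 24 hours. Note the &lt; escape.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@
$logonsXml = Get-WinEvent -FilterXml ([xml]$xml) -ErrorAction SilentlyContinue

# 3. Narrow further, like the Find feature: keep only events naming a given account.
#    'jdoe' is a placeholder; replace with the account under investigation.
$hits = $logons | Where-Object { $_.Message -match 'Account Name:\s+jdoe' }

# 4. Summarise the reduced set: count per event ID, then the most recent few matches
#    with only the first line of the message (the event's short description).
$hits | Group-Object Id | Select-Object Name, Count
$hits | Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0].Trim() } }
```

Both forms read the log as it is on disk; nothing is changed, so the query can be rerun or tightened as the investigation narrows. The `-FilterHashtable` form is quicker to type, while the XML form is what you keep in case notes, since it documents precisely which records were examined and reproduces the view in Event Viewer on another analyst's machine.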
