Examining System Log Entries

While much of the log analysis relevant to network investigation takes place in the Security log, the System log also contains many items of evidentiary interest. The System log records events relating to many facets of system behavior. Items such as changes to the operating system, hardware configuration, device driver installation, the starting and stopping of services, and a host of other items of potential investigative interest can be found in the System log.

Perhaps messages associated with the starting and stopping of services by the Service Control Manager rank among the more significant events found in this log. Whenever a service is stopped, the Service Control Manager sends a stop signal to the service ...
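The Service Control Manager events discussed above can be pulled out of the System log in bulk for a timeline. The script below is an added example, not code from the book; it assumes Event ID 7036 (service entered the running or stopped state) and 7045 (new service installed) as documented by Microsoft, and the field names param1/param2 and ServiceName/ImagePath/AccountName that those events carry in their EventData.

```powershell
# Added example (not from the book): list Service Control Manager service
# start/stop and service-installation events from the System log.
# Assumed event IDs: 7036 = service entered running/stopped state,
# 7045 = a new service was installed. For an exported log, replace
# LogName with Path = 'C:\evidence\System.evtx' (placeholder path).
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7045
    StartTime    = $Start
    EndTime      = $End
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Service   = if ($_.Id -eq 7036) { $data['param1'] } else { $data['ServiceName'] }
            State     = if ($_.Id -eq 7036) { $data['param2'] } else { 'installed' }
            ImagePath = $data['ImagePath']      # populated for 7045 only
            Account   = $data['AccountName']    # populated for 7045 only
            RecordId  = $_.RecordId             # for citing the entry in a report
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Sorting by TimeCreated and keeping RecordId lets each stop, start or install be cited back to its exact log entry when the timeline is written up.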
