Comments on Windows Incident Response: Windows Event Logs

joseph (2014-10-22T22:35:10-05:00):

I wish Linux tools could be used on Windows servers also, like Munin for monitoring servers.

H. Carvey (2014-10-22T05:25:13-05:00):

Dan,

Thanks. I'm looking forward to seeing what other input you get from your tweet.

Anonymous,

"Is the 'eventmap.txt' file available somewhere..."

It's included in the additional materials for the book, as mentioned in the post. Just follow the link...

Anonymous (2014-10-22T05:20:36-05:00):

Hello,

Really interesting post. I'm currently working on a system for Windows log centralisation (and graphing, analysis, search...) based on several pieces of open source software.
What I actually miss is a way to translate event IDs into a human-readable format.
Is the 'eventmap.txt' file available somewhere, under a free license for reuse?

Thanks.

Anonymous (Dan) (2014-10-21T23:02:41-05:00):

Harlan,

This is a fantastic post that is right in line with what I was hoping to receive from the very short (and truly vague) question I put out on Twitter.

I appreciate you taking the time out to write it.

It's one thing to list a bunch of Event IDs and explain what they are. It is a completely different (and more valuable) thing to zone in on the forensic aspect of said events based on past experience. To identify and document what's worked for you in the past not only helps *me* as an investigator, but it helps anyone who is curious and willing to understand what they are seeing and potentially what they should be looking for in an investigation. Using the items you've described -- along with the countless other artifacts left on a given system -- one can better grasp what is ACTUALLY happening.

And you hit the nail on the head in the last paragraph -- it's not valuable to just "have a list" of event IDs. The information becomes valuable when you understand and correlate these items with other artifacts and events to more accurately complete the puzzle.

Again, thanks for the post.

-Dan