Windows Auditing Primer

1. What is Logging?

Logs are records of events that happen on your computer, such as when a user logs on, or when a program encounters an error. Users might find the details in event logs helpful when troubleshooting problems with Windows and other programs. They also help you track what happened.


2. What is Auditing?

Auditing is the examination, evaluation and verification of some type of record. After a cyberattack, in order to assess the significance of the attack, we must be able to pinpoint what the attacker changed, viewed or exfiltrated, and that is only possible if the relevant events were recorded in the first place. We will discuss the Windows Audit Policy in more detail in the next few sections.


3. What is Monitoring?

Cybersecurity monitoring is a threat detection strategy that uses automation to continuously collect and examine events from across your IT ecosystem, usually by forwarding them to a Security Information and Event Management (SIEM) system. A SIEM provides real-time correlation and analysis of the security events generated by operating systems, applications and network hardware, and raises alerts when something matches a detection rule. Threat monitoring is the process of detecting cyber threats and data breaches from that stream of events. It is a crucial part of cyber risk management, because it lets an organization detect an attack in its infancy and respond before it causes damage and disruption; logs that are only written to the local disk and never looked at give you auditing, not monitoring.


4. What is an Artifact?

Artifacts are objects or areas within a computer system that contain important information relevant to the activities performed on the system by the user.


6. Auditing Types

Some auditing is enabled on Windows machines by default (the exact defaults vary by edition and by whether the machine is a domain controller). There are nine top-level audit policy categories in Windows, and each category contains a set of subcategories (the Advanced Audit Policy Configuration). We will talk about these more in depth later during the lecture. Which level wins when both are defined is controlled by the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (registry value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). When that option is disabled, a value defined for a top-level category (in the computer's Local Security Policy or in an applicable GPO) overrides any configuration made at the subcategory level; subcategory policies take effect only when the related top-level category is left undefined in the Local Security Policy and in all applicable GPOs, and defining a category policy defines every subcategory under it. When the option is enabled, which is the effective default on current versions of Windows, the subcategory settings take precedence and the top-level category settings are ignored. In either case, check the effective subcategory settings (for example with auditpol) rather than the GPO you think applies, because that is what determines which events are actually written.


7. Describe the System’s Audit Policy

The Windows system audit policy is a configurable structure that determines what types of events you want to monitor and record in a Windows environment. It is one of the most powerful tools you can use to maintain the integrity of your system. Your audit policy settings should identify attacks, whether successful or not, that pose a threat to your network, as well as attacks against resources that you have determined to be valuable. The supported ways to view and change the policy are the Local Security Policy snap-in (secpol.msc), Group Policy and the auditpol.exe command-line tool. The policy itself is stored as a binary value in the HKLM\SECURITY hive, which Administrators cannot read by default; in order to access the audit policy in the registry you must have, or elevate to, the Local System account NT AUTHORITY\SYSTEM.

The Audit Policy configuration is stored in the following registry key:

  • HKLM\Security\Policy\PolAdtEv
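The following added example (written for this primer; it is not code from the original page) uses auditpol.exe, the supported interface to the policy stored under HKLM\Security\Policy\PolAdtEv, to answer the two questions raised in sections 6 and 7: which precedence rule (category versus subcategory) this machine uses, and which subcategories are effectively enabled. It assumes an elevated PowerShell session and that auditpol's /r output carries the column names "Subcategory" and "Inclusion Setting", which is what current Windows versions emit.

```powershell
#Requires -RunAsAdministrator
# Added example for the Windows Auditing Primer (not part of the original page).
# Inspect and change the effective audit policy with auditpol.exe.

# 1. Which precedence rule applies? SCENoApplyLegacyAuditPolicy = 1 means the
#    security option "Audit: Force audit policy subcategory settings ... to
#    override audit policy category settings" is enabled, so subcategory
#    (Advanced Audit Policy) settings win. Absent or 0 = legacy category behaviour.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Subcategory settings override category settings'
} else {
    'Legacy behaviour: a defined top-level category overrides its subcategories'
}

# 2. Dump the effective policy as CSV (/r) and parse it. The column names
#    ("Subcategory", "Inclusion Setting") are the ones auditpol emits.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv
$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 3. Flag subcategories that record nothing at all. These are the gaps an
#    incident responder discovers only after the fact.
$gaps = $policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object -ExpandProperty Subcategory
"Subcategories with no auditing: $($gaps.Count)"
$gaps

# 4. Save a baseline before changing anything (restore later with auditpol /restore).
auditpol /backup /file:"$env:TEMP\auditpol-baseline.csv" | Out-Null

# 5. Enable a high-value subcategory for both success and failure, then verify
#    that the effective setting changed.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Process Creation"
```

The raw PolAdtEv blob can be read directly by running a registry editor or PowerShell as SYSTEM (for example via Sysinternals PsExec with the -s switch), but its layout is undocumented, so auditpol remains the tool to trust for what the policy actually says.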


8. Describe the System’s Event Logs

Windows records events in event logs, and those logs are the primary artifacts an investigator works from. Early Windows editions, starting with Windows NT, came with three logs: the Application, System and Security logs. Modern versions of Windows ship with more than a hundred logs (Event Viewer lists the additional ones under Applications and Services Logs), and third-party applications can register and integrate their own logs into Windows logging. Each log is stored as a file with the .evtx extension, and Security event IDs are normally four digits (for example, 4624 for a successful logon and 4625 for a failed one).

Event logs are intended to be read and managed only through the interfaces the system provides. They are stored in a binary format, and the live log files are held open by the Windows Event Log service, so they cannot be edited with a text editor. Clearing a log requires the "Manage auditing and security log" user right (SeSecurityPrivilege), which Administrators hold by default; clearing the Security log writes event 1102 to the Security log, and clearing any other log writes event 104 to the System log, so a cleared log is itself an artifact worth looking for. Reading or exporting the Security log also requires that right or membership in the built-in Event Log Readers group; a standard user cannot read the Security log but has read-only access to the Application and System logs.
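As an added example (not code from the original primer), the script below checks who is allowed to read the Security log and then looks for the events that record a log being cleared. It assumes an elevated PowerShell session on Windows 10 or Server 2016 or later (Get-LocalGroupMember needs the LocalAccounts module that ships with those versions), and it uses the standard event IDs 1102 and 104 described above.

```powershell
# Added example for the Windows Auditing Primer (not part of the original page).
# Who may read the Security log, and has any log been cleared?

# 1. The channel's access-control list is the SDDL string in "channelAccess".
#    By default it grants Administrators (BA) read+clear and Event Log Readers
#    (S-1-5-32-573) read only; ordinary users get nothing.
wevtutil get-log Security | Select-String 'channelAccess'

# 2. Members of Event Log Readers can read Security without being Administrators,
#    so the group's membership is worth reviewing.
Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue

# 3. Can the current token read Security? A user without the right gets an
#    "unauthorized operation" error rather than an empty result.
try {
    $null = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
    'Current user can read the Security log'
} catch {
    "Current user cannot read the Security log: $($_.Exception.Message)"
}

# 4. Clearing a log is itself logged: 1102 in Security ("The audit log was
#    cleared") and 104 in System (provider Microsoft-Windows-Eventlog) for the
#    other logs. Returns nothing if no clearing has happened since the last clear.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -ErrorAction SilentlyContinue
)
$cleared | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LogName, Message | Format-Table -AutoSize -Wrap
```

Because an attacker who can clear the Security log can clear it again, the only 1102 you will ever see locally is the one from the most recent clearing; the durable copy of these events is the one forwarded to a collector or SIEM, which is why section 3 distinguishes monitoring from local logging.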


9. Application Log

Q: What type of information is logged in the Application Log?

A: It contains events logged by applications or programs; example - a file error.

  • Entries in this log are also classified as:

    • Error = there is a significant problem

    • Warning = a condition exists that may present a future problem

    • Information = only describes the action that created the log entry

The Application log is stored at:

  • %systemroot%\System32\WinEvt\Logs\Application.evtx


10. Security Log

Q: What type of information is logged in the Security Log?

A: It contains events related to resource use (creating, opening or deleting files and other objects), valid and invalid logon attempts, and other security-related events that are selected by the audit policy. Audit events are generated by the Local Security Authority Subsystem Service (LSASS) and written to the log by the Windows Event Log service. Administrators can use the Security log to detect and investigate both attempted and successful unauthorized activity, and to troubleshoot access problems.

  • Security auditing records events related to the system’s security structure. These events include:

    • User logons and logoffs

    • Creation and management of user accounts and groups

    • Modifications to system policies

    • Object Access

    • Cryptographic key file operations

    • Privilege use

The Security log is stored at:

  • %systemroot%\System32\WinEvt\Logs\Security.evtx


11. System Log

Q: What type of information is logged in the System Log?

A: It contains events logged by Windows system components; for example, a system component or driver that failed to load during startup, a service that changed state, or an unexpected shutdown. (File and object access belongs to the Security log, not the System log.)

  • The events that cause entries to be written to the system log are hard-coded into the OS and cannot be changed. All entries in this log are classified as one of the following types: Error, Warning, or Information.

    • Error: Indicates there is a significant problem

    • Warning: Indicates a condition exists that may present a future problem

    • Information: Only describes the action that created the log entry

The System log is stored at:

  • %systemroot%\System32\WinEvt\Logs\System.evtx


12. Use Tools to View the System’s Event Logs

Windows auditing relies on native tools, and the artifacts it generates can be analysed from the Windows Command Prompt, from PowerShell, or with the GUI-based Event Viewer.

*.evtx files can be accessed with:

  1. The Event Viewer application (eventvwr.msc)

  2. Get-WinEvent in PowerShell (the older Get-EventLog exists only in Windows PowerShell 5.1 and reads only the classic Application, System and Security logs)

  3. wevtutil in the Command Prompt

  4. psloglist from the Sysinternals Suite
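The added example below (not code from the original page) asks the same question of each native tool: which accounts failed to log on in the last 24 hours (Security event 4625, with 4624 for successes). It assumes an elevated PowerShell session so the Security log is readable, that psloglist is on the PATH (the -s and -i switches are from the Sysinternals documentation), and it extracts fields from the event XML by name rather than by position so it does not depend on the exact EventData layout.

```powershell
# Added example for the Windows Auditing Primer (not part of the original page).
# Failed logons in the last 24 hours, from each native tool.
$since = (Get-Date).AddHours(-24)

# Helper: pull a named EventData field out of an event's XML. Name-based access
# is safer than Properties[n] indexes, which differ between event IDs.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Get-WinEvent with a filter hashtable. The filter is evaluated by the Event
#    Log service, so this is far faster than piping every event to Where-Object.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failed | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = Get-EventDataField $_ 'TargetUserName'
        LogonType = Get-EventDataField $_ 'LogonType'   # 3 = network, 10 = RDP
        Source    = Get-EventDataField $_ 'IpAddress'
    }
} | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. The same events with wevtutil: XPath filter, newest first (/rd:true),
#    five events, rendered as text.
wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:5 /rd:true /f:text

# 3. psloglist (Sysinternals): -s prints one record per line, -i filters by ID.
psloglist -s -i 4625 Security

# 4. A saved .evtx (exported with wevtutil epl, or copied from another host) is
#    queried the same way with -Path instead of -LogName, so the same analysis
#    runs on an image of a compromised machine.
wevtutil epl Security "$env:TEMP\Security-copy.evtx"
Get-WinEvent -Path "$env:TEMP\Security-copy.evtx" `
             -FilterXPath "*[System[EventID=4624 or EventID=4625]]" -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { Get-EventDataField $_ 'TargetUserName' } }
```

Note that 4625 is only written if the "Logon" subcategory is auditing failures; if step 1 returns nothing on a machine you know has had failed logons, check the audit policy before concluding that nothing happened.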