Forensic Triage and Event Logs

Question 1

Steps of strategy for Forensic Triage

Answer 1

1. Grab a forensic triage
2. Start a full image
3. Analyze the triage while the full image is being collected.

Question 2

Good things to grab quickly

Answer 2

Recently Accessed
Directories recently opened
Executables recently executed

Question 2

LNK Files

Answer 2

Recently Accessed in the recents directory.
i.e. Desktop Shortcuts

Question 3

Jump Lists

Answer 3

Recently Accessed + what application.
Right click on a Word Doc.

Question 3

Shell Bags

Answer 3

Recently Opened Directories
Specific information about each particular folder.

Question 4

Prefetch

Answer 4

Recently Executed
\Windows\Prefetch

Question 5

How to collect triage items?

Answer 5

Custom content image with FTK Imager
Images using KAPE

Question 6

Event Logs Characteristics

Answer 6

Type - Kind of log
Provider - What generated this?
Event ID - What happened?

Question 7

Interesting log types

Answer 7

Security logs - Logon, logoff, program execution, security group membership.
Application Logs - Made by app developers
System logs - General info about the system.

Question 8

What command to export logs?

Answer 8

wevtutil epl on evtx files