Events Forensic Tools for Microsoft Windows

Professional forensic tools

Events Forensic Tools for Windows

Easy Event Log Management

Events Forensic Tools (EFT) is a fast, easy-to-use and very effective solution for analyzing, viewing and monitoring the Security, System, Application and other Microsoft Windows event logs. Unlike the limited Windows Event Viewer, EFT extends the standard functionality and adds monitoring and many new features.

Any system administrator, forensic examiner or security specialist knows the problem of Windows event logs and how acute this problem is.

Continuously tracing and monitoring valid and invalid logon attempts, and events related to resource usage such as opening, creating and deleting files, is a critical task for making sure the network is safe and clean. This process always devours a lot of time when done with the MS Windows Event Viewer.

EFT is designed to let you quickly browse, search, find and report problems and security warnings, in addition to all other events generated within Windows, such as the Security, System, Application, Directory Service, DNS and other logs of the operating system.

EFT is equipped with an event search and filtering engine that sorts the events in the list by any criteria. Users can create many filters and save them, which saves time when you want to re-apply a filter in the future.

Unlike the standard Windows Event Viewer with its limitations, EFT can print event logs or individual events and export them to other formats (currently HTML, MS Excel and tab-separated files). Additionally, the software comes with Analytical Reports tools that help system administrators build summary tables and summary diagrams using advanced reporting tools.

EFT is a professional software utility, but it is not dedicated to professional use only: home users will find it just as helpful for monitoring the System log and Security log on a home PC.

Events Forensic Tools features and benefits

EFT is customer-driven software. Most of the advanced features were requested by our users, and this turned it from ordinary event data viewing into real event analysis.

• Accessing MS Windows event logs (and log files) on local and remote servers and workstations

Like the standard MS Windows Event Viewer, EFT can access MS Windows event logs and event log files on both local and remote servers and workstations. Unlike Event Viewer, however, you can view several event logs (and log files) at once, in separate windows or as tabs in one consolidated window (merged event log view).

• Support for both the classic Windows NT event log format (EVT files) and the new (Crimson) event log format (EVTX files)

You can choose between the legacy Windows NT API and the modern Windows Event Log API, when possible, to access MS Windows event logs (and log files). The legacy NT API works faster, but the modern API provides more detailed information.

• High performance: all events are loaded either into memory or into an optimized internal local database

EFT reads events into its own temporary storage to guarantee smooth event analysis. The user can choose memory or disk storage depending on the event log size.

• Active monitoring and alerting: be informed about problems in real time

EFT can be set up to monitor events generated by the systems and notify you when a specified event has fired.
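
One way to build the same kind of monitor on the Windows Event Log API, as an added example that is not EFT's code: it watches one event ID and writes an alert when the event fires repeatedly inside a short window. It assumes administrative rights and PowerShell 5 or later; the watched ID, threshold, window and alert file path are placeholders to adjust.

```powershell
# Added example, not EFT's own code: real-time monitoring of one specified event via
# the Windows Event Log API's EventLogWatcher, alerting when it fires too often.
# Assumes administrative rights and PowerShell 5+; the event ID (4625 is Windows' own
# failed-logon event), threshold, window and alert file path are placeholders.
using namespace System.Diagnostics.Eventing.Reader

$cfg = [hashtable]::Synchronized(@{
    WatchedId = 4625
    Threshold = 5                                 # hits inside the window that alert
    Window    = [timespan]::FromMinutes(2)
    AlertFile = 'C:\EventLogArchive\alerts.log'   # placeholder
    Hits      = New-Object System.Collections.ArrayList
})

# Subscribe only to the wanted records; the XPath filter runs inside the service.
$query   = [EventLogQuery]::new('Security', [PathType]::LogName,
                                "*[System[EventID=$($cfg.WatchedId)]]")
$watcher = [EventLogWatcher]::new($query)

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier 'EftStyleWatch' -MessageData $cfg -Action {
    $c   = $Event.MessageData
    $rec = $EventArgs.EventRecord
    if ($null -eq $rec) { return }                # delivery error, nothing to read
    $now = $rec.TimeCreated
    [void]$c.Hits.Add($now)
    # Sliding window: forget hits older than Window, then compare with Threshold.
    while ($c.Hits.Count -gt 0 -and ($now - $c.Hits[0]) -gt $c.Window) {
        $c.Hits.RemoveAt(0)
    }
    if ($c.Hits.Count -ge $c.Threshold) {
        $user = ([xml]$rec.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'TargetUserName' | Select-Object -ExpandProperty '#text'
        $line = '{0:u} ALERT: {1} x event {2} within {3} min (last target: {4})' -f `
                $now, $c.Hits.Count, $c.WatchedId, $c.Window.TotalMinutes, $user
        Add-Content -Path $c.AlertFile -Value $line
        Write-Host $line -ForegroundColor Red
        $c.Hits.Clear()                           # one alert per burst
    }
} | Out-Null
$watcher.Enabled = $true
Write-Host "Watching the Security log for event $($cfg.WatchedId); Ctrl+C stops."
# Wait-Event pumps the engine's event queue so the action above gets to run.
try     { while ($true) { Wait-Event -Timeout 1 | Out-Null } }
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'EftStyleWatch'
    $watcher.Dispose()
}
```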

• Event log consolidation: consolidating different events in one place

EFT allows events from different sources to be consolidated in one event view and reviewed as a single log. The consolidated event log can be saved as an EVT file.

• Tabbed-document and multiple-document user interface

EFT has two different user interface types.

o Multiple-document interface (MDI), which allows an unlimited number of event logs to be opened and placed in the main window of EFT.

o Tabbed-document interface (TDI), which allows an unlimited number of event logs to be opened and provides the best way of navigating between logs.

• Pre-filtering Windows event logs (log loading options)

With EFT you may load events from dozens of Windows servers and workstations simultaneously. Normally you don't need to load all events from all logs, and the log loading options let you pre-filter events at the loading stage (e.g. to exclude information events or to load only recent events).

• Advanced filtering

Events can be filtered by any criteria, including the event description text. Filters can be saved as files and reused to filter other event logs. You can use regular expressions (regexps) to filter by event description text. EFT lets you link events by event ID and description parameters and filter out all other events. The linked event filtering feature helps when analyzing the Security log.
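
The loading-stage pre-filter and the advanced filtering described above, as an added PowerShell example that is not EFT's code: it uses the built-in Get-WinEvent cmdlet, assumes administrative rights on the local Security log, and relies on Windows' own logon event IDs (4624, 4625, 4634), which the brochure itself does not mention.

```powershell
# Added example, not EFT's own code: pre-filter the Security log at load time, narrow
# it with a regular expression on the description text, then link logon and logoff
# events through a description parameter, as the two features above describe.
# Assumes the local Security log read with administrative rights. The event IDs are
# Windows' own: 4624 (successful logon), 4625 (failed logon), 4634 (logoff).

# Pull one named field (e.g. TargetLogonId) out of an event's EventData XML.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Pre-filter at the loading stage: the Event Log service applies the hashtable
#    before returning records, so only recent records with these IDs are loaded.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue            # an empty result is not an error here

# 2. Advanced filter with a regexp on the description text: keep network (type 3)
#    and RDP (type 10) logons, plus every failed logon and logoff.
$interesting = $events | Where-Object {
    $_.Id -ne 4624 -or $_.Message -match 'Logon Type:\s+(3|10)\b'
}

# 3. Linked event filtering: a logon (4624) and its logoff (4634) share a Logon ID,
#    so grouping on that parameter reconstructs sessions and drops everything else.
$sessions = $interesting | Where-Object { $_.Id -in 4624, 4634 } |
    Group-Object { Get-EventDataField $_ 'TargetLogonId' } |
    ForEach-Object {
        $logon  = $_.Group | Where-Object Id -eq 4624 | Select-Object -First 1
        $logoff = $_.Group | Where-Object Id -eq 4634 | Select-Object -First 1
        [pscustomobject]@{
            LogonId = $_.Name
            User    = if ($logon) { Get-EventDataField $logon 'TargetUserName' }
            Start   = if ($logon) { $logon.TimeCreated }
            End     = if ($logoff) { $logoff.TimeCreated }  # empty: still logged on
        }
    }

# Failed logons counted per source address: the invalid attempts worth reviewing.
$failures = $interesting | Where-Object Id -eq 4625 |
    Group-Object { Get-EventDataField $_ 'IpAddress' } | Sort-Object Count -Descending

$sessions | Sort-Object Start | Format-Table -AutoSize
$failures | Select-Object Name, Count | Format-Table -AutoSize
```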

• Grouping favorite computers and their logs into a tree

• Backup of Windows event logs

Backing up event logs is an important task. Large event logs may affect system performance, but system administrators cannot simply rotate them to cut down their size, because then they would no longer be able to analyze past events. The appropriate solution is to limit the size of the MS Windows event logs and back them up on a regular basis.

EFT allows you to save event logs as event log files manually or automatically by scheduling a backup time.
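
The limit-and-back-up routine this section recommends, as an added PowerShell example (not EFT's own code) built on wevtutil and the Task Scheduler cmdlets that ship with Windows. It assumes administrative rights; the archive path, script path and size cap are placeholders.

```powershell
# Added example, not EFT's own code: the backup strategy described above, done with
# the Windows tools themselves: cap each live log, export it to a dated EVTX file,
# and optionally register a daily scheduled task that repeats the export. Assumes
# administrative rights; the paths and size cap are placeholders to adjust.
param([switch]$Register)         # -Register installs the daily task, then exports

$ArchiveRoot = 'C:\EventLogArchive'               # placeholder destination
$ScriptPath  = 'C:\Scripts\Backup-EventLogs.ps1'  # placeholder: where this file lives
$Logs        = 'Security', 'System', 'Application'
$MaxBytes    = 256MB                              # placeholder cap for each live log

# 1. Limit the size of each live log so it cannot grow and hurt performance.
#    "wevtutil sl" (set-log) edits the log configuration; /ms is the maximum size.
foreach ($log in $Logs) { wevtutil sl $log /ms:$MaxBytes }

# 2. Export each log to a dated EVTX file before the cap makes Windows overwrite
#    its oldest records. "wevtutil epl" (export-log) writes a real EVTX file that
#    Event Viewer, Get-WinEvent -Path or EFT can open later.
function Backup-EventLogs {
    param([string[]]$LogNames, [string]$Destination)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $Destination $env:COMPUTERNAME
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($log in $LogNames) {
        $file = Join-Path $dir "$log-$stamp.evtx"
        wevtutil epl $log $file
        if ($LASTEXITCODE -ne 0) { Write-Warning "export of $log failed" }
    }
    # Hash what was written, so later tampering with the archive can be detected.
    Get-ChildItem $dir -Filter "*-$stamp.evtx" | Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $dir "manifest-$stamp.csv") -NoTypeInformation
}

# 3. Schedule the export daily at 01:00 under SYSTEM: the "scheduling backup time"
#    the feature describes, with the Task Scheduler doing the timing.
if ($Register) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 1am
    $who     = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount `
                   -RunLevel Highest
    Register-ScheduledTask -TaskName 'EventLogBackup' -Action $action `
        -Trigger $trigger -Principal $who -Force | Out-Null
}

Backup-EventLogs -LogNames $Logs -Destination $ArchiveRoot
```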

• Fast bookmark navigation

Modern Internet browsers allow you to save favorite URLs as bookmarks that can be easily restored. Similarly, Events Forensic Tools allows you to bookmark events and easily return to them at any time.

• Compatibility with popular event knowledge bases

Sometimes a user can get more information about an event from the public event knowledge bases. EFT supports EventID.net and the Microsoft knowledge base.

• Color coding by Event ID

Color coding makes it easy to distinguish between different events. The user can change the text color, font style and background color for specific events.

• Printing and exporting in different formats

With EFT you can print MS Windows event logs and export them to other formats. The printing options let you select one of several printing styles. EFT currently supports export to HTML, tab-separated files and MS Excel documents.

• Analytical reports: summary tables and pivot charts

• Reading damaged EVT files and generating EVT files from selected events

EFT can access EVT files directly (without the MS Windows Event Log API). This allows damaged event logs to be read, and event logs to be read when the MS Windows Event Log service is not available (e.g. in BartPE or another preinstalled environment). You can also generate your own EVT files.

• Reading new EVTX files on old MS Windows versions

EFT can access EVTX files directly (without the new MS Windows Event Log API). This allows you to open new event log files (EVTX) on any computer; i.e. with EFT you can read EVTX files on Windows XP machines.

• Scheduling event log tasks

EFT can automate some tasks using the built-in scheduler, for example to schedule event log export or print tasks.

• Credential manager

When opening an event log from a remote server or workstation, EFT uses your current credentials, but sometimes you may need alternative credentials to access remote event logs. The credential manager stores different credentials for each machine and uses them when you open a remote MS Windows event log.

• Sorting the event list by any column and in any direction

Similar to the MS Windows Event Viewer, EFT lets you sort the event list by any column: just click on the column header and the event list is re-sorted immediately. If you double-click it, the event list is re-sorted in the opposite direction. In the EFT preferences you can set the default sorting, which is applied when you open a log.

• Time correction

As standard, event time is stored as UTC. When you open a log generated on a remote server located in a different time zone, you may want to move virtually to that time zone and view the events from there. Time correction lets you view events from any time zone.
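
Reading an exported EVTX file offline (the direct file access described under "Reading new EVTX files" above) and applying a time correction to it, as an added PowerShell example that is not EFT's code. The file path, the Windows time-zone ID and the date window are placeholders; the example assumes the file was exported from a server in that zone.

```powershell
# Added example, not EFT's own code: open an exported EVTX file directly, as the
# "Reading new EVTX files" feature describes, and apply a time correction so each
# event is shown in the zone of the server that wrote the log rather than in this
# machine's zone. The file path, time-zone ID and date window are placeholders.
$Path   = 'C:\EventLogArchive\SRV01\Security-20210101-010000.evtx'   # placeholder
$ZoneId = 'W. Europe Standard Time'   # Windows ID of the remote server's zone
$zone   = [System.TimeZoneInfo]::FindSystemTimeZoneById($ZoneId)

# Records store UTC; Get-WinEvent renders TimeCreated in *this* host's local zone,
# so we go back to UTC first and then into the target zone (DST-aware per event).
function Convert-EventTime {
    param([datetime]$TimeCreated, [System.TimeZoneInfo]$Target)
    [System.TimeZoneInfo]::ConvertTimeFromUtc($TimeCreated.ToUniversalTime(), $Target)
}

# The log is read from the file, so neither the Event Log service nor the original
# machine is needed; Message is empty when this host lacks the provider's DLLs.
$events = Get-WinEvent -Path $Path -ErrorAction Stop

$corrected = $events | Select-Object Id, ProviderName,
    @{ n = 'UTC';         e = { $_.TimeCreated.ToUniversalTime().ToString('u') } },
    @{ n = 'ServerLocal'; e = { (Convert-EventTime $_.TimeCreated $zone).ToString('yyyy-MM-dd HH:mm:ss') } },
    @{ n = 'Offset';      e = { $zone.GetUtcOffset($_.TimeCreated.ToUniversalTime()) } },
    @{ n = 'Summary';     e = { if ($_.Message) { ($_.Message -split "`r?`n")[0] }
                                else { '(no message DLL on this host)' } } }

# A time window written in the server's zone must be converted to UTC before it is
# compared with the records; comparing against this host's local time is off by the
# difference between the two zones.
$winStart = [System.TimeZoneInfo]::ConvertTimeToUtc([datetime]'2021-01-01 08:00', $zone)
$winEnd   = [System.TimeZoneInfo]::ConvertTimeToUtc([datetime]'2021-01-01 09:00', $zone)
$inWindow = @($events | Where-Object {
    $t = $_.TimeCreated.ToUniversalTime()
    $t -ge $winStart -and $t -lt $winEnd
})

$corrected | Sort-Object UTC | Format-Table -AutoSize
'{0} of {1} events fall in 08:00-09:00 {2}' -f $inWindow.Count, @($events).Count, $zone.Id
```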

• Servers import

Importing a large network from one software solution to another is a complicated job. To import a network of any size into EFT, you can create a list of your servers and workstations and EFT will do the rest by importing them all or simply
