Tag Archives: digital forensics

Process tracking with Event Log Explorer

When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -> Audit Policy -> Audit Process Tracking or use… Read More »

Tracking down who removed files

Let’s assume you have a shared folder on a server which is accessible by all employees in your company. The users commonly copy some documents into this folder to let the others to work with these shared documents. One day you discover that some files unexpectedly disappeared from the shared folder. Usually this means that someone deleted these files (consciously or unconsciously). Now we need to… Read More »

9 Vendors of Digital Forensics You May Have Missed. Part 2

In the previous post we talked about 010 Editor, Event Log Explorer, ElcomSoft and Oxygen forensic solutions. In this blog post, we continue the brief review of prominent forensic tools. Next on our list is Belkasoft. Belkasoft Evidence Center 2016 Belkasoft Evidence Center is an all-around forensic solution to pinpoint, extract and review digital evidence stored on desktop computers, laptops and mobile devices. The Belkasoft product… Read More »

Event Log Explorer Forensic Edition Preview

Several days ago, we published a preview of the new edition of Event Log Explorer software – Forensic Edition! Here I will show what benefits you can get from this edition. First, I should say that currently it is fully compatible with the standard edition of Event Log Explorer – it uses the same workspace, the same settings and currently the same registration key. By… Read More »

9 Vendors of Digital Forensics You May Have Missed. Part 1

Looking for a solid solution to unravel computer-stored evidence? Need a deeper insight into what’s happening on your PC or a suspect’s device, looking to restore or crack an essential password? Check out this brief review of unheralded yet powerful forensic tools. The most common definition of computer forensics is the procedure of detecting and analyzing evidence collected from digital media, i.e. hard drives, portable… Read More »

Forensics and Benford’s Law

As a producer of digital forensic software, we are regularly learning more about forensic methods and tasks. Recently I came across a curious article (and video) in Business Insider called “How forensic accountants use Benford’s Law to detect fraud” The video states that forensic guys can use Benford’s Law to analyze financial data and identify red flags. This sounds interesting because it is too easy to… Read More »

Logon type – what does it mean?

In my previous post, I explained how to display logon type for logon events in Security log and described meaning of some values. Here I will give you more information about logon types. The descriptions of some events (4624, 4625) in Security log commonly contain some information about “logon type”, but it is too brief: The logon type field indicates the kind of logon that occurred.… Read More »

Exploring who logged on the system

One of the most important tasks in the security event log analysis is to find out who or what logs your system on. Here I will explain how Event Log Explorer helps you to solve this task. First, you need to make sure that Windows security auditing is enabled for logon events. You can do this using Local Security Policy or Group Policy, depending on… Read More »