Use these textbooks to answer the questions:
Chapter 5 in Windows Forensic Analysis DVD Toolkit, 2nd Edition
Chapter 5 in Mastering Python Forensics.
Note: Use both textbooks above and collected reliable online resources for your answers (you may utilize the tools mentioned in the textbook or other alternative tools on the internet). All external resources must be listed as references at the end of this document.
1. Briefly describe what and how events are logged in the OS you are using.
2. How do you configure auditing policy? Is auditing policy important in forensics? Why?
1. Briefly describe what and how events are logged in the OS you are using.
Answer: Logs are records of events that happen in your computer, caused either by a person or by a running process. They help you track what happened and troubleshoot problems. The Windows event log contains logs from the operating system and applications such as SQL Server or Internet Information Services (IIS). The logs use a structured data format, making them easy to search and analyze. Some applications also write to log files in text format, for example, IIS Access Logs. Windows Event Viewer displays the Windows event logs. This application lets you view and navigate the logs, search and filter particular types of logs, export logs for analysis, etc.
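The structured format mentioned in the answer above can be searched programmatically once a log is exported as XML. The following Python sketch is an added example, not part of the original answer or either textbook: it parses exported Security events and counts failed logons (event ID 4625) per account. The `<Events>` wrapper is an assumed export shape, and the sample hosts, users, addresses and times are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Security-channel events inside an <Events> root
# (assumed export shape). All hosts, users, addresses and times are made up.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2024-01-10T08:15:02.000Z"/><Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2024-01-10T08:15:09.000Z"/><Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">192.0.2.10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-10T08:20:41.000Z"/><Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
  <EventData><Data Name="TargetUserName">bob</Data><Data Name="IpAddress">192.0.2.25</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Turn each <Event> into a flat dict: System fields plus named EventData."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "channel": system.findtext("e:Channel", namespaces=NS),
            "computer": system.findtext("e:Computer", namespaces=NS),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            if data.get("Name"):  # skip unnamed <Data> elements
                rec[data.get("Name")] = data.text
        records.append(rec)
    return records

def failed_logons_by_user(records):
    """Count event ID 4625 (failed logon) records per target account."""
    return Counter(r.get("TargetUserName") for r in records if r["event_id"] == 4625)

if __name__ == "__main__":
    print(failed_logons_by_user(parse_events(SAMPLE_XML)))
```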
2. How do you configure auditing policy? Is auditing policy important in forensics? Why?
Answer: Configuring auditing policy:
Auditing policy is important in forensics. A forensic audit is an examination and evaluation of a firm's or individual's financial records to derive evidence that can be used in a legal proceeding. A forensic audit may be conducted to prosecute a party for fraud, embezzlement, or another criminal behavior. A forensic audit/examination is designed to focus on reconstructing past financial transactions for a specific purpose, such as concerns of fraud, whereas an internal audit is typically focused more on compliance and/or the performance of the organization.