Scribd Logo
Upload

Welcome to Scribd!

  • 26 views

    Lab 6 Windows Forensics

    Uploaded by

    Humera Gull
    This document provides instructions for two Windows forensics tasks: 1. Use the Windows Event Viewer to audit failed login attempts and cleared logs. Specific event log IDs are provided to filter for failed login and cleared log events. 2. Restore a volume shadow copy on a Windows VM to recover previously deleted files. Steps include enabling system protection, deleting a test file, creating a restore point, using vssadmin and mklink commands to mount and access the shadow copy folder containing the deleted file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Lab 6 Windows Forensics

    Uploaded by

    Humera Gull
    26 views7 pages
    This document provides instructions for two Windows forensics tasks: 1. Use the Windows Event Viewer to audit failed login attempts and cleared logs. Specific event log IDs are provided to filter for failed login and cleared log events. 2. Restore a volume shadow copy on a Windows VM to recover previously deleted files. Steps include enabling system protection, deleting a test file, creating a restore point, using vssadmin and mklink commands to mount and access the shadow copy folder containing the deleted file.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for two Windows forensics tasks: 1. Use the Windows Event Viewer to audit failed login attempts and cleared logs. Specific event log IDs are provided to filter for failed login and cleared log events. 2. Restore a volume shadow copy on a Windows VM to recover previously deleted files. Steps include enabling system protection, deleting a test file, creating a restore point, using vssadmin and mklink commands to mount and access the shadow copy folder containing the deleted file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    26 views7 pages

    Lab 6 Windows Forensics

    Uploaded by

    Humera Gull
    This document provides instructions for two Windows forensics tasks: 1. Use the Windows Event Viewer to audit failed login attempts and cleared logs. Specific event log IDs are provided to filter for failed login and cleared log events. 2. Restore a volume shadow copy on a Windows VM to recover previously deleted files. Steps include enabling system protection, deleting a test file, creating a restore point, using vssadmin and mklink commands to mount and access the shadow copy folder containing the deleted file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 7

    Lab 5 Windows Forensics

    Task 1: Use Windows Event Viewer to audit failed Login + cleared logs:
    1- First try to type the wrong password in Login, then try again with
    correct credentials.
    2- Open Event Viewer app.

    3- Browse to Windows Logs, then choose Security.


    4- Then press on “Filter Current Log” on the right-hand side.

    Dr. Sarah Abu Ghazalah


    5- Here, we need to audit failed login, we can use ID for failure login
    as 4625.

    Show me which status displayed to you??


    Here is a list of codes for the status:

    Dr. Sarah Abu Ghazalah


    - Audit Clear Log attempt:
    Activity: clear the log and then show me the auditing in Event viewer
    that shows such an action. I clear log ID can be found in:
    https://learn.microsoft.com/en-us/windows-server/identity/ad-
    ds/plan/appendix-l--events-to-monitor

    Task 2: Restore Volume shadow Copy

    Volume Shadow Copy Service or VSS is a technology included in Microsoft Windows that allows
    taking manual or automatic backup copies or snapshots of computer files or volumes, even when
    they are in use.

    1- We need to enable (system restore )on Windows VM. In the search bar type system
    Protection.

    Dr. Sarah Abu Ghazalah


    2- Click on Create a restore point.
    3- Click on C drive and Click on Configure.

    4- Choose Turn on system protection>>move the cursor in Max Usage to specify the volume
    size>>Apply>> Ok

    Dr. Sarah Abu Ghazalah


    5- Delete any folder you have on Desktop, and then deletes it from Recycle bin.
    6- Go to System Protection screen again, click on Create, type “test” then wait till it is done.

    Dr. Sarah Abu Ghazalah


    7- Open Command Prompt (Run as Administrator) and type the following command:
    vssadmin list Shadows /for=C:

    8- You will find that the shadow is created.


    9- Type the following command to mount the shadow in your VM machine:
    mklink /d C:\Users\IEUser\Downloads\shadow-copy2
    \\?\GLOBALROOT\DEvice\HarddiskVolumeShadowCopy1\

    10- Go to Downloads folder, and open the shadow folder:

    Dr. Sarah Abu Ghazalah


    11- you will find all the files in the C drive, including the folder you deleted in Desktop.

    Dr. Sarah Abu Ghazalah

    You might also like