Lab 6 Windows Forensics

This document provides instructions for two Windows forensics tasks: 1. Use the Windows Event Viewer to audit failed login attempts and cleared logs. Specific event log IDs are provided to filter for failed login and cleared log events. 2. Restore a volume shadow copy on a Windows VM to recover previously deleted files. Steps include enabling system protection, deleting a test file, creating a restore point, using vssadmin and mklink commands to mount and access the shadow copy folder containing the deleted file.

Uploaded by

Humera Gull

Lab 5 Windows Forensics

Task 1: Use Windows Event Viewer to audit failed Login + cleared logs:
1- First, try to log in with a wrong password, then try again with the
correct credentials.
2- Open Event Viewer app.

3- Browse to Windows Logs, then choose Security.


4- Then click “Filter Current Log” in the Actions pane on the right-hand side.

Dr. Sarah Abu Ghazalah


5- Here we need to audit failed logins, so filter on event ID 4625 (an account
failed to log on).

Show me which status code is displayed for your failed logon attempt.


Here is a list of codes for the status:

- Audit clear-log attempt:
Activity: clear the log, then show me the event in Event Viewer that records
that action. The clear-log event ID can be found in:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
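Both parts of this task can also be done from PowerShell, which is useful once you want to check more than one machine. The script below is an added example written for this edit, not part of the lab handout: it pulls 4625 (failed logon) and 1102 (audit log cleared) events from the Security log with Get-WinEvent and decodes the 4625 status fields using the codes Microsoft documents for that event. The 24-hour window and the subset of codes in the lookup table are choices made here; run it in an elevated PowerShell session on the VM.

```powershell
# Added example, not part of the lab handout. Event IDs 4625 and 1102 and the
# status codes below are from Microsoft's Security auditing reference.

# Sub-status / status codes that 4625 reports, with their documented meaning.
# Keys are lowercase because that is how the event XML renders them.
$FailureCodes = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000193' = 'Account expired'
    '0xc000015b' = 'Logon type not granted on this machine'
    '0xc000006d' = 'Bad user name or authentication information'
}

function Get-EventDataValue {
    # Read one named field from the event's EventData XML. This is more robust
    # than indexing $Event.Properties by position.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-FailedLogons {
    # Same filter as the lab's "Filter Current Log" dialog with ID 4625,
    # restricted to the last $Hours hours (assumed window, adjust as needed).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $status = (Get-EventDataValue -Event $_ -Name 'Status').ToLower()
        $sub    = (Get-EventDataValue -Event $_ -Name 'SubStatus').ToLower()
        # SubStatus carries the specific reason; fall back to Status when it is 0x0.
        $code = if ($sub -ne '0x0') { $sub } else { $status }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = Get-EventDataValue -Event $_ -Name 'TargetUserName'
            LogonType   = Get-EventDataValue -Event $_ -Name 'LogonType'
            Workstation = Get-EventDataValue -Event $_ -Name 'WorkstationName'
            SourceIP    = Get-EventDataValue -Event $_ -Name 'IpAddress'
            Status      = $status
            SubStatus   = $sub
            Reason      = if ($FailureCodes.ContainsKey($code)) { $FailureCodes[$code] } else { "Unlisted ($code)" }
        }
    }
}

function Get-LogClearedEvents {
    # 1102 is written as the Security log is cleared and names the account that
    # cleared it, so it is the record to look for in the clear-log activity.
    # Its fields sit under UserData/LogFileCleared rather than EventData.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $xml.Event.UserData.LogFileCleared.SubjectUserName
            Domain  = $xml.Event.UserData.LogFileCleared.SubjectDomainName
        }
    }
}

Get-FailedLogons      | Format-Table -AutoSize
Get-LogClearedEvents  | Format-Table -AutoSize
```

The Reason column is what the lab asks you to report: a wrong password for an existing account and an attempt against a non-existent account both produce 4625, and only the sub-status tells them apart. Note that Get-WinEvent returns nothing, rather than an error, when no matching events exist in the window.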

Task 2: Restore Volume shadow Copy

Volume Shadow Copy Service (VSS) is a technology included in Microsoft Windows that allows
taking manual or automatic backup copies or snapshots of files or volumes, even while
they are in use.

1- We need to enable System Restore on the Windows VM. In the search bar, type “System
Protection”.

2- Click on Create a restore point.
3- Select the C: drive and click Configure.

4- Choose Turn on system protection >> move the Max Usage slider to specify how much disk
space is reserved for restore points >> Apply >> OK

5- Delete any folder you have on the Desktop, and then delete it from the Recycle Bin as well.
6- Go to the System Protection screen again, click Create, type “test”, then wait until it is done.

7- Open Command Prompt (Run as Administrator) and type the following command:
vssadmin list Shadows /for=C:

8- You will find that the shadow copy has been created; note its Shadow Copy Volume path.


9- Type the following command to mount the shadow copy in your VM (the trailing backslash
on the device path is required):
mklink /d C:\Users\IEUser\Downloads\shadow-copy2 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

10- Go to the Downloads folder and open the shadow folder:

11- You will find all the files of the C drive, including the folder you deleted from the Desktop.
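The manual steps above can be scripted, which makes the recovery repeatable and lets you verify the recovered file with a hash. The script below is an added example written for this edit, not part of the lab handout. It uses the Win32_ShadowCopy CIM class instead of the System Protection dialog to take the snapshot, and reads the same DeviceObject path that vssadmin prints, then links it with mklink exactly as in step 9. The test file name, the link location, and the assumption that your profile lives on C: are choices made here. One caveat the example makes explicit: a shadow copy only contains what was on the volume when it was taken, so the script takes the snapshot before deleting the test file. Run it in an elevated PowerShell session on the VM.

```powershell
# Added example, not part of the lab handout. Requires an elevated session and
# System Protection enabled on C: (steps 1-4 of the lab).

$TestFile  = Join-Path $env:USERPROFILE 'Desktop\vss-test.txt'   # constructed test file
$MountPath = Join-Path $env:USERPROFILE 'Downloads\shadow-copy'   # link location, as in the lab

function New-TestFile {
    Set-Content -Path $TestFile -Value "created $(Get-Date -Format o)"
    (Get-FileHash $TestFile).Hash
}

function New-VolumeShadow {
    # Equivalent of clicking Create in System Protection: a persistent,
    # client-accessible snapshot of C:\ . Returns the shadow ID ({GUID}).
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
           -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($r.ReturnValue)" }
    $r.ShadowID
}

function Get-ShadowDevice {
    # Same information as 'vssadmin list shadows /for=C:'. DeviceObject is the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path the lab links to.
    param([string]$ShadowId)
    (Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $ShadowId).DeviceObject
}

function Mount-Shadow {
    # mklink is a cmd.exe builtin; the trailing backslash on the device path is required.
    param([string]$DeviceObject)
    if (Test-Path $MountPath) { cmd /c rmdir "$MountPath" | Out-Null }
    cmd /c mklink /d "$MountPath" "$DeviceObject\" | Out-Null
    $MountPath
}

function Restore-FromShadow {
    # Copy a file out of the read-only snapshot back to its original location
    # and return its hash so it can be compared with the original.
    param([string]$RelativePath)
    $src = Join-Path $MountPath $RelativePath
    $dst = Join-Path 'C:\' $RelativePath
    Copy-Item -Path $src -Destination $dst -Force
    (Get-FileHash $dst).Hash
}

# Demo run
$originalHash = New-TestFile
$id  = New-VolumeShadow                       # snapshot taken while the file still exists
$dev = Get-ShadowDevice -ShadowId $id
Write-Host "Snapshot device: $dev"

Remove-Item $TestFile -Force                  # simulate the deletion (bypasses the Recycle Bin)
Mount-Shadow -DeviceObject $dev | Out-Null

$rel = $TestFile.Substring(3)                 # strip 'C:\' (assumes the profile is on C:)
Write-Host "Present in snapshot: $(Test-Path (Join-Path $MountPath $rel))"
$restoredHash = Restore-FromShadow -RelativePath $rel
Write-Host "Hash matches original: $($restoredHash -eq $originalHash)"

# Cleanup: rmdir removes only the link, not the snapshot; then drop the test shadow copy
cmd /c rmdir "$MountPath" | Out-Null
Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $id | Remove-CimInstance
```

Comparing the hash of the restored file with the hash taken before deletion is the check to keep from this example: it shows the snapshot preserved the file byte for byte, which matters when a recovered file is evidence rather than just a convenience.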
