What Event Logs? Part 1: Attacker Tricks to Remove Event Logs

Many analysts rely on Windows Event Logs to help gain context of attacker activity on a system, with log entries serving as the correlative glue between additional artifacts. But what happens when the attackers find ways to remove the logs, or worse, stop the logs from writing? We must find a way to adapt. In part 1 of this series, SANS instructor and incident responder Matt Bromiley focuses on techniques, old and new, that attackers are using to neutralize event logs as a recording mechanism. Ranging from clearing of logs to surgical, specific event removal, in this webcast we will discuss how the attackers are doing what they're doing, and the forensic techniques we can use to detect their methods. There has been a lot of discussions lately about attackers' ability to fool the system into not writing event logs - but are our attackers truly staying hidden when they do this? Let's find out! We will also discuss the best steps your organization can take to ensure that your logs are being preserved and available for when you need them. Watch Part 2 of the webcast series here: https://youtu.be/H8ybADELHzk Event logs, is just one of the subjects covered in FOR508: Advanced Digital Forensics, Incident Response, & Threat Hunting course. For more information about the course please visit: http://www.sans.org/FOR508 Speaker Bio Matt Bromiley Matt Bromiley, is a SANS Digital Forensics and Incident Response instructor and a GIAC Advisory Board member. He is also a senior managing consultant at a major incident response and forensic analysis company, bringing together experience in digital forensics, incident response/triage and log analytics. His skills include disk, database, memory and network forensics, as well as network security monitoring. Matt has worked with clients of all types and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.