• Home

  • Documents

  • Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events
20
Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Tags:

Embed Size (px)

Citation preview

Page 1: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Mastering Windows Network Forensics and Investigation

Chapter 13: Logon and Account Logon Events

Page 2: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Chapter Topics:

• Logon vs. Account Logon Events

• Authentication in a Domain Environment

• Logging within a Domain Environment

Page 3: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Logon vs. Account Logon

• Logon Events– Event ID 5xx (Windows XP)– Event ID 46xx (Windows Vista +)– Log Access to a resource

• Account Logon Event– Event ID 6xx (Windows XP)– Event ID 47xx (Windows Vista +)– Log Authentication of credentials

Page 4: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Windows XP Logon Events

• 528 – Local logon

• 540 – Network Logon

• 538 – Logoff

• 529 – Failed Logon

Page 5: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Windows Vista +Logon Events

• 4624 – Local logon

• 4624 – Network Logon

• 4634 – Logoff

• 4625 – Failed Logon

Page 6: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Logon Events (WinXP)

Page 7: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Logon Events (WinXP)

Page 8: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Logon Events (Win Vista +)

Page 9: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Logon Events(Win Vista +)

Page 10: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Authentication

• Domain accounts are authenticated by DCs

• Local Accounts authenticated by local computer’s SAM

• Kerberos is default authentication method in a domain

• NTLM is default authentication method for local accounts

Page 11: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Kerberos Domain Authentication

Key Distribution

Center (Domain

Controller)

Client

1. Authenticatio

n request b

ased on username and password

2. KDC issues a TGT to

client

3. Client p

resents TGT to KDC with

request to

access client computer

4. KDC issues service tic

ket to client valid fo

r file server

5. Based on the properly issued service ticket, the client computer grants the logon request

Page 12: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events (Win XP)

• 672 – TGT issued

• 673 – Service Ticket issued

• 675 – Failed Kerberos Authentication

• 680 – NTLM authentication event

Page 13: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events(Win Vista +)

• 4768 – TGT issued

• 4769 – Service Ticket issued

• 4771 – Failed Kerberos Pre-Authentication

• 4776 – NTLM authentication event

Page 14: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 15: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 16: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 17: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 18: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 19: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Common Account Logon Events

Page 20: Mastering Windows Network Forensics and Investigation Chapter 13: Logon and Account Logon Events

Domain Logging of a Client being used to Access a File Server

• 672

• 673 (Client)

• 673 (DC)

• 673 (krbtgt)

• 540

• 538

• 673 (File Server)

• 4768

• 4769 (Client)

• 4769 (DC)

• 4769 (krbtgt)

• 4624

• 4634

• 4769 (File Server)

Domain Controller

• 4624 • 528

• 4624

• 4634

• 540

• 538

Client Computer

File Server

Vista + Win XP

Vista + Win XP

Vista + Win XP


Logon Scripting

Logon Scripting

Documents
0.SAP Logon & Navigation

0.SAP Logon & Navigation

Documents
Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs

Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs

Documents
Smart card logon

Smart card logon

Documents
Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events

Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events

Documents
Sap Logon Group_v2

Sap Logon Group_v2

Documents
KIKOLIN LOGON TELESI TI GILO LOGON A CORONA VIRUS...1.5 mètre 1.5 mètre KIKOLIN LOGON TELESI TI GILO LOGON A CORONA VIRUS 1. Lalane könisi kulo, diŋitan liŋ ku pioŋ ku sabuni

KIKOLIN LOGON TELESI TI GILO LOGON A CORONA VIRUS...1.5 mètre 1.5 mètre KIKOLIN LOGON TELESI TI GILO LOGON A CORONA VIRUS 1. Lalane könisi kulo, diŋitan liŋ ku pioŋ ku sabuni

Documents
Open Memory Forensics Workshopdownloads.volatilityfoundation.org/omfw/2013/OMFW2013...1400PM Mastering TrueCrypt and Windows 8/Server Memory, MHL 1440PM All Your Social Media are Belong

Open Memory Forensics Workshopdownloads.volatilityfoundation.org/omfw/2013/OMFW2013...1400PM Mastering TrueCrypt and Windows 8/Server Memory, MHL 1440PM All Your Social Media are Belong

Documents
Forensics & Anti- Forensics

Forensics & Anti- Forensics

Documents
Logon Proxis

Logon Proxis

Documents
LOGON Project resource allocation.xlsx

LOGON Project resource allocation.xlsx

Documents
Logon w2k3serv

Logon w2k3serv

Documents
Chapter 13: Logon and Account Logon Events

Chapter 13: Logon and Account Logon Events

Documents
Futronic Logon Enterprise Edition

Futronic Logon Enterprise Edition

Documents
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence

Documents
SAP Screen Logon

SAP Screen Logon

Documents
How Interactive Logon Works

How Interactive Logon Works

Documents
COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

Documents
RETAIL CLIENT SUCCESS STORY - root9B€¦ · inside the corporate network to steal logon credentials a nd move to the POS network. ... Use comprehensive Digital Forensics and Incident

RETAIL CLIENT SUCCESS STORY - root9B€¦ · inside the corporate network to steal logon credentials a nd move to the POS network. ... Use comprehensive Digital Forensics and Incident

Documents
Crossmatch | DigitalPersona® Logon for Windows …docs.media.bitpipe.com/io_13x/io_137584/item... · Transform your Windows logon authentication protocol with DigitalPersona Logon

Crossmatch | DigitalPersona® Logon for Windows …docs.media.bitpipe.com/io_13x/io_137584/item... · Transform your Windows logon authentication protocol with DigitalPersona Logon

Documents
Corporate Logon Info

Corporate Logon Info

Technology
Mastering the Super Timeline - sans.org · • Blog author at the SANS forensics blog • Author of the blog: blog.kiddaland.net . SANS EU Forensics and Incident Response Summit Why

Mastering the Super Timeline - sans.org · • Blog author at the SANS forensics blog • Author of the blog: blog.kiddaland.net . SANS EU Forensics and Incident Response Summit Why

Documents
Lateral Movement Analysis - Forward Defense · Lateral Movement Analysis 7 While our book, Mastering Windows Network Forensics and Investigations, Second Edition, provides a detailed

Lateral Movement Analysis - Forward Defense · Lateral Movement Analysis 7 While our book, Mastering Windows Network Forensics and Investigations, Second Edition, provides a detailed

Documents
SAS Agent for Windows Logon 1.12 Configuration Guide · Installing SAS Agent for Windows Logon ... CHAPTER 3 Configuration ..... 22: SAS Agent for Windows Logon Configuration Management

SAS Agent for Windows Logon 1.12 Configuration Guide · Installing SAS Agent for Windows Logon ... CHAPTER 3 Configuration ..... 22: SAS Agent for Windows Logon Configuration Management

Documents
Mengganti Logon Screenlogout

Mengganti Logon Screenlogout

Documents
Mastering Windows Network Forensics and Investigation Chapter 17: The Challenges of Cloud Computing and Virtualization

Mastering Windows Network Forensics and Investigation Chapter 17: The Challenges of Cloud Computing and Virtualization

Documents
Logon to deonizamabad

Logon to deonizamabad

Documents
CCW Access and Logon

CCW Access and Logon

Documents
SAP Logon Connection Test

SAP Logon Connection Test

Documents
Disable windows logon password

Disable windows logon password

Technology