1
00:00:01,870 --> 00:00:07,430
Before we move on to computer forensics, let's focus a bit on interpreting event values.

2
00:00:08,690 --> 00:00:14,390
When planning attack recovery strategies, you need to be mindful of the comments given in the slide below.

3
00:00:17,590 --> 00:00:24,070
It's crucial to be aware of all failed user attempts to access specified directories. The ideal computer

4
00:00:24,070 --> 00:00:26,970
system doesn't return any "no" answers:

5
00:00:26,980 --> 00:00:28,360
"The service failed."

6
00:00:28,360 --> 00:00:29,380
"There is no..."

7
00:00:29,560 --> 00:00:32,040
"No results found," et cetera.

8
00:00:34,800 --> 00:00:40,970
In the ideal system, each server only connects to the server he should connect to, and the selected server

9
00:00:40,970 --> 00:00:45,170
is always available and provides services without any downtime.

10
00:00:45,290 --> 00:00:48,240
In this system, users don't go beyond what they should do.

11
00:00:50,900 --> 00:00:54,330
But in the real world, there will always be "no" answers:

12
00:00:54,380 --> 00:00:55,580
"The service failed."

13
00:00:55,580 --> 00:00:57,170
"You don't have privileges."

14
00:00:57,170 --> 00:00:58,490
"The connection is wrong."

15
00:01:00,740 --> 00:01:06,490
These are exactly the types of events that are relevant for security management.

16
00:01:06,510 --> 00:01:11,700
We have to audit failed object access events (event ID 560).

17
00:01:22,160 --> 00:01:24,610
As far as user control is concerned,

18
00:01:24,620 --> 00:01:29,240
pay close attention to password change attempts.

19
00:01:29,240 --> 00:01:35,090
Note that this event is not exclusively related to password expirations enforced by a security policy.

20
00:01:37,670 --> 00:01:43,340
This attempt could also indicate that an attacker is trying to crack a password, or has cracked it already

21
00:01:43,400 --> 00:01:49,010
and is now attempting to change it and make further use of the account he has taken over.
22
00:01:49,010 --> 00:01:50,540
These events have to be monitored.

23
00:01:58,230 --> 00:02:01,440
Event 754 is even more alarming.

24
00:02:01,440 --> 00:02:03,610
It's a password reset event.

25
00:02:03,720 --> 00:02:09,600
A reset is different from a password change in that a change requires a user to know the current password.

26
00:02:12,280 --> 00:02:17,830
In one of the next lectures we will focus on the consequences of generating a new user security key in

27
00:02:17,830 --> 00:02:21,400
Windows.

28
00:02:21,450 --> 00:02:24,250
The key is used to secure some types of data,

29
00:02:24,720 --> 00:02:32,690
for example the files that are encrypted by a user. If an administrator resets the user's password,

30
00:02:32,870 --> 00:02:36,320
this entails that the encrypted files will stay encrypted forever.

31
00:02:45,790 --> 00:02:51,030
Event Succineidae relates to restoring an Active Directory controller password.

32
00:02:51,200 --> 00:02:59,030
The password is submitted during an installation of Active Directory in the DCPromo tool. This is an

33
00:02:59,030 --> 00:03:02,870
account that enables local access to a server.

34
00:03:02,960 --> 00:03:08,700
We know already that any person who has local access to a server is de facto that server's administrator.

35
00:03:17,160 --> 00:03:17,590
Next,

36
00:03:17,590 --> 00:03:20,320
there are events related to global and local groups.

37
00:03:29,810 --> 00:03:33,300
Event 624 indicates that a new account has been created.

38
00:03:36,230 --> 00:03:42,710
Unrestricted ability to create new objects in a system, for example user accounts, should generally never

39
00:03:42,710 --> 00:03:43,650
be allowed.

40
00:03:46,440 --> 00:03:51,460
A formal procedure that specifies the conditions for setting up accounts has to be enforced.
41
00:04:00,930 --> 00:04:05,780
The second class of events we will take a look at is related to the modification of the data that is logged.

42
00:04:10,840 --> 00:04:13,480
Event 516 indicates that the log is full.

43
00:04:16,550 --> 00:04:19,120
517 occurs when the log is cleared.

44
00:04:22,010 --> 00:04:25,790
520 is a change of the system time.

45
00:04:25,810 --> 00:04:31,090
This can seem like a trivial thing, but notice that the data recorded in the logs will form a basis for

46
00:04:31,090 --> 00:04:32,310
further actions.

47
00:04:33,900 --> 00:04:41,410
It could also constitute evidence of an attack. All events saved in the logs come with the time of occurrence,

48
00:04:42,150 --> 00:04:45,780
which is local system time.

49
00:04:45,810 --> 00:04:49,230
You can't simply assume 11 p.m. as the time of an event,

50
00:04:49,440 --> 00:04:54,480
since you can't rule out that someone might have changed the system clock at that hour. The real hour

51
00:04:54,480 --> 00:05:00,320
could have been, for example, 6 a.m. the time Mary calls in that case of an hour's

52
00:05:03,250 --> 00:05:09,320
Error 521 is a system error that causes the log to fail to record new events.

53
00:05:11,010 --> 00:05:13,440
This should never be found in security logs.