We all face it sooner or later. Some very confidential information is disclosed and the pressure is on to find out how it happened and who did it. In this real training for free ™ event we will explore the specific scenario of tracking down who accessed and disclosed confidential documents stored on a file server. I will show you how to find and correlate several different types of events from several different roles of Windows including:
- Authentication events from domain controllers
- Group membership changes from domain controllers
- File access events from file servers
- Share level access events from file servers
- Program execution events from workstations
This will be a highly technical event that dives deep into Windows auditing capabilities. We will look at 5 key Windows security log event IDs and demonstrate how to link them to each other to track down not only who accessed the file in question but when, from what computer, what program they used and how they got permissions to the file in the first place.
But as always I'll also be clear about the limitations of what you can do with Windows and what you can't. In this case the tough part is the management and interpretation of file access events, and the fact that Windows events are isolated on each of the systems described above.
There are ways to overcome all of this, which of course I'll discuss. In particular, Alexey Korotich from our sponsor, Dell Software, will show you how their totally new version of Intrust not only eliminates the need to use cryptic Windows auditing but also allows you to join event logs with Active Directory and Windows configuration data and perform very sophisticated forensic queries from an extremely simple interface.
Please register now.