WORKSHOP 5Monday 27 May 2019 - Focus Rooms, Sunninghill

Find what lurks inside – a quick and dirty dive into event log analysis

Jason Jordaan, Principal Forensic Analyst & Veronica Schmitt, Lead Forensic Analyst DFIR Labs

Once an incident has taken place in your organisation, it is important to respond to it and hunt for clues as to what happened within your environment. The importance of understanding how the adversary has moved around within your environment is of vital importance. For every action in an environment there is an equal but opposite reaction. This means that every step taken by a malicious process or adversary is leaves behind a footprint in the form of logs within the event logs of an operating system.

Knowing these logs exist allows for the hunting of the unexpected or the abnormal within them. Understanding what is normal for your network allows you to solve the puzzle of what does not belong. In this half day workshop, emphasis will be placed on the examination of system-generated logs, the process of tracking events, reviewing of security event logs and the use of additional open source logging which can be added to your environment. This enhanced logging will enable you to significantly enhance your visibility of illicit or malicious movement in your environment.

We will also deep-dive into the examination of additional file system artifacts which enhance your event log analysis for incident response. These include (but are not limited to) the examination and recovery of registry and event logs files if they have been deleted. Log analysis is a very important part of forensics and incident response. Whilst conducting an Incident Response exercise it is important to understand which logs are relevant to the incident that has taken place and to not examine everything. The success of any examination depends on being precise, concise and knowing where the evidence will be located. This workshop is given at both a high level and a technical one, with a good balance between theory and practice. This is a workshop like no other and will be fast paced and feel quite similar to drinking from a proverbial fire hydrant!

By attending this workshop you will gain:

  • An understanding of the format of event logs and the examination of them
  • An understanding of incidents and their events triggered
  • The ability to set up of event log recordings to ensure that all needed logs are collected within your environment
  • Understanding the collection of event logs for analysis and the preservation of these logs
  • Understanding the examination of event ids associated with specific types of incidents
  • The ability to build your capacity to examine event logs and the underlying support system needed

Who should attend:

  • Security professionals wanting to learn more about incident response
  • Red team members wanting to learn what their actions on a system leave behind
  • Blue team members wanting to learn how to identify what has taken place using event logs
  • Incident response and forensic professionals wanting to catch up on the latest identification techniques using a new approach
  • CISOs /security management staff hoping to understand incident response and how it can be used in their organisation

What to bring:

  • You will need to bring with you a laptop with the Windows 10 operating system and have a basic understanding of the Windows environment.


Registration and lunch
Refreshments and networking
Close of workshop
  • Session One: Lab setup to examine event logs
  • Session Two: Introduction to event log management
  • Session Three: Examination of event log types and structure
  • Session Four: Remote Access scenarios and associated events
  • Session Five: Remote Execution scenarios and associated events
  • Session Six: Unauthorised access and events associated with logon
  • Session Seven: Failure and critical service error reports
  • Session Eight: Bringing it all together and closure
  • Session Nine: Practical team challenge: 'solve the incident'

Event Sponsor

Diamond Sponsor

Platinum Sponsors

Security Survey & Executive Roundtable Sponsor

Gold Sponsors

Silver Sponsors

Bronze Sponsors

Display Sponsors

Showcase Sponsor


Endorsed by


pDBException: [1]: Database not defined