Mastering Windows Network Forensics and Investigation, Chapter 13: Logon and Account Logon Events
TRANSCRIPT
Chapter Topics:
• Logon vs. Account Logon Events
• Authentication in a Domain Environment
• Logging within a Domain Environment
Logon vs. Account Logon
• Logon Events
  – Event ID 5xx (Windows XP)
  – Event ID 46xx (Windows Vista +)
  – Log access to a resource
• Account Logon Events
  – Event ID 6xx (Windows XP)
  – Event ID 47xx (Windows Vista +)
  – Log authentication of credentials
Common Windows XP Logon Events
• 528 – Local logon
• 540 – Network Logon
• 538 – Logoff
• 529 – Failed Logon
Common Windows Vista + Logon Events
• 4624 – Local logon
• 4624 – Network Logon
• 4634 – Logoff
• 4625 – Failed Logon
Authentication
• Domain accounts are authenticated by DCs
• Local Accounts authenticated by local computer’s SAM
• Kerberos is default authentication method in a domain
• NTLM is default authentication method for local accounts
Kerberos Domain Authentication
(Diagram: Key Distribution Center (Domain Controller) and Client)
1. Authentication request based on username and password
2. KDC issues a TGT to client
3. Client presents TGT to KDC with request to access client computer
4. KDC issues service ticket to client valid for file server
5. Based on the properly issued service ticket, the client computer grants the logon request
Common Account Logon Events (Win XP)
• 672 – TGT issued
• 673 – Service Ticket issued
• 675 – Failed Kerberos Authentication
• 680 – NTLM authentication event
Common Account Logon Events (Win Vista +)
• 4768 – TGT issued
• 4769 – Service Ticket issued
• 4771 – Failed Kerberos Pre-Authentication
• 4776 – NTLM authentication event
Domain Logging of a Client being used to Access a File Server
Domain Controller
• Vista +: 4768, 4769 (Client), 4769 (DC), 4769 (krbtgt), 4624, 4634, 4769 (File Server)
• Win XP: 672, 673 (Client), 673 (DC), 673 (krbtgt), 540, 538, 673 (File Server)
Client Computer
• Vista +: 4624
• Win XP: 528
File Server
• Vista +: 4624, 4634
• Win XP: 540, 538
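An added example, not code from the book or its slides: it applies the chapter's Logon vs. Account Logon split and its XP-to-Vista+ ID mapping to constructed sample records that follow the client-to-file-server sequence, and flags Kerberos account logon events that turn up on a host other than a domain controller. Host names DC1, CLIENT and FILESRV are assumed placeholders.

```python
# Added example (not the book's code); hosts DC1, CLIENT, FILESRV are placeholders.
# Vista+ event ID -> (family, description), as listed in the chapter.
CATALOG = {
    4624: ("Logon", "Logon (local or network)"),
    4634: ("Logon", "Logoff"),
    4625: ("Logon", "Failed logon"),
    4768: ("Account Logon", "TGT issued"),
    4769: ("Account Logon", "Service ticket issued"),
    4771: ("Account Logon", "Failed Kerberos pre-authentication"),
    4776: ("Account Logon", "NTLM authentication"),
}
# XP ID -> Vista+ ID; 528 and 540 both became 4624 (Logon Type tells them apart).
XP_TO_VISTA = {528: 4624, 540: 4624, 538: 4634, 529: 4625,
               672: 4768, 673: 4769, 675: 4771, 680: 4776}
KERBEROS_IDS = {4768, 4769, 4771}  # written only by the KDC, i.e. a DC

def normalize(event_id):
    """Return the Vista+ ID for an XP ID; other IDs pass through unchanged."""
    return XP_TO_VISTA.get(event_id, event_id)

def classify(event_id):
    """Return (family, description), or ('Unknown', '') for IDs not in the chapter."""
    return CATALOG.get(normalize(event_id), ("Unknown", ""))

def timeline(records):
    """[(host, vista_id, family, description)] in record order, IDs normalized."""
    out = []
    for r in records:
        vid = normalize(r["event_id"])
        family, desc = classify(vid)
        out.append((r["host"], vid, family, desc))
    return out

def misplaced_kerberos(records, domain_controllers):
    """Kerberos Account Logon events logged on a host that is not a DC."""
    return [r for r in records
            if normalize(r["event_id"]) in KERBEROS_IDS
            and r["host"] not in domain_controllers]

# Constructed sample (XP DC, Vista+ client and file server) plus one out-of-place event.
SAMPLE = [
    {"host": "DC1", "event_id": 672},       # TGT issued
    {"host": "DC1", "event_id": 673},       # service ticket for CLIENT
    {"host": "CLIENT", "event_id": 4624},   # local logon on the client
    {"host": "DC1", "event_id": 673},       # service ticket for FILESRV
    {"host": "FILESRV", "event_id": 4624},  # network logon at the file server
    {"host": "FILESRV", "event_id": 4634},  # logoff
    {"host": "FILESRV", "event_id": 4769},  # constructed: a 4769 here is suspect
]
```

Running `timeline(SAMPLE)` reads the XP-era DC and the Vista+ members as one sequence, and `misplaced_kerberos(SAMPLE, {"DC1"})` returns only the constructed file-server 4769.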