Originally posted here by catch
If the system is configured correctly, this shouldn't be required. (What is the integrity of your logs? What users have access to those logs?) If it is required, check out the forensic server project and the CERT windows compromise response documents.

The following links should get you started (in this order):

http://www.shebeen.com/win32-forensics/index.html

http://www.windowsitlibrary.com/Cont...81/08/toc.html

http://www.cert.org/tech_tips/win-UN...ompromise.html

cheers,

catch
Sorry, forgot to mention: not every environment is perfect. I agree with you that if the system is configured correctly, I shouldn't have to use them. But just imagine that you are a forensic expert and you earn a living by providing forensic investigation when your customer suspects something is happening to his/her computer and they call you to lead an investigation. Surely you can't say "If the system is configured correctly, this shouldn't be required" to your customer, right? hehe... just a thought...