What kind of logs are left after an intrusion's been made into your system? I know about firewall logs, but I heard that if you're on Windows it's possible to detect an intrusion by looking at the kernel32.dll file. Comments, people?
Kernel32.dll?????
I've never heard anything about that before... but as you stated, firewalls do leave logs....
Sadly, Windows leaves very few logs of its activity. A firewall should keep logs, and if you are running a 3rd-party server then it too should leave logs (as long as you enable that option).
Thus, detecting an intrusion is a matter of firewall log checking, your server log checking, and looking at the system logs created by Windows. You can find those (weak) logs at Start button > Control Panel > Administrative Tools > (forget the final option)
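The three sources named above (firewall log, server log, Windows system log) are most useful when read together rather than one at a time, because a single probe often leaves a trace in all three. The script below is an added example, not code from this thread: it parses a few constructed lines from each source, groups them by client address and flags an address whose negative events span several sources, that the firewall dropped on several ports, or that finally logged on after failed attempts. The line layouts are assumed for the example (the Windows export format in particular is simplified); event IDs 529 (failed logon) and 528 (successful logon) are the NT/2000/XP-era Security log IDs.

```python
"""Cross-check firewall, server and Windows Security logs by client IP.
Added example, not from the thread. Sample lines are constructed and the
line layouts (especially the Windows export) are assumed for the example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall export: date time action proto src dst dport
FIREWALL_LOG = """\
2002-03-14 02:11:05 DROP TCP 203.0.113.7 192.168.1.10 135
2002-03-14 02:11:06 DROP TCP 203.0.113.7 192.168.1.10 139
2002-03-14 02:11:07 DROP TCP 203.0.113.7 192.168.1.10 445
2002-03-14 02:11:09 ACCEPT TCP 203.0.113.7 192.168.1.10 80
2002-03-14 03:00:00 ACCEPT TCP 198.51.100.4 192.168.1.10 80
"""
# Constructed web server access log (common log format)
SERVER_LOG = """\
203.0.113.7 - - [14/Mar/2002:02:12:30 +0000] "GET /admin/ HTTP/1.0" 401 312
203.0.113.7 - - [14/Mar/2002:02:12:31 +0000] "GET /admin/ HTTP/1.0" 401 312
198.51.100.4 - - [14/Mar/2002:03:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
"""
# Constructed Windows Security log export (assumed layout):
# date time audit_type event_id user workstation  (529 = failed logon, 528 = success)
WINDOWS_LOG = """\
2002-03-14 02:13:40 FailureAudit 529 administrator 203.0.113.7
2002-03-14 02:13:42 FailureAudit 529 administrator 203.0.113.7
2002-03-14 02:13:50 SuccessAudit 528 administrator 203.0.113.7
"""

FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+) (\S+) (\d+)$")
SRV_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "([^"]*)" (\d{3})')
WIN_RE = re.compile(r"^(\S+ \S+) (\w+) (\d+) (\S+) (\S+)$")


def _event(ts, source, ip, detail, bad):
    # "bad" marks a deny, an error response or a failed audit
    return {"ts": ts, "source": source, "ip": ip, "detail": detail, "bad": bad}


def parse_firewall(text):
    events = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        action, dport = m.group(2), m.group(6)
        events.append(_event(ts, "firewall", m.group(4),
                             f"{action} dport={dport}", action == "DROP"))
    return events


def parse_server(text):
    events = []
    for m in filter(None, map(SRV_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")  # offset ignored
        status = int(m.group(4))
        events.append(_event(ts, "server", m.group(1),
                             f"{status} {m.group(3)}", status >= 400))
    return events


def parse_windows(text):
    events = []
    for m in filter(None, map(WIN_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        audit, event_id, user = m.group(2), m.group(3), m.group(4)
        events.append(_event(ts, "windows", m.group(5),
                             f"{audit} {event_id} user={user}", audit == "FailureAudit"))
    return events


def correlate(events):
    """Group events by client IP, each group ordered by time."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
    return dict(by_ip)


def suspicious_ips(by_ip, min_bad_sources=2, min_dropped_ports=3):
    """Return {ip: [reasons]} for addresses worth a closer look."""
    flagged = {}
    for ip, evs in by_ip.items():
        reasons = []
        bad_sources = sorted({e["source"] for e in evs if e["bad"]})
        if len(bad_sources) >= min_bad_sources:
            reasons.append("negative events in " + ", ".join(bad_sources))
        dropped = {e["detail"].split("dport=")[1] for e in evs
                   if e["source"] == "firewall" and e["bad"]}
        if len(dropped) >= min_dropped_ports:
            reasons.append(f"firewall dropped probes to {len(dropped)} ports")
        failures = 0  # a success after failures from the same address
        for e in (e for e in evs if e["source"] == "windows"):
            if e["bad"]:
                failures += 1
            elif failures:
                reasons.append(f"successful logon after {failures} failures")
                break
        if reasons:
            flagged[ip] = reasons
    return flagged


def run_triage(fw=FIREWALL_LOG, srv=SERVER_LOG, win=WINDOWS_LOG):
    events = parse_firewall(fw) + parse_server(srv) + parse_windows(win)
    return suspicious_ips(correlate(events))
```

Running `run_triage()` on the constructed lines flags only 203.0.113.7, with all three reasons; 198.51.100.4 is seen by the firewall and the web server too, but only with accepted, successful requests, so it is not reported. The thresholds are arguments so they can be tuned to the real volume of a site's logs.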
Well, I heard them mention logs in kernel32.dll at this convention I attended a while back.
And let me get this straight: if someone deletes my firewall logs and server logs, they're home free? lol, I probably made it sound very easy, huh?
Umm, aren't we forgetting about sniffers and file/sys auditing? I could think of a few more things.
There is a lot of usage for Kernel32.dll; any number of API calls could be used to monitor certain things. I still don't see how just "by looking at the kernel32.dll file" will do much.
Quote:
Umm, aren't we forgetting about sniffers and file/sys auditing? I could think of a few more things.

No, thus why I said 3rd-party software must also be included. However, we were leaning more towards the default capability of Windows. And as for file/sys auditing, it's so fscked up on timestamps that I wouldn't trust a Windows file timestamp if my life depended on it. How? A property view changes access times. A copy and paste removes the original modified-on date.
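The two timestamp effects described in the reply above (viewing a file touches its access time; a copy-and-paste gives the copy a fresh modified time) can be reproduced on any filesystem. The script below is an added example, not from this thread: it creates scratch files in a temporary directory, backdates them 30 days, then copies them with and without metadata and reads one of them, reporting what survived. `shutil.copy` stands in for a plain copy-and-paste and `shutil.copy2` for a copy that preserves timestamps; the content hash is computed alongside to show what does not change. The access-time check is reported but not relied on, because whether a read updates atime depends on the volume (noatime/relatime mounts, and NTFS with last-access updates disabled).

```python
"""Which file timestamps survive ordinary handling, and which do not.
Added example, not from the thread; scratch files live in a temp dir."""
import hashlib
import os
import shutil
import tempfile
import time

THIRTY_DAYS = 30 * 24 * 3600


def make_old_file(path, age=THIRTY_DAYS):
    """Create a file whose atime and mtime are set 'age' seconds in the past."""
    with open(path, "w") as f:
        f.write("pretend this is a suspicious binary\n")  # constructed content
    old = time.time() - age
    os.utime(path, (old, old))
    return old


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def copy_and_compare(preserve):
    """Copy a backdated file and report whether mtime and content survived.

    preserve=False mimics a plain copy-and-paste (shutil.copy): the copy gets
    a fresh modified time. preserve=True uses shutil.copy2, which also copies
    the timestamps, which is what a forensic copy should do."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.exe")
        dst = os.path.join(d, "copy.exe")
        make_old_file(src)
        before = os.stat(src)
        (shutil.copy2 if preserve else shutil.copy)(src, dst)
        after = os.stat(dst)
        return {
            "mtime_preserved": abs(before.st_mtime - after.st_mtime) < 2,
            "hash_preserved": sha256_of(src) == sha256_of(dst),
        }


def read_updates_atime():
    """Read a backdated file (as opening its Properties would) and report
    whether the access time moved. The answer depends on the volume's
    mount options, which is exactly why atime is weak evidence."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "viewed.txt")
        old = make_old_file(p)
        with open(p, "rb") as f:
            f.read()
        return os.stat(p).st_atime > old + 1


if __name__ == "__main__":
    print("plain copy:     ", copy_and_compare(preserve=False))
    print("metadata copy:  ", copy_and_compare(preserve=True))
    print("read moved atime:", read_updates_atime())
```

The practical takeaway is the one the reply makes: record a hash of anything you intend to treat as evidence before you open, copy or inspect it, and treat the timestamps as hints rather than proof.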
Quote:
You can find those (weak) logs at Start button > Control Panel > Administrative Tools > (forget the final option)

It's Event Viewer.

Thanks cgk, memory was rusty on that part :)