Forensic analysis
How to start Windows forensic analysis in Windows servers, domain controllers.
January 1st, 2012 6:45am
Hi,
You can start with event log and audit policy. The event logs record events that happen on the computer. Examining the events in these logs can help you trace activity, respond to events, and keep your systems secure. Meanwhile, establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

For example, the Audit account logon events policy setting enables auditing of each instance of user logon or logoff on a different computer than the one that records the event and validates the account. Success audits provide useful information for accounting purposes and for post-incident forensics so that you can determine who successfully logged on to which computer.
For more information, please refer to the following articles:
Event Log
http://technet.microsoft.com/en-us/library/dd349798(WS.10).aspx
Audit Policy
http://technet.microsoft.com/en-us/library/cc766468(WS.10).aspx
Strengthening Domain Controller Policy Settings
http://technet.microsoft.com/en-us/library/cc773388(WS.10).aspx
Regards,
Bruce
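
As an added example (not part of the original reply): one way to check the account logon audit setting on a domain controller and then summarise who authenticated from where. It assumes Windows Server 2008 or later, an elevated PowerShell 3.0+ session, and an English-language system for the category name; the one-day window and the CSV file name are placeholders.

```powershell
# Added example, not from the original thread. Run elevated on a domain controller.

# 1. Confirm the "Account Logon" audit category is actually recording events.
auditpol /get /category:"Account Logon"

# 2. Pull account-logon events from the Security log for the window of interest.
#    4768 = Kerberos TGT requested, 4769 = Kerberos service ticket requested,
#    4776 = NTLM credential validation.
$since  = (Get-Date).AddDays(-1)   # assumed window; set to the incident timeframe
$filter = @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = $since }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields instead of relying on positional properties.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Keyword bit 0x20000000000000 marks an Audit Success record.
        $ok = [bool]($_.Keywords -band 0x20000000000000)

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Result  = if ($ok) { 'Success' } else { 'Failure' }
            Account = $data['TargetUserName']
            # 4768/4769 record the client IP address; 4776 records the workstation name.
            Source  = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
            Status  = $data['Status']
        }
    }

# 3. Summarise account / source / result combinations, most frequent first.
$rows | Group-Object Account, Source, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Keep the extracted rows for the case file (file name is a placeholder).
$rows | Export-Csv -Path .\account-logon-events.csv -NoTypeInformation
```

If step 1 shows "No Auditing" for the subcategories, the Security log will hold no such events for that period, which is why the audit policy has to be in place before an incident.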
January 3rd, 2012 4:11am
January 3rd, 2012 12:09pm