More FTK Filters

In my last post, I mentioned two useful FTK filters for quickly finding files of interest. Below are two more that may be helpful to a digital investigator examining a Microsoft Windows Server 2008 R2 server (they may work on other versions, but I have not tried them).

Remote Desktop Logs (there are other log files, but I found this filter to be very useful):

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="W2K8 RDP Logs" matchCriterion="all" id="f_1000006" read_only="false" description="Windows Server 2008 RDP Logs">
    <rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore">
      <one_string value="Microsoft-Windows-TerminalServices"/>
    </rule>
    <rule position="1" enabled="true" id="a_9001" operator="contains_caseignore">
      <one_string value="%4Operational"/>
    </rule>
    <rule position="2" enabled="true" id="a_9001" operator="contains_caseignore">
      <one_string value="Manager"/>
    </rule>
    <rule position="3" enabled="true" id="a_9185" operator="is">
      <one_string value="evtx"/>
    </rule>
  </filter>
  <attribute id="a_9001" type="string">
    <table>cmn_Objects</table>
    <column>ObjectName</column>
  </attribute>
  <attribute id="a_9185" type="string">
    <table>cmn_ObjectFiles</table>
    <column>Extension</column>
  </attribute>
</exportedFilter>

Windows Firewall logs:

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="W2K8 Windows Firewall Logs" matchCriterion="all" id="f_1000009" read_only="false" description="Microsoft-Windows-Windows Firewall With Advanced Security">
    <rule position="0" enabled="true" id="a_9001" operator="contains_caseignore">
      <one_string value="Microsoft-Windows-Windows Firewall With Advanced Security"/>
    </rule>
  </filter>
  <attribute id="a_9001" type="string">
    <table>cmn_Objects</table>
    <column>ObjectName</column>
  </attribute>
</exportedFilter>
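As an added example (my own script, not part of the post and not AccessData code), the following Python reads an exported FTK filter of the shape shown above and applies its rules to a handful of constructed file records, which is a quick way to sanity-check what a filter will match before importing it into a case. The a_9001 = ObjectName and a_9185 = Extension mapping comes from the RDP filter's own attribute definitions; the sample file names and extensions are made up for the demonstration.

```python
import xml.etree.ElementTree as ET
NS = {"f": "http://www.accessdata.com/ftk2/filters"}

# The RDP-log filter from the post, embedded (XML declaration dropped) so this runs offline.
RDP_FILTER = """<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
<filter name="W2K8 RDP Logs" matchCriterion="all" id="f_1000006" read_only="false">
<rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore"><one_string value="Microsoft-Windows-TerminalServices"/></rule>
<rule position="1" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="%4Operational"/></rule>
<rule position="2" enabled="true" id="a_9001" operator="contains_caseignore"><one_string value="Manager"/></rule>
<rule position="3" enabled="true" id="a_9185" operator="is"><one_string value="evtx"/></rule>
</filter>
<attribute id="a_9001" type="string"><table>cmn_Objects</table><column>ObjectName</column></attribute>
<attribute id="a_9185" type="string"><table>cmn_ObjectFiles</table><column>Extension</column></attribute>
</exportedFilter>"""

# Predicates for the operator names that appear in the exported filters.
OPERATORS = {
    "starts_with_caseignore": lambda field, s: field.lower().startswith(s.lower()),
    "contains_caseignore": lambda field, s: s.lower() in field.lower(),
    "is": lambda field, s: field == s,
}

def load_filter(xml_text):
    """Return (matchCriterion, [(column, operator, value), ...]) in rule order."""
    root = ET.fromstring(xml_text)
    # A rule's id is not unique: it names the <attribute> (database column) it tests.
    columns = {a.get("id"): a.find("f:column", NS).text
               for a in root.findall("f:attribute", NS)}
    flt = root.find("f:filter", NS)
    rules = sorted(flt.findall("f:rule", NS), key=lambda r: int(r.get("position")))
    return flt.get("matchCriterion"), [
        (columns[r.get("id")], r.get("operator"), r.find("f:one_string", NS).get("value"))
        for r in rules if r.get("enabled") == "true"]

def apply_filter(xml_text, records):
    """Return the ObjectName of each record the filter would keep visible."""
    criterion, rules = load_filter(xml_text)
    combine = all if criterion == "all" else any  # matchCriterion="all" means AND
    return [rec["ObjectName"] for rec in records
            if combine(OPERATORS[op](rec.get(col, ""), val) for col, op, val in rules)]

# Constructed file records shaped like FTK's ObjectName / Extension columns.
SAMPLE = [
    {"ObjectName": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", "Extension": "evtx"},
    {"ObjectName": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bak", "Extension": "bak"},
    {"ObjectName": "Security.evtx", "Extension": "evtx"},
]
```

Running `apply_filter(RDP_FILTER, SAMPLE)` keeps only the two Operational .evtx files; the Admin log fails rule 1 and the .bak copy fails the Extension rule, which is the point of the fourth rule.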
This entry was posted in Forensics.
