Categories
General IT Masters Tutorials

Producing and Analysing a Log File

You suspect somebody of secretly using your computer and you want to perform a forensic investigation to prove it. The event log in Windows is an extremely useful tool and records huge amounts of system data.

The event log could be used to show every start-up and shutdown over the last week; this would easily show if and when the computer was in use.

Follow the procedure below to show the event log:

  1. Click Start and then select Control Panel
  2. Click Administrative Tools and the choose Event Viewer.

EventViewer

From here you can see Application, System and Security logs for your machine.

There will be hundreds if not thousands of events recorded under each heading. You can create a custom view by using the option on the right hand side.

Choose the option to sort by log and choose Windows logs. Replace <All Event IDs> with ‘6005-6006’ to show system start-ups (6005) and shutdowns (6006).

CustomView

Once created, all of the event logs will be filtered to just show startups and shutdowns. Then you can see when your PC has been in use. All it won’t tell you is who used it!

FilteredLogs

Leave a Reply

Your email address will not be published. Required fields are marked *