Windows Event Forensic Process.

ADVANCES IN DIGITAL FORENSICS X (2014)

Abstract
Event logs provide an audit trail that records user events and activities on a computer and are a potential source of evidence in digital forensic investigations. This paper presents a Windows event forensic process (WinEFP) for analyzing Windows operating system event log files. The WinEFP covers a number of relevant events that are encountered in Windows forensics. As such, it provides practitioners with guidance on the use of Windows event logs in digital forensic investigations.
Keywords
Windows event forensic process, Windows event logs