Currently, many faced with hacker attacks. Harlan Karvey conducted an analysis of how the hackers were able to gain access to the computer, using standard logs Event Logs operating system. He uses his own program RegRipper with plug-ins for the analysis.
The author sets the details of the attack produced using standard logs. Timeline helped define what actions the attacker made in Windows 2003 the operating system.
Thus, as a result of his analysis, Harlan Carvey concluded that, using only a pair of source / ID recording events, we could see the creation and deletion of the user account, even if we did not have information about the process to confirm this for us. Removing an account occurred through a GUI tool (mmc.exe running compmgmt.msc), and all information on the establishment of the process shows us that the tool has been launched, which were not driven out button. Even without the metadata records the event log, we still had the information that we recovered from the unallocated space inside the hive SAM file.
You can find more info here.