Auditing and logging

Most of the configuration controls that Windows can put in place by default relate to audit logging. The following audit policy subcategories can be enabled by any organization so that the events they record are available during an incident or forensic analysis:

  • Credential validation
  • Computer account management
  • Distribution group management
  • Other account management events
  • Security group management
  • User account management
  • Process creation
  • Directory service access and changes
  • Account lockout, logoff, logon and special logon
  • Removable storage
  • Policy changes
  • Security state changes

This gives a clear view of which logs penetration testers must consider clearing after the exploitation phase of our kill chain methodology.
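The subcategories above map directly onto the names that auditpol.exe uses. The following PowerShell script is an added example (not code from the book) that turns on success and failure auditing for each of them, verifies the effective setting, and then shows the two checks a practitioner wants on top of that: enabling the command line in process-creation events (4688), and querying for event 1102, which Windows writes whenever the Security log is cleared. The event ID comments are the IDs Microsoft documents for each subcategory; the registry key for command-line logging is the documented policy key. Run it from an elevated prompt.

```powershell
# Added example, not from the original page. Requires an elevated PowerShell session.
# Subcategory names must match auditpol's English names exactly (quote them, they contain spaces).

$subcategories = @(
    'Credential Validation'           # 4776 (NTLM validation)
    'Computer Account Management'     # 4741-4743
    'Distribution Group Management'   # 4744-4753, 4759-4763
    'Other Account Management Events' # 4782, 4793
    'Security Group Management'       # 4727-4737, 4754-4758
    'User Account Management'         # 4720-4726, 4738, 4740
    'Process Creation'                # 4688
    'Directory Service Access'        # 4662
    'Directory Service Changes'       # 5136-5141
    'Account Lockout'                 # 4625 (lockout-triggering failures)
    'Logoff'                          # 4634, 4647
    'Logon'                           # 4624, 4625, 4648
    'Special Logon'                   # 4672, 4964
    'Removable Storage'               # 4656, 4663 on removable-media objects
    'Audit Policy Change'             # 4719, 4912
    'Security State Change'           # 4608, 4616, 4621
)

# 1. Enable success and failure auditing for every subcategory in the list.
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$s'" }
}

# 2. Verify the effective policy. If a domain GPO defines advanced audit policy,
#    it overwrites these local settings at the next policy refresh, so check after
#    running gpupdate as well.
foreach ($s in $subcategories) {
    auditpol.exe /get /subcategory:"$s"
}

# 3. 4688 is far more useful with the process command line included.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 4. Caveat for the tester and the analyst: clearing the Security log
#    (for example with `wevtutil cl Security`) itself writes event 1102,
#    naming the account that cleared it. List the most recent ones, if any.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'User'; Expression = { $_.Properties[1].Value } }
```

The practical point of step 4 for both sides of the engagement: wiping the Security log removes the events listed above but leaves a 1102 record, so a forensic analyst looks for that event (and for a suspiciously short log) rather than for the deleted entries themselves. Note also that the 1102 "User" property index is an assumption based on the event's layout; confirm it against `Get-WinEvent ... | Format-List *` on the target build.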
