Windows 7 forensics event logs-dtl-r3

  1. Digital Forensics and Windows 7 Event Logs
     Troy Larson, Principal Forensics Program Manager, TWC Network Security Investigations
     NSINV-R3 – Research | Readiness | Response

  2. Introduction
     Vista/Windows 7 event logging:
     • New format: *.evtx.
     • More, many more, event log files.
     • New system for collecting and displaying events.
     • New security event numbering.

  3. Windows Event Logs
     Before Vista – Event Log:
     • The big three:
       – System.
       – Security.
       – Application.
     • Binary file, .evt.
     • \Windows\System32\config
     • Documented and well known.
     Vista to present – Windows Event Log:
     • The big three:
       – System.
       – Security.
       – Application.
     • Plus 100+ more event log files.
     • Binary/XML format – .evtx.*
     • C:\Windows\System32\winevt\Logs
     • New, documentation growing.
     * us/library/aa385780(v=VS.85).aspx

  4. Windows Event Logs
     C:\Windows\System32\winevt\Logs

  5. Windows Event Logs
     What is an event log?

  6. Windows Event Logs
     An event log is more than its .evtx file.
     • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs.
     • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer.
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

  7. From *.evtx to Event Log
     Registry: HKLM\SYSTEM\ControlSet001\services\eventlog
     *.evtx file + MessageFile.dll -> Event Viewer
  8. Windows Event Logs
     • Impact on forensics?
       – Information in an event log often depends on message DLLs.
       – To get the message information, one must have the message DLLs available at the time the logs are:
         • Collected; or
         • Read.
       – Security events are generally consistent within the same version of Windows (the message DLLs are the same).
       – Application logs pose the biggest risk of incompatible or missing message information, as message DLLs depend on the installed applications.

  9. Windows Event Logs
     • Solutions:
       – Collect logs live, before shutting down a system.
         • For example:
           > psloglist.exe -s -x Application > AppEvent.csv
           > psloglist.exe -s -x System > SysEvent.csv
           > psloglist.exe -s -x Security > SecEvent.csv
       – Rebuild registry references to message DLLs on the analysis workstation.
         • Generally not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
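Added example (not from the presentation) of the same live collection done with the tools that ship with Windows 7: wevtutil keeps the raw .evtx, and Get-WinEvent renders a CSV while the message DLLs are still on the host. The destination path is an assumption; Get-FileHash needs PowerShell 4 or later, and reading the Security log needs an elevated session.

```powershell
# Added example, not from the presentation: live collection of the big three logs
# from a running Windows 7 / Server 2008 R2 host, keeping both the raw .evtx and a
# rendered CSV. Run from an elevated PowerShell (Security requires admin rights).
# The destination path is an assumption; Get-FileHash needs PowerShell 4 or later.
$Dest = "E:\Evidence\$env:COMPUTERNAME-EventLogs"
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

foreach ($Log in 'Application', 'System', 'Security') {
    # 1. Raw export of the .evtx, so the original records survive independent of
    #    any later message-DLL problems (psloglist alone gives only rendered text).
    & wevtutil.exe epl $Log (Join-Path $Dest "$Log.evtx")

    # 2. Rendered export while the message DLLs are still present on this host.
    #    Message is $null for records whose DLL is already missing; keep those rows,
    #    the Id/ProviderName columns still identify them.
    Get-WinEvent -LogName $Log -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{n='Message'; e={ "$($_.Message)" -replace '\r?\n', ' ' }} |
        Export-Csv -Path (Join-Path $Dest "$Log.csv") -NoTypeInformation -Encoding UTF8
}

# 3. Record the host clock and time zone so timestamps can be normalised later.
"Collected: $(Get-Date -Format o)`nTimeZone: $([TimeZoneInfo]::Local.Id)" |
    Out-File (Join-Path $Dest 'collection-time.txt')

# 4. Hash the collected files so rendered copies can be tied back to the raw logs.
Get-ChildItem -Path $Dest -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv (Join-Path $Dest 'hashes.csv') -NoTypeInformation
```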
  10. Windows Event Logs
     • Configuring the analyst workstation for reviewing event logs:
       – Identify the missing message DLLs.
         • Specified by the registry key for the component with the incomplete event record.
       – Copy the message DLLs to the analyst workstation.
       – Add registry keys for the component to specify the location of the message DLLs.

  11. Windows Event Logs
     • Identify missing message DLLs.
       – Review the SYSTEM registry hive file of the system from which the event log file was taken.

  12. Windows Event Logs
     • Extract the message DLL(s) from the source system and copy them to the analyst's workstation.
       – New location, or recreate the original path.

  13. Windows Event Logs
     • Recreate the registry services\eventlog key(s) and values on the analyst's workstation so that they point to the copied message DLL(s). Include all original values.
       HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Communicator
     • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
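The three steps above (identify, copy, recreate) as one added PowerShell example; this is not the presenter's code. It assumes the evidence image is mounted at E:\Evidence, that the missing source is the Application log's Communicator key from the slide, and that the analyst workstation is itself Windows 7 or later.

```powershell
# Added example, not from the presentation: resolve a missing message DLL for the
# 'Communicator' source of the Application log. The evidence image is assumed to be
# mounted at E:\Evidence (its SYSTEM hive is then E:\Evidence\Windows\System32\config\SYSTEM).
$Image  = 'E:\Evidence'
$Source = 'Communicator'

# Step 1: load the suspect SYSTEM hive and read the source's key. An offline hive
# has no CurrentControlSet link, so ControlSet001 is used (confirm via Select\Current).
& reg.exe load HKLM\SuspectSYSTEM "$Image\Windows\System32\config\SYSTEM" | Out-Null
$KeyItem = Get-Item "HKLM:\SuspectSYSTEM\ControlSet001\services\eventlog\Application\$Source"

$Values = @{}
foreach ($Name in $KeyItem.GetValueNames()) {
    # DoNotExpandEnvironmentNames keeps %SystemRoot% literal in REG_EXPAND_SZ values.
    $Values[$Name] = @{
        Kind = $KeyItem.GetValueKind($Name).ToString()
        Data = $KeyItem.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    }
}
$KeyItem.Close()                                   # the hive cannot unload while open
& reg.exe unload HKLM\SuspectSYSTEM | Out-Null

# Step 2: copy each referenced DLL from the image to the same path on this
# workstation, so the unexpanded registry values still resolve here.
foreach ($Name in 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile') {
    if (-not $Values.ContainsKey($Name)) { continue }
    foreach ($Dll in ($Values[$Name].Data -split ';')) {        # a value may list several DLLs
        $Local     = [Environment]::ExpandEnvironmentVariables($Dll)
        $FromImage = Join-Path $Image ($Local -replace '^[A-Za-z]:\\', '')
        New-Item -ItemType Directory -Path (Split-Path $Local) -Force | Out-Null
        Copy-Item -LiteralPath $FromImage -Destination $Local -Force
    }
}

# Step 3: recreate the key with every original value and its original value type.
$Key = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Application\$Source"
New-Item -Path $Key -Force | Out-Null
foreach ($Name in $Values.Keys) {
    New-ItemProperty -Path $Key -Name $Name -Value $Values[$Name].Data `
        -PropertyType $Values[$Name].Kind -Force | Out-Null
}
# Event Viewer (or Get-WinEvent -Path <file>.evtx) now renders the source's messages.
```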
  14. Windows Event Logs
     • Event logs in forensic examinations:
       – Rarely a primary source of information.
         • Noisy.
         • Significant events often only stand out when there are dates, times, or other items to bring focus to an event.
       – Security events are often not significant.
         • Dependent on the security audit settings.
       – Often evidence of compromise is found in the System and Application event logs or one of the new, narrowly focused logs.
         • System or application crashes.
         • Errors, warnings, information.

  15. Windows Event Logs
     Working with the Windows 7 Event Viewer
  16–18. Windows Event Logs (no slide text beyond the title)
  19. Windows Event Logs
     Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.

  20. Windows Event Logs
     • Start by selecting the event source, as this will populate the other choices.

  21. Windows Event Logs
     • Next, focus on Task categories – here, selecting logon and logoff.

  22. Windows Event Logs
     • Finally, Keywords – here, selecting Audit Failure and Audit Success.

  23. Windows Event Logs
     The filtered view.

  24. Windows Event Logs
     And now, the event logs.
  25. Windows Event Logs
     • System events.
       – Logged by Windows and Windows system services, and classified as error, warning, or information.
       – Typical interesting events:
         • Time change.
         • Startup and shutdown.
         • Service startup, shutdown, failures.
         • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events.
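Added example (not from the presentation): the System events the slide calls interesting (time changes, startup/shutdown, service start/stop/failure) pulled from a collected System.evtx into one time-ordered table. The .evtx path is an assumption; the provider names and event IDs are the standard Windows 7 ones, grouped by provider so the same number from an unrelated provider is not matched.

```powershell
# Added example, not from the presentation: time-ordered view of the System events
# the slide lists, read from a collected System.evtx (path is an assumption).
$Evtx = 'E:\Evidence\System.evtx'

# Standard Windows 7 providers/IDs. 7036 fires on every service state change and is
# noisy over a wide window; keep it once other facts narrow the time frame.
$Interesting = @(
    @{ Provider = 'Microsoft-Windows-Kernel-General'; Id = 1, 12, 13 }       # time changed, OS start, OS shutdown
    @{ Provider = 'EventLog';                         Id = 6005, 6006, 6008 } # log service start/stop, unexpected shutdown
    @{ Provider = 'Service Control Manager';          Id = 7034, 7036, 7045 } # service crashed, state change, service installed
)

function Get-SystemTimeline([string]$Path, $Rules) {
    foreach ($Rule in $Rules) {
        Get-WinEvent -FilterHashtable @{ Path = $Path; ProviderName = $Rule.Provider; Id = $Rule.Id } `
                     -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
                # Message is $null when the message DLL is missing (slide 8); "$()" avoids an error.
                @{n='Summary'; e={ ("$($_.Message)" -split '\r?\n')[0] }}
    }
}

$Timeline = Get-SystemTimeline $Evtx $Interesting | Sort-Object TimeCreated

# A 6008 is written at the *next* boot and its message carries the estimated time of
# the unexpected shutdown, which is the slide's point about crashes hiding shutdowns:
# place both the record time and the estimated time on the timeline.
$Timeline | Format-Table -AutoSize
$Timeline | Export-Csv 'E:\Evidence\System-timeline.csv' -NoTypeInformation
```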
  26–28. Windows Event Logs (no slide text beyond the title)
  29. Windows Event Logs
     • Application events.
       – Program events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.
       – Typical interesting events would be those relating to programs that could be relevant to an investigation.
         • Application errors.
           – E.g., BackupExec agent attack.
         • Antivirus or malware detection events.
         • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long-standing system problems.
       – Note: application logging is controlled by the applications, so events are defined by the application developers.
       – Not all applications generate events.
  30–31. Windows Event Logs (no slide text beyond the title)
  32. Windows Event Logs
     • Security events.
       – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.
       – Depend on audit policy.
       – Noisy.
       – Completely different Security event IDs from all versions before Vista.
       – General tip: translate pre-Vista event ID numbers to the new Vista event ID numbers by adding 4096.
       – There are a number of new security events.
       – Typical events of interest:
         • Account logon and logoff.
         • Failed logon attempts.
         • Account escalation.
         • Process execution.
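Added example (not from the presentation) that serves both the Event Viewer filter from slides 20–22 (Security log, logon/logoff, Audit Success and Audit Failure) and this slide's "+4096" tip: it derives the Vista IDs from a pre-Vista list and runs the equivalent filter with Get-WinEvent over a collected Security.evtx. The .evtx path and the helper names are assumptions.

```powershell
# Added example, not from the presentation: the slide 20-22 filter expressed with
# Get-WinEvent against a collected Security.evtx (path is an assumption), with the
# "+4096" rule of thumb applied to a pre-Vista ID list.
$Evtx = 'E:\Evidence\Security.evtx'

# Legacy IDs: 528 logon, 529 failed logon, 538 logoff, 592 process creation,
# 624 user account created. Adding 4096 gives 4624, 4625, 4634, 4688, 4720.
# The rule is a heuristic, so check unfamiliar results against the new IDs' descriptions.
function ConvertTo-VistaEventId([int[]] $LegacyId) { foreach ($i in $LegacyId) { $i + 4096 } }
$Ids = ConvertTo-VistaEventId 528, 529, 538, 592, 624

# Keyword bits behind the "Audit Success" and "Audit Failure" check boxes.
$AuditSuccess = [long]0x20000000000000
$AuditFailure = [long]0x10000000000000

# Pull one named <Data> field out of the event's XML. This works for any event ID,
# unlike indexing $_.Properties, whose positions differ between 4624, 4625 and 4688.
function Get-EventField($Event, [string]$Name) {
    $Xml = [xml]$Event.ToXml()
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Filter = @{
    Path     = $Evtx
    Id       = $Ids
    Keywords = $AuditSuccess -bor $AuditFailure
    # Add StartTime / EndTime here once other evidence fixes the window of interest.
}
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{n='Outcome';   e={ $_.KeywordsDisplayNames -join ',' }},
        @{n='Account';   e={ Get-EventField $_ 'TargetUserName' }},
        @{n='LogonType'; e={ Get-EventField $_ 'LogonType' }},
        @{n='Source';    e={ Get-EventField $_ 'IpAddress' }},
        @{n='Process';   e={ Get-EventField $_ 'NewProcessName' }} |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```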
  33. Windows Event Logs
     9 audit categories.

  34. Windows Event Logs
     Clicking on an audit category can provide you with an explanation of what the category audits.
  35–37. Windows Event Logs (no slide text beyond the title)
  38. Windows Event Logs
     Further information:

  39. Windows Event Logs
     All those other logs.
  40–47. Windows Event Logs (no slide text beyond the title)
  48. Windows Event Logs
     • Emphasis: usually on Security events, but other event logs may have more to offer.
     • Event logs are not typically the primary evidence.
       – Often too noisy.
     • Best used when other facts fix times, or implicate specific accounts or computers.
     • Often most useful in a timeline with other items of significance.

  49. Windows Event Logs (no slide text beyond the title)