Recovering Information from Deleted Security Event Logs
Troy Larson
Senior Forensic Investigator
Microsoft Corporation
Introduction
• How to find and recover useful information from deleted security event logs (fragments):
  • Considering initial search strings.
  • Identifying and reading event log internals.
  • Making refined and targeted search terms.
Windows Event Log Basics
• What the Event Viewer displays as an event log is actually a construct of:
  • An event log file (*.evt).
  • The registry, which names each log file and the event sources that write to it:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog
  • "Message files": the DLLs (named per source under that key) that hold the message templates the Event Viewer fills in with the strings stored in each record.
*.evt + Registry + Message = Log
Security Event Log - Event Viewer
SecEvent.evt
Security Event Log Recovery
• Much of the important event information in the Security event log is contained within the SecEvent.evt file itself:
  • Event ID
  • User
  • Computer
• The Security event log relies less on message files than the System and Application event logs, so a record carved from unallocated space still yields its event ID, user and computer even without the message DLL that supplies the descriptive text.
Finding SecEvent.evt fragments
• Search for text strings:
  • Computer name: "REX"
  • Event log name: "Security"
  • "LfLe", i.e. the bytes 4C 66 4C 65: the signature present in every event record (the second DWORD of the record header, so the record begins four bytes before it).
  • Other terms: "MSGina," "AUTHENTICATION," etc.
• Note: terms are in Unicode (UTF-16LE, a zero byte after each ASCII character), except "LfLe", which is plain ASCII.
Reading SecEvent.evt fragments
• Microsoft documentation:
  • MSDN online library: "EVENTLOGRECORD"
Reading SecEvent.evt fragments

EVENTLOGRECORD fixed header (56 bytes, all fields little-endian):

  Offset  Type   Field                 Size
  0       DWORD  Length                4 bytes
  4       DWORD  Reserved              4 bytes  (always 0x654C664C = "LfLe")
  8       DWORD  Record Number         4 bytes
  12      DWORD  Time Generated        4 bytes
  16      DWORD  Time Written          4 bytes
  20      DWORD  Event ID              4 bytes
  24      WORD   Event Type            2 bytes
  26      WORD   NumStrings            2 bytes
  28      WORD   Event Category        2 bytes
  30      WORD   Reserved Flags        2 bytes
  32      DWORD  Closing Record Num.   4 bytes
  36      DWORD  String Offset         4 bytes
  40      DWORD  User Sid Length       4 bytes
  44      DWORD  User Sid Offset       4 bytes
  48      DWORD  Data Length           4 bytes
  52      DWORD  Data Offset           4 bytes

String Offset, User Sid Offset and Data Offset are relative to the start of the record (its Length field). The source name and computer name follow the header as NUL-terminated Unicode strings, and the record ends with a second copy of Length.

http://msdn.microsoft.com/library/en-us/debug/base/eventlogrecord_str.asp
Reading SecEvent.evt fragments
Length = 4 bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

Bytes B0 00 00 00 (little-endian) = 0x000000B0 = 176
Length = 176 bytes
Reading SecEvent.evt fragments
Next 4 bytes: Reserved

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

Bytes 4C 66 4C 65 = ASCII "LfLe" (0x654C664C little-endian)
Although MSDN labels this DWORD "Reserved", it holds the same value in every record, which is what makes "LfLe" a reliable carving signature.
Reading SecEvent.evt fragments
Record Number = 4 bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

Bytes FA F5 05 00 (little-endian) = 0x0005F5FA = 390650
Record Number = 390650
Record numbers are assigned sequentially, so the numbers of carved records show how far apart they were in the original log and where records are still missing.
Reading SecEvent.evt fragments
Time Generated = 4 bytes, Time Written = 4 bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
29497056 | AA 54 1D 42

Bytes AA 54 1D 42 (little-endian) = 0x421D54AA = 1109218474 seconds since 1970-01-01 00:00:00 UTC = 2/24/2005 04:14:34 UTC
Both fields are 32-bit Unix time values in UTC; here Time Generated and Time Written are identical. Convert to local time with the time zone of the system the log came from, not that of the analysis machine.
Reading SecEvent.evt fragments
Event ID = 4 bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
29497056 | AA 54 1D 42 11 02 00 00

Bytes 11 02 00 00 (little-endian) = 0x00000211 = 529
Event ID = 529: Logon Failure, Unknown User Name or Bad Password
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
Reading SecEvent.evt fragments
String Offset = 4 bytes

29497072 | 00 00 00 00 5E 00 00 00 0C 00 00 00 52 00 00 00

This line starts 32 bytes into the record, so its four DWORDs are Closing Record Number, String Offset, User Sid Length and User Sid Offset.
Bytes 5E 00 00 00 (little-endian) = 0x0000005E = 94
String Offset = 94 bytes from the start of the record
Bytes 0C 00 00 00 = 12 (User Sid Length) and 52 00 00 00 = 82 (User Sid Offset): the 12-byte SID ends at byte 94, exactly where the strings begin.
Reading SecEvent.evt fragments
Refining and targeting search terms

Once one fragment has been read, use the values found in it to build narrower searches for related records:
• User names in Unicode (UTF-16LE)
• Domain names in Unicode
• IP addresses in Unicode (stored as text strings, so "10.0.0.5" with a zero byte after each character)
• Event IDs in hex (little-endian DWORD, e.g. 529 = 11 02 00 00)
• Time stamps in hex (little-endian 32-bit Unix time, e.g. AA 54 1D 42; the two high-order bytes alone, 1D 42, match a window of about 18 hours)
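The procedure the deck walks through (search for "LfLe" and Unicode terms, decode the EVENTLOGRECORD header field by field, then derive narrower search terms) as one runnable Python example. This is an added example, not code from the presentation or from Microsoft. The record it parses is constructed here: the header values reproduce those shown on the slides (Length 176, record 390650, time 0x421D54AA, event 529, a 12-byte SID at offset 82, strings at offset 94), but the SID (S-1-5-18), the six strings and the surrounding "unallocated space" are invented, and the 1 MiB upper bound on Length is a plausibility heuristic of mine, not a documented limit.

```python
import struct
from datetime import datetime, timezone

# EVENTLOGRECORD fixed header: 16 little-endian fields, 56 bytes (MSDN "EVENTLOGRECORD").
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
FIELDS = ("length", "reserved", "record_number", "time_generated", "time_written", "event_id",
          "event_type", "num_strings", "event_category", "reserved_flags", "closing_record_number",
          "string_offset", "user_sid_length", "user_sid_offset", "data_length", "data_offset")
ELF_LOG_SIGNATURE = 0x654C664C   # the "Reserved" DWORD of every record; bytes 4C 66 4C 65 = "LfLe"
SIGNATURE = b"LfLe"

def search_terms(computer=None, user=None, event_id=None, timestamp=None):
    """Byte patterns for a hex search: text as UTF-16LE, numbers as little-endian DWORDs."""
    terms = {"signature": SIGNATURE}
    for name, text in (("computer", computer), ("user", user)):
        if text:
            terms[name] = text.encode("utf-16-le")
    for name, value in (("event_id", event_id), ("timestamp", timestamp)):
        if value is not None:
            terms[name] = struct.pack("<I", value)
    return terms

def read_wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset just past the terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2

def decode_sid(raw):
    """Binary SID -> 'S-1-5-...'; None if the bytes do not form a well-formed SID."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        return None
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d%s" % (raw[0], authority, "".join("-%d" % s for s in subs))

def parse_record(buf, off):
    """Parse the EVENTLOGRECORD at buf[off]; None if the header is missing or implausible."""
    if off < 0 or off + HEADER.size > len(buf):
        return None
    rec = dict(zip(FIELDS, HEADER.unpack_from(buf, off)))
    length = rec["length"]
    if rec["reserved"] != ELF_LOG_SIGNATURE or not HEADER.size + 4 <= length <= 1 << 20:
        return None                                  # the upper bound is a plausibility heuristic
    end = off + length
    rec["truncated"] = end > len(buf)                # a fragment whose tail is gone
    # An intact record repeats its Length as its final DWORD.
    rec["tail_intact"] = not rec["truncated"] and struct.unpack_from("<I", buf, end - 4)[0] == length
    for k in ("time_generated", "time_written"):     # 32-bit Unix time, UTC
        rec[k + "_utc"] = datetime.fromtimestamp(rec[k], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    rec["source"], p = read_wstr(buf, off + HEADER.size)   # SourceName, then Computername
    rec["computer"], _ = read_wstr(buf, p)
    s, n = off + rec["user_sid_offset"], rec["user_sid_length"]
    rec["user_sid"] = decode_sid(buf[s:s + n]) if n and s + n <= len(buf) else None
    strings, p = [], off + rec["string_offset"]
    for _ in range(rec["num_strings"]):              # read what survives; stop at the buffer end
        if p >= len(buf):
            break
        text, p = read_wstr(buf, p)
        strings.append(text)
    rec["strings"] = strings
    return rec

def carve(buf):
    """Every plausible record found by locating "LfLe" and parsing from 4 bytes before it."""
    found, pos = [], buf.find(SIGNATURE)
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec:
            found.append(rec)
        pos = buf.find(SIGNATURE, pos + 1)
    return found

def build_record(record_number, when, event_id, event_type, category, source, computer, sid, strings):
    """Assemble a record; used only to construct the sample below, never on real evidence."""
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    sid_off = HEADER.size + len(body)
    body += sid
    str_off = HEADER.size + len(body)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = HEADER.size + len(body)
    body += b"\x00" * (-len(body) % 4)               # pad to a DWORD boundary before the trailing Length
    length = HEADER.size + len(body) + 4
    hdr = HEADER.pack(length, ELF_LOG_SIGNATURE, record_number, when, when, event_id, event_type,
                      len(strings), category, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return hdr + body + struct.pack("<I", length)

# Constructed sample. Header values reproduce the slides (Length 176, record 390650, time 0x421D54AA,
# event 529, SID length 12 at offset 82, strings at 94); the SID (S-1-5-18) and strings are invented.
SID_SYSTEM = bytes([1, 1, 0, 0, 0, 0, 0, 5]) + struct.pack("<I", 18)
STRINGS = ["administrator", "REX", "3", "NtLmSsp", "NTLM", "WS01"]
SAMPLE_RECORD = build_record(390650, 0x421D54AA, 529, 0x0010, 2, "Security", "REX", SID_SYSTEM, STRINGS)
# Fake "unallocated space": junk, one whole record, junk, then a record cut off after 70 bytes.
UNALLOCATED = b"\x00" * 37 + SAMPLE_RECORD + b"\xff" * 11 + SAMPLE_RECORD[:70] + b"\x00" * 20

if __name__ == "__main__":
    for r in carve(UNALLOCATED):
        print(r["record_number"], r["event_id"], r["time_generated_utc"], r["computer"],
              r["user_sid"], r["strings"], "truncated" if r["truncated"] else "intact")
```

On a real case, feed `carve` a chunk of unallocated space exported from the image (for instance `carve(open("unalloc.bin", "rb").read())`, where the file name is hypothetical) and treat `truncated` records as the fragments the deck describes: their header fields are still trustworthy, but the strings may be cut short or belong to whatever overwrote the tail. The byte patterns from `search_terms` are what you paste into the hex-search of your forensic tool once the first fragment has given you a user name, computer name, event ID or time stamp to pivot on. To convert the timestamps to the source system's local time, use `datetime.fromtimestamp(rec["time_generated"], zoneinfo.ZoneInfo("<zone of the imaged system>"))` rather than the analysis machine's default zone.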
Recovering Information from Deleted Security Event Logs

Questions?
Troy Larson
troyla@microsoft.com

Recovering Information From Deleted Security Event Logs Ctin
