Recovering Information From Deleted Security Event Logs Ctin

9,620 views
Published in: Business, Technology

Slide transcript
1. Recovering Information from Deleted Security Event Logs
   Troy Larson, Senior Forensic Investigator, Microsoft Corporation
2. Introduction
   - How to find and recover useful information from deleted security event logs (fragments).
   - Considering initial search strings.
   - Identifying and reading event log internals.
   - Making refined and targeted search terms.
3. Windows Event Log Basics
   - What the Event Viewer displays as an event log is actually a construct of:
     - An event log file (*.evt).
     - The registry.
     - "Message files."
   - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog
4. *.evt + Registry + Message = Log
5. Security Event Log - Event Viewer
6. SecEvent.evt
7. Security Event Log Recovery
   - Much of the important event information in the Security event log is contained within the SecEvent.evt file itself:
     - Event ID
     - User
     - Computer
   - The Security Event Log relies less on message files than the System and Application event logs.
8. Finding SecEvent.evt fragments
9. Finding SecEvent.evt fragments
   - Search for text strings.
     - Computer name: "REX"
     - Event log name: "Security"
     - "LfLe" or 0x4C 66 4C 65 (Record Header?)
     - Other terms: "MSGina," "AUTHENTICATION," etc.
   - Note: terms are in Unicode (except LfLe).
10. Reading SecEvent.evt fragments
   - Microsoft documentation: MSDN online library, "EVENTLOGRECORD"
11. Reading SecEvent.evt fragments: EVENTLOGRECORD layout
   DWORD   Length                4 bytes
   DWORD   Reserved              4 bytes
   DWORD   Record Number         4 bytes
   DWORD   Time Generated        4 bytes
   DWORD   Time Written          4 bytes
   DWORD   Event ID              4 bytes
   WORD    Event Type            2 bytes
   WORD    NumStrings            2 bytes
   WORD    Event Category        2 bytes
   WORD    Reserved Flags        2 bytes
   DWORD   Closing Record Num.   4 bytes
   DWORD   String Offset         4 bytes
   DWORD   User Sid Length       4 bytes
   DWORD   User Sid Offset       4 bytes
   DWORD   Data Length           4 bytes
   DWORD   Data Offset           4 bytes
   http://msdn.microsoft.com/library/en-us/debug/base/eventlogrecord_str.asp
12. Reading SecEvent.evt fragments: Length = 4 bytes
13. Reading SecEvent.evt fragments: Length = 4 bytes
   29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
   0xB0 00 00 00 = 176, so Length = 176 bytes
14. Reading SecEvent.evt fragments: Length = 176 bytes
15. Reading SecEvent.evt fragments: next 4 bytes Reserved
   29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
   0x4C 66 4C 65 = LfLe
16. Reading SecEvent.evt fragments: next 4 bytes Reserved
17. Reading SecEvent.evt fragments: Record Number = 4 bytes
18. Reading SecEvent.evt fragments: Record Number = 4 bytes
   29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
   0xFA F5 05 00 = 390650, so Record Number = 390650
19. Reading SecEvent.evt fragments: Record Numbers
20. Reading SecEvent.evt fragments: Time Generated = 4 bytes, Time Written = 4 bytes
21. Reading SecEvent.evt fragments
   - Time Generated = 4 bytes
   - Time Written = 4 bytes
   29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
   29497056 | AA 54 1D 42
   0xAA 54 1D 42 = 2/24/2005 04:14:34 UTC
   Must convert time values to local time.
22. Reading SecEvent.evt fragments: Time Generated = 4 bytes, Time Written = 4 bytes
23. Reading SecEvent.evt fragments: Event ID = 4 bytes
24. Reading SecEvent.evt fragments: Event ID = 4 bytes
   29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
   29497056 | AA 54 1D 42 11 02 00 00
   0x11 02 00 00 = 529, so Event ID = 529
   Event ID 529: Unknown User Name Or Bad Password
   http://support.microsoft.com/default.aspx?scid=kb;en-us;174074
25. Reading SecEvent.evt fragments: String Offset = 4 bytes
26. Reading SecEvent.evt fragments: String Offset = 4 bytes
   29497072 | 00 00 00 00 5E 00 00 00 0C 00 00 00 52 00 00 00
   0x5E 00 00 00 = 94, so String Offset = 94
27. Reading SecEvent.evt fragments: String Offset = 94 bytes
28. Reading SecEvent.evt fragments: Refining and targeting search terms
29. Reading SecEvent.evt fragments: Refining and targeting search terms
30. Reading SecEvent.evt fragments: Refining and targeting search terms.
   - User names in Unicode
   - Domain names in Unicode
   - IP addresses in Unicode
   - Event IDs in hex
   - Time stamps in hex
31. Recovering Information from Deleted Security Event Logs
   Questions?
   Troy Larson, troyla@microsoft.com
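The deck walks through the EVENTLOGRECORD header by hand (slides 11 through 27) and then lists the refined search terms an examiner would build (slides 9 and 30). The script below is an added example, not code from the presentation or from Microsoft: it packs the 56-byte header with Python's struct module, carves records out of a constructed blob of "unallocated space" by locating the LfLe signature, decodes the timestamps, SID and UTF-16LE strings, and generates the hex and Unicode search terms of slide 30. The header values (length 176, record 390650, time 0x421D54AA, event ID 529, SID at offset 82, strings at offset 94) are the slides' own; the SID S-1-5-18 and the six insertion strings are assumptions chosen so that the constructed record lines up with those offsets, and the second, truncated record shows how a fragment that lost its tail is reported.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte part of EVENTLOGRECORD as documented on MSDN, all fields little-endian.
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
FIELDS = ("length", "reserved", "record_number", "time_generated", "time_written",
          "event_id", "event_type", "num_strings", "event_category", "reserved_flags",
          "closing_record_number", "string_offset", "user_sid_length", "user_sid_offset",
          "data_length", "data_offset")
MAGIC = b"LfLe"            # the Reserved DWORD every record carries (slide 9 search term)
MAGIC_DWORD = 0x654C664C   # the same four bytes read as a little-endian DWORD


def utf16z(text):
    """NUL-terminated UTF-16LE, the encoding of every text field inside an .evt record."""
    return (text + "\0").encode("utf-16-le")


def sid_to_str(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian authority, sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_record(record_number, time_generated, time_written, event_id, event_type,
                 category, source, computer, sid, strings):
    """Assemble one complete record: header, source and computer names, SID, strings, trailing length."""
    body = utf16z(source) + utf16z(computer)
    sid_offset = HEADER.size + len(body)
    body += sid
    string_offset = HEADER.size + len(body)
    body += b"".join(utf16z(s) for s in strings)
    data_offset = HEADER.size + len(body)          # no binary data block in this record
    while (HEADER.size + len(body) + 4) % 4:       # records are padded to a DWORD boundary
        body += b"\0"
    length = HEADER.size + len(body) + 4           # the length DWORD is repeated at the end
    header = HEADER.pack(length, MAGIC_DWORD, record_number, time_generated, time_written,
                         event_id, event_type, len(strings), category, 0, 0,
                         string_offset, len(sid), sid_offset, 0, data_offset)
    return header + body + struct.pack("<I", length)


def parse_record(buf, start):
    """Parse the record whose header starts at buf[start]; None if there is no plausible header."""
    if start < 0 or start + HEADER.size > len(buf):
        return None
    rec = dict(zip(FIELDS, HEADER.unpack_from(buf, start)))
    if rec["reserved"] != MAGIC_DWORD or rec["length"] < HEADER.size + 4:
        return None
    end = start + rec["length"]
    # A fragment is complete only when the closing length DWORD is present and agrees with the header.
    rec["complete"] = end <= len(buf) and struct.unpack_from("<I", buf, end - 4)[0] == rec["length"]
    for key in ("time_generated", "time_written"):   # 32-bit Unix epoch seconds, reported in UTC
        rec[key + "_utc"] = datetime.fromtimestamp(rec[key], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    # Source and computer names sit between the header and the SID as NUL-terminated UTF-16LE.
    names = buf[start + HEADER.size:start + rec["user_sid_offset"]].decode("utf-16-le", "replace")
    rec["source"], rec["computer"] = (names.split("\0") + ["", ""])[:2]
    rec["user_sid"], rec["strings"] = None, []
    sid_end = start + rec["user_sid_offset"] + rec["user_sid_length"]
    if rec["user_sid_length"] and sid_end <= len(buf):
        rec["user_sid"] = sid_to_str(buf[sid_end - rec["user_sid_length"]:sid_end])
    if start + rec["data_offset"] <= len(buf):      # strings survive only if the fragment reaches them
        text = buf[start + rec["string_offset"]:start + rec["data_offset"]].decode("utf-16-le", "replace")
        rec["strings"] = text.split("\0")[:rec["num_strings"]]
    return rec


def carve_records(blob):
    """Find every LfLe signature in unallocated data and parse the record whose header surrounds it."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        rec = parse_record(blob, pos - 4)      # the signature is the second DWORD of the header
        if rec:
            found.append(rec)
        pos = blob.find(MAGIC, pos + 4)
    return found


def search_terms(user=None, event_id=None, time_utc=None):
    """Refined search terms (slide 30): text as UTF-16LE, event ID and timestamp as little-endian DWORDs."""
    terms = {}
    if user is not None:
        terms["user"] = user.encode("utf-16-le")
    if event_id is not None:
        terms["event_id"] = struct.pack("<I", event_id)
    if time_utc is not None:
        when = datetime.strptime(time_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        terms["time"] = struct.pack("<I", int(when.timestamp()))
    return terms


# Constructed sample: the slides' values (record 390650, time 0x421D54AA, event 529, SID at 82,
# strings at 94); the SID S-1-5-18, event type 16 (audit failure), category 2 (Logon/Logoff)
# and the six strings are our own choices, not taken from the slides.
SYSTEM_SID = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])
STRINGS = ["baduser01", "REX", "2", "User32 ", "Negotiate", "PC1"]
RECORD = build_record(390650, 0x421D54AA, 0x421D54AA, 529, 16, 2, "Security", "REX", SYSTEM_SID, STRINGS)
# Constructed "unallocated space": junk, one whole record, junk, then a record cut off 70 bytes in.
BLOB = (b"\xff" * 37 + RECORD + b"\x00" * 9 +
        build_record(390651, 0x421D54AA + 60, 0x421D54AA + 60, 529, 16, 2,
                     "Security", "REX", SYSTEM_SID, STRINGS)[:70])

if __name__ == "__main__":
    for rec in carve_records(BLOB):
        print(rec["record_number"], rec["event_id"], rec["time_generated_utc"], rec["computer"],
              rec["user_sid"], rec["strings"], "complete" if rec["complete"] else "fragment")
    print({k: v.hex() for k, v in search_terms("baduser01", 529, "2005-02-24 04:14:34").items()})
```

The constructed record's first 24 bytes come out as B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42 AA 54 1D 42 11 02 00 00, the same dump shown on slides 13 through 24, and bytes 32 to 47 match slide 26. The truncated second record is still reported with its record number, event ID and timestamp, but with no SID or strings and `complete` set to False, which is the state most carved fragments are in; anything a fragment does yield should be checked against the closing length DWORD before it is relied on.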