Recovering Information From Deleted Security Event Logs Ctin
1. Recovering Information from Deleted Security Event Logs
Troy Larson
Senior Forensic Investigator
Microsoft Corporation
2. Introduction
• How to find and recover useful information from deleted security event logs (fragments).
• Considering initial search strings.
• Identifying and reading event log internals.
• Making refined and targeted search terms.
3. Windows Event Log Basics
• What the Event Viewer displays as an event log is actually a construct of:
  • An event log file (*.evt).
  • The registry.
  • "Message files."
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog
7. Security Event Log Recovery
• Much of the important event information in the Security event log is contained within the SecEvent.evt file itself:
  • Event ID
  • User
  • Computer
• The Security Event Log relies less on message files than the System and Application Event logs.
21. Reading SecEvent.evt fragments
• Time Generated = 4 bytes
• Time Written = 4 bytes
29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
29497056 | AA 54 1D 42
0x AA 54 1D 42 (a little-endian 32-bit Unix time) = 2/24/2005 04:14:34 UTC
Time values are stored in UTC and must be converted to local time.
30. Reading SecEvent.evt fragments
Refining and targeting search terms:
• User names in Unicode
• Domain names in Unicode
• IP addresses in Unicode
• Event IDs in hex
• Time stamps in hex
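The record header read on slide 21 and the search terms on slide 30, carried through as an added example (not from the original deck): it carves EVENTLOGRECORD headers out of a raw fragment by their "LfLe" signature, decodes the two 4-byte Unix timestamps to UTC, and builds the little-endian hex and UTF-16LE byte patterns a targeted search would use. The fragment is constructed; its first 20 bytes are the ones shown on the slide, padded out to the 0xB0 record length that dump states, and the Event ID 528 and computer name are assumed sample values.

```python
"""Carve EVENTLOGRECORD headers out of a raw SecEvent.evt fragment (NT/2000/XP .evt format)."""
import struct
from datetime import datetime, timezone

# Fixed 56-byte header: Length, "LfLe", RecordNumber, TimeGenerated, TimeWritten, EventID,
# EventType, NumStrings, Category, ReservedFlags, ClosingRecordNumber, StringOffset,
# UserSidLength, UserSidOffset, DataLength, DataOffset (all little-endian).
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
MAGIC = b"LfLe"

def read_utf16(buf: bytes, off: int):
    """Read a NUL-terminated UTF-16LE string at off; return (text, offset past the terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2

def carve_records(fragment: bytes):
    """Yield one dict per LfLe signature whose 56-byte header fits inside the fragment."""
    pos = fragment.find(MAGIC)
    while pos != -1:
        start = pos - 4                      # the Length DWORD sits just before "LfLe"
        if start >= 0 and start + HEADER.size <= len(fragment):
            f = HEADER.unpack_from(fragment, start)
            src, nxt = read_utf16(fragment, start + HEADER.size)   # Source name follows the header
            comp, _ = read_utf16(fragment, nxt)                     # then the Computer name
            yield {"offset": start, "length": f[0], "record": f[2],
                   "time_generated": datetime.fromtimestamp(f[3], timezone.utc),
                   "time_written": datetime.fromtimestamp(f[4], timezone.utc),
                   "event_id": f[5] & 0xFFFF, "source": src, "computer": comp}
        pos = fragment.find(MAGIC, pos + 1)

def search_terms(event_id: int, user: str) -> dict:
    """Raw byte patterns for a hex/Unicode search: Event ID as LE DWORD, user name as UTF-16LE."""
    return {"event_id": struct.pack("<I", event_id), "user": user.encode("utf-16-le")}

def build_sample() -> bytes:
    """Constructed fragment: the slide's 20 header bytes, then a record padded to 0xB0 bytes."""
    body = "Security".encode("utf-16-le") + b"\x00\x00" + "WKS01".encode("utf-16-le") + b"\x00\x00"
    length = 0xB0
    hdr = HEADER.pack(length, 0x654C664C, 0x0005F5FA, 0x421D54AA, 0x421D54AA,
                      528, 8, 0, 2, 0, 0, 0, 0, 0, 0, 0)   # 528 = successful logon, type 8 = AUDIT_SUCCESS
    pad = b"\x00" * (length - HEADER.size - len(body) - 4)
    return b"\xff" * 7 + hdr + body + pad + struct.pack("<I", length)   # 7 bytes of slack in front

if __name__ == "__main__":
    for rec in carve_records(build_sample()):
        print(rec)
```

Scanning for the signature rather than walking from the file header is what makes this usable on carved fragments, where the .evt header and the record chain are gone.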