2. OVERVIEW
• Important in timeline reconstruction
• Event logs and application logs chronicle what happened when
• Not always in human readable format
• IOC if missing or inconsistent
3. WINDOWS EVENT LOGS
• Older versions in binary format
• Proper name is just ‘Event Log’
• See evtparse.pl and evtrpt.pl from Carvey
• Categorized by type
  • System
  • Security
  • Application
4. WINDOWS EVENT LOGS (CONT.)
• Stored in %systemroot%\system32\config
• 5 types or levels
  • Error
  • Warning
  • Information
  • Success Audit
  • Failure Audit
5. WINDOWS EVENT LOGS (CONT.)
• Starting with Vista/Server 2008, logs are written in XML (EVTX format)
• Additional properties added (e.g. Process ID, Thread ID, Processor ID, Session ID)
• New Channels for Setup and ForwardedEvents
• New Event Viewer for filtering & exporting
6. WINDOWS EVENT LOGS (CONT.)
• Logs can be purged, rolled over, or deleted
• In the worst case, recovery involves searching unallocated space
• Old-style Windows binary entries are preceded by the ‘LfLe’ magic number
• Use Microsoft’s LogParser to query
• Use wevtutil to convert old to new
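As an added example, not part of the original slides, a small Python carver for the pre-Vista binary format: it scans an arbitrary byte blob (a .evt file or unallocated space) for the ‘LfLe’ magic, validates each hit using the EVENTLOGRECORD layout from the Win32 SDK (the Length DWORD precedes the magic and is repeated at the end of the record), and maps the EventType word onto the five levels from slide 4. The sample records and the blob they sit in are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"               # 'LfLe' signature (0x654C664C little-endian) at offset 4 of each record
HEADER = "<IIIIIIHHHHIIIIII"  # EVENTLOGRECORD fixed header, 56 bytes
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Success Audit", 16: "Failure Audit"}

def _wstr(buf, off, limit):
    """Read a NUL-terminated UTF-16LE string at off (not past limit); return (text, next_off)."""
    end = off
    while end + 2 <= limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2

def carve_evt_records(blob):
    """Find every EVENTLOGRECORD in a byte blob (a .evt file or carved unallocated space).
    A hit is kept only if the Length DWORD before the magic is repeated at the record's end."""
    records, pos = [], blob.find(MAGIC)
    while pos != -1:
        start, nxt = pos - 4, pos + 4
        if start >= 0:
            length = struct.unpack_from("<I", blob, start)[0]
            end = start + length
            if 56 <= length <= len(blob) - start and struct.unpack_from("<I", blob, end - 4)[0] == length:
                f = struct.unpack_from(HEADER, blob, start)
                source, off = _wstr(blob, start + 56, end)
                computer, _ = _wstr(blob, off, end)
                records.append({
                    "record_number": f[2],
                    "time_generated": datetime.fromtimestamp(f[3], timezone.utc).isoformat(),
                    "event_id": f[5] & 0xFFFF,  # low word is the ID shown in Event Viewer
                    "event_type": EVENT_TYPES.get(f[6], "Unknown(%d)" % f[6]),
                    "source": source, "computer": computer})
                nxt = end                      # resume after this record, not inside it
        pos = blob.find(MAGIC, nxt)
    return records

def build_record(number, ts, event_id, event_type, source, computer):
    """Constructed sample record: header + source/computer names, no strings, SID or data."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = 56 + len(names)
    pad = (-body) % 4                          # keep the trailing Length DWORD aligned
    length = body + pad + 4
    hdr = struct.pack(HEADER, length, 0x654C664C, number, ts, ts, event_id, event_type,
                      0, 0, 0, 0, body + pad, 0, body + pad, 0, body + pad)
    return hdr + names + b"\0" * pad + struct.pack("<I", length)

# Constructed blob: slack, a stray 'LfLe' at offset 1, a record, a zero-length false hit, a record.
SAMPLE = (b"\xffLfLe" + b"\x00" * 30 + build_record(7, 1262304000, 528, 8, "Security", "WKSTN01")
          + b"\x00\x00\x00\x00LfLe" + b"\x11" * 8
          + build_record(8, 1262304060, 6005, 4, "EventLog", "WKSTN01"))
```

A record whose Length runs past the end of the blob is dropped rather than partially parsed, so truncated records at the end of a carved region need to be handled separately.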
7. RECYCLE BIN
• Can be disabled per volume
• See registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
• Files moved to the Recycle Bin are named in accordance with KB 136517
• Index file INFO2 keeps track of original name
• To extract data from INFO2 see recbin.pl
• Vista changed name format of deleted files
8. PREFETCH FILES
• Performance feature of Windows
• Available metadata for run count, when launched, associated DLLs
• Parse directory with pref.pl
• Also PFDump.exe
9. WINDOWS SCHEDULED TASKS
• Created via GUI or via API
• Also at.exe or schtasks.exe (can schedule remotely)
• On pre-2003 Windows, tasks are in C:\Windows\Tasks
• Stored in binary format
• Win7 jobs are in Windows\System32\Tasks in XML format
• When collecting data in Live Response, use at.exe and schtasks.exe to see ALL jobs
10. JUMP LISTS
• New to Win7
• Think ‘Recent Docs’
• System keeps track of recently used files by application
• Stored in the user’s profile under AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Information is also stored in binary format
• Documented by Microsoft
11. HIBERNATION FILES
• Contain a memory dump of the running system
• Volatility can be used to analyze data
• A varied amount of valuable information can be stored (e.g. keys for encrypted volumes)
12. APPLICATION LOGS
• Numerous installed applications maintain their own logs
  • AV logs, Skype, Apple software
• Usefulness depends on the goal of the investigation
  • AV logs
  • Skype – view main.db with Skype Log View
  • Apple software – may produce backup images of devices
  • Image metadata in EXIF format
13. SUMMARY
• Information useful to a case can be found in many locations
• Pick the right log or logs for the job
• The list of applications is certainly not exhaustive
• New applications will have new logs