CTIN, profile picture
Uploaded byCTIN
PDF, PPTX7,948 views

Windows 7 forensics event logs-dtl-r3

Windows 7 introduced significant changes to event logging, including a new .evtx file format, over 100 additional event logs, and new security event numbering. Event logs provide system, security, and application events but can be noisy on their own; they are best analyzed in conjunction with other evidence to identify potentially important events. Proper collection and reconstruction of event logs on the analyst's system is important to ensure all message details are available.

Technology
In this document
Powered by AI

Introduction of Windows 7 event logs and presenter details.

Overview of new *.evtx format, increased log files, and collection methods.

Description of event log structure and distinctions from earlier Windows versions.

Challenges in forensic analysis due to message DLL dependencies in event logs.

Steps for analysts to collect message DLLs and configure registry for log analysis.

Event logs as a secondary source in forensics; context important for significant events.

Improved filtering capabilities in Windows 7 Event Viewer for reduced noise.

Classification and examples of system events logged by Windows services.

Importance of application events, their classifications, and relevance in investigations.

Detailed look at security audit events, their noise level, and new IDs in Windows.

Introduction to 9 audit categories with further detail under each category.

References and further readings on Windows event logs and security.

Emphasis on secondary nature of security events; importance of context in analyses.

Embed presentation

Download as PDF, PPTX
Digital Forensics and Windows 7 Event Logs Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
Introduction Vista/Windows 7 Event Logging: • New format *.evtx. • More, many more, event log files. • New system for collecting and displaying events. • New security event numbering.
Windows Event Logs Before Vista—Event Log. Vista to present—Windows Event • The big three: Log. – System. • The big three: – Security. – System. – Application. – Security. • Binary file, .evt. – Application. • WindowsSystem32config – Plus 100+ more event log files. – Binary/xml format—.evtx.* • Documented and well known. • C:WindowsSystem32winevt Logs • New, documentation growing. http://msdn.microsoft.com/en- http://msdn.microsoft.com/en- us/library/aa363652(v=VS.85).aspx us/library/aa385780(v=VS.85).aspx *http://computer.forensikblog.de/en/topics/windows/vista_event_log/
Windows Event Logs C:WindowsSystem32winevtLogs
Windows Event Logs What is an event log?
Windows Event Logs An event log is more than its .evtx file. • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs. • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog
From *.evtx to Event Log Registry: HKLMSYSTEMControlSet001serviceseventlog *.evtx file MessageFile.dll Event Viewer
Windows Event Logs • Impact on forensics? – Information in an event log often depends on message DLLs. – To get the message information, one must have the message DLLs available at the time the logs are- • Collected; or • Read. – Security events generally consistent within same versions of Windows (message DLLs the same). – Application logs pose the biggest risk of incompatible or missing message information—as message DLLs depend on the installed applications.
Windows Event Logs • Solutions: – Collect logs live, before shutting down a system. • For Example: – >psloglist.exe -s -x Application > AppEvent.csv – >psloglist.exe -s -x System > SysEvent.csv – >psloglist.exe -s -x Security > SecEvent.csv – Rebuild registry references to message DLLs on the analysis workstation. • Generally, not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
Windows Event Logs • Configuring the analyst workstation for reviewing event logs: – Identify the missing message DLLs. • Specified by the registry key for the component with the incomplete event record. – Copy message DLLs to analyst work station. – Add registry keys for component to specify location of the message DLLs.
Windows Event Logs • Identify missing message DLLs. – Review system registry hive file of the system from which the event log file was taken.
Windows Event Logs • Extract the message DLL(s) from the source system and copy to the analyst’s workstation. – New location or recreate original path.
Windows Event Logs • Recreate the registry serviceseventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values. HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogApplicationCommunicator • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
Windows Event Logs • Event logs in forensic examinations: – Rarely a primary source of information. • Noisy. • Significant events often only stand out when there are dates, times, or other items to bring focus to an event. – Security events are often not significant. • Dependent on the security audit settings. – Often evidence of compromise is found in the System and Application event logs or one of the new, narrowly focused logs. • System or application crashes. • Errors, warnings, information.
Windows Event Logs Working with the Windows 7 Event Viewer
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
Windows Event Logs • Start by selecting the event source, as this will populate the other choices.
Windows Event Logs • Next, focus on Task categories—here, selecting logon and logoff.
Windows Event Logs • Finally, Keywords, here selecting Audit Failure and Audit Success.
Windows Event Logs The filtered view.
Windows Event Logs And now, the event logs.
Windows Event Logs • System Events. – Logged by Windows and Windows system services, and are classified as error, warning, or information. – Typical interesting events: • Time Change. • Startup and shutdown. • Services startup, shutdown, failures. • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events. http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs • Application events. – Program Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service. – Typical interesting events would be those relating to programs that could be relevant to an investigation. • Application errors. – E.g., BackupExec agent attack. – Antivirus or malware detection events. • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long standing system problems. – Note: application logging is controlled by the applications—so events are defined by the application developers. – Not all application generate events.
Windows Event Logs
Windows Event Logs
Windows Event Logs • Security events. – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful. – Depend on audit policy. – Noisy. – Completely different Security event IDs from all versions before Vista. – General Tip: Translate pre-Vista Event ID numbers to the new Vista event ID numbers by adding 4096. – There are a number of new security events. – Typical events of interest: • Account logon and logoff. • Failed logon attempts. • Account escalation. • Process execution.
Windows Event Logs 9 audit categories.
Windows Event Logs Clicking on an audit category can provide you with an explanation of what the category audits.
Windows Event Logs http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3A15B562-4650-4298-9745-D9B261F35814&displaylang=en
Windows Event Logs
Windows Event Logs http://support.microsoft.com/kb/977519
Windows Event Logs Further Information: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx http://blogs.msdn.com/b/ericfitz/
Windows Event Logs All those other logs.
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs • Emphasis: Usually on Security Events, but other event logs may have more to offer. • Event log are not typically the primary evidence. – Often too noisy. • Best used when other facts fix times, or implicate specific accounts or computers. • Often, most useful in a timeline with other items of significance.
Windows Event Logs

More Related Content

PPTX
Windows Forensic 101
byDigit Oktavianto
 
PPTX
Memory forensics
bySunil Kumar
 
PPT
Windowsforensics
bySantosh Khadsare
 
PDF
Stegano Forensics
byChiawei Wang
 
PPTX
Windows 10 Forensics: OS Evidentiary Artefacts
byBrent Muir
 
PPT
Malware forensics
bySameera Amjad
 
PPTX
DDOS ATTACKS
byShaurya Gogia
 
PPT
Registry forensics
byPrince Boonlia
 
Windows Forensic 101
byDigit Oktavianto
 
Memory forensics
bySunil Kumar
 
Windowsforensics
bySantosh Khadsare
 
Stegano Forensics
byChiawei Wang
 
Windows 10 Forensics: OS Evidentiary Artefacts
byBrent Muir
 
Malware forensics
bySameera Amjad
 
DDOS ATTACKS
byShaurya Gogia
 
Registry forensics
byPrince Boonlia
 

What's hot

ODT
Operating System Forensics
byArunJS5
 
PPTX
Forensic imaging tools
byDr. Richard Adams
 
PPSX
Ids 005 computer viruses
byjyoti_lakhani
 
PPTX
Memory forensics.pptx
by9905234521
 
PDF
Digital Forensics
byVikas Jain
 
PPTX
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
PPTX
Ntfs and computer forensics
byGaurav Ragtah
 
PPT
Computer Forensics & Windows Registry
bysomutripathi
 
PPT
Windows forensic artifacts
byn|u - The Open Security Community
 
PDF
Windows Registry Analysis
byHimanshu0734
 
PPTX
Windows forensic
byMD SAQUIB KHAN
 
PDF
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
PPT
Mobile forensics
bynoorashams
 
PPT
Computer forensics
byShreya Singireddy
 
PDF
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
PDF
CNIT 121: 8 Forensic Duplication
bySam Bowne
 
PPT
Mac Forensics
byCTIN
 
PDF
Next Generation Memory Forensics
byAndrew Case
 
PPTX
Windows registry forensics
byTaha İslam YILMAZ
 
PPTX
Computer forensics toolkit
byMilap Oza
 
Operating System Forensics
byArunJS5
 
Forensic imaging tools
byDr. Richard Adams
 
Ids 005 computer viruses
byjyoti_lakhani
 
Memory forensics.pptx
by9905234521
 
Digital Forensics
byVikas Jain
 
computer forensic tools-Hardware & Software tools
byN.Jagadish Kumar
 
Ntfs and computer forensics
byGaurav Ragtah
 
Computer Forensics & Windows Registry
bysomutripathi
 
Windows forensic artifacts
byn|u - The Open Security Community
 
Windows Registry Analysis
byHimanshu0734
 
Windows forensic
byMD SAQUIB KHAN
 
MindMap - Forensics Windows Registry Cheat Sheet
byJuan F. Padilla
 
Mobile forensics
bynoorashams
 
Computer forensics
byShreya Singireddy
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
byOlehLevytskyi1
 
CNIT 121: 8 Forensic Duplication
bySam Bowne
 
Mac Forensics
byCTIN
 
Next Generation Memory Forensics
byAndrew Case
 
Windows registry forensics
byTaha İslam YILMAZ
 
Computer forensics toolkit
byMilap Oza
 

Viewers also liked

PDF
Forensics of a Windows System
byConferencias FIST
 
PDF
Windows 8.x Forensics 1.0
byBrent Muir
 
PDF
Windows 7 forensics -overview-r3
byCTIN
 
PPTX
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
PPTX
Windows 7 forensics jump lists-rv3-public
byCTIN
 
PPT
Installation of Joomla on Windows XP
byRupesh Kumar
 
PDF
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
PPT
File system
byHarleen Johal
 
PDF
Become an Internet Sleuth!
byNearpod
 
PPT
Raidprep
byCTIN
 
PPTX
Open Source Forensics
byCTIN
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PDF
Sadfe2007
byCTIN
 
PPTX
Windows 8 Forensics & Anti Forensics
byMike Spaulding
 
PDF
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
PPTX
Msra 2011 windows7 forensics-troyla
byCTIN
 
PPT
Translating Geek To Attorneys It Security
byCTIN
 
PPTX
Social Media Forensics for Investigators
byCase IQ
 
PPT
Edrm
byCTIN
 
PPT
Vista Forensics
byCTIN
 
Forensics of a Windows System
byConferencias FIST
 
Windows 8.x Forensics 1.0
byBrent Muir
 
Windows 7 forensics -overview-r3
byCTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
Windows 7 forensics jump lists-rv3-public
byCTIN
 
Installation of Joomla on Windows XP
byRupesh Kumar
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
File system
byHarleen Johal
 
Become an Internet Sleuth!
byNearpod
 
Raidprep
byCTIN
 
Open Source Forensics
byCTIN
 
Windows logging cheat sheet
byMichael Gough
 
Sadfe2007
byCTIN
 
Windows 8 Forensics & Anti Forensics
byMike Spaulding
 
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
Msra 2011 windows7 forensics-troyla
byCTIN
 
Translating Geek To Attorneys It Security
byCTIN
 
Social Media Forensics for Investigators
byCase IQ
 
Edrm
byCTIN
 
Vista Forensics
byCTIN
 

Similar to Windows 7 forensics event logs-dtl-r3

PPTX
System Event Logs
byprimeteacher32
 
PPTX
INVESTIGATE 1.pptx dnsak nj k skaj kjkjas xkasxjk
byAbhay135516
 
PDF
williams-wwhf-20210617-eventlogs.pdf
byVinceVulpes
 
PPTX
Event Viewer
byMathi Vanan
 
PPTX
LDAP-prepare.pptx
bykarthikvcyber
 
PPTX
LDAP-prepare.pptx
bykarthikvcyber
 
PPT
1556 a 09
byLê Liêu
 
PPTX
Eventlog
byShashi Kanth
 
PDF
The purpose of this research was to analyze Microsoft Windows event .pdf
byanil0878
 
PDF
Understanding the Event Log
bychuckbt
 
PDF
File000138
byDesmond Devendran
 
PDF
Finding attacks with these 6 events
byMichael Gough
 
PDF
Events Classification in Log Audit
byIJNSA Journal
 
PDF
Offensive_Windows_Event_Logs_1681171719.pdf
byBimleshKumar50
 
PDF
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
PDF
How to Perform Network-wide Security Event Log Management
byGFI Software
 
PPTX
Windows Event Analysis - Correlation for Investigation
byMahendra Pratap Singh
 
PPTX
First Responders Course - Session 6 - Detection Systems [2004]
byPhil Huggins FBCS CITP
 
PDF
A self adaptive learning approach for optimum path evaluation of process for ...
byAlexander Decker
 
PDF
File000126
byDesmond Devendran
 
System Event Logs
byprimeteacher32
 
INVESTIGATE 1.pptx dnsak nj k skaj kjkjas xkasxjk
byAbhay135516
 
williams-wwhf-20210617-eventlogs.pdf
byVinceVulpes
 
Event Viewer
byMathi Vanan
 
LDAP-prepare.pptx
bykarthikvcyber
 
LDAP-prepare.pptx
bykarthikvcyber
 
1556 a 09
byLê Liêu
 
Eventlog
byShashi Kanth
 
The purpose of this research was to analyze Microsoft Windows event .pdf
byanil0878
 
Understanding the Event Log
bychuckbt
 
File000138
byDesmond Devendran
 
Finding attacks with these 6 events
byMichael Gough
 
Events Classification in Log Audit
byIJNSA Journal
 
Offensive_Windows_Event_Logs_1681171719.pdf
byBimleshKumar50
 
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
How to Perform Network-wide Security Event Log Management
byGFI Software
 
Windows Event Analysis - Correlation for Investigation
byMahendra Pratap Singh
 
First Responders Course - Session 6 - Detection Systems [2004]
byPhil Huggins FBCS CITP
 
A self adaptive learning approach for optimum path evaluation of process for ...
byAlexander Decker
 
File000126
byDesmond Devendran
 

More from CTIN

PPTX
Mounting virtual hard drives
byCTIN
 
PDF
Encase V7 Presented by Guidance Software august 2011
byCTIN
 
PPTX
Windows 7 forensics thumbnail-dtl-r4
byCTIN
 
PPTX
Time Stamp Analysis of Windows Systems
byCTIN
 
PPT
Nra
byCTIN
 
PPT
Live Forensics
byCTIN
 
PPT
Computer Searchs, Electronic Communication, Computer Trespass
byCTIN
 
PPT
CyberCrime
byCTIN
 
PPT
Search Warrants
byCTIN
 
PPT
Part6 Private Sector Concerns
byCTIN
 
PPT
Networking Overview
byCTIN
 
PPT
M Compevid
byCTIN
 
PPT
L Scope
byCTIN
 
PPT
Level1 Part8 End Of The Day
byCTIN
 
PPT
Law Enforcement Role In Computing
byCTIN
 
PPT
Level1 Part7 Basic Investigations
byCTIN
 
PPT
K Ai
byCTIN
 
PPT
July132000
byCTIN
 
PPT
Investigative Team
byCTIN
 
PPT
Introduction To Unix
byCTIN
 
Mounting virtual hard drives
byCTIN
 
Encase V7 Presented by Guidance Software august 2011
byCTIN
 
Windows 7 forensics thumbnail-dtl-r4
byCTIN
 
Time Stamp Analysis of Windows Systems
byCTIN
 
Nra
byCTIN
 
Live Forensics
byCTIN
 
Computer Searchs, Electronic Communication, Computer Trespass
byCTIN
 
CyberCrime
byCTIN
 
Search Warrants
byCTIN
 
Part6 Private Sector Concerns
byCTIN
 
Networking Overview
byCTIN
 
M Compevid
byCTIN
 
L Scope
byCTIN
 
Level1 Part8 End Of The Day
byCTIN
 
Law Enforcement Role In Computing
byCTIN
 
Level1 Part7 Basic Investigations
byCTIN
 
K Ai
byCTIN
 
July132000
byCTIN
 
Investigative Team
byCTIN
 
Introduction To Unix
byCTIN
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
The year in review - MarvelClient in 2025
bypanagenda
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 

Windows 7 forensics event logs-dtl-r3

  • 1.
    Digital Forensics andWindows 7 Event Logs Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
  • 2.
    Introduction Vista/Windows 7 Event Logging: •New format *.evtx. • More, many more, event log files. • New system for collecting and displaying events. • New security event numbering.
  • 3.
    Windows Event Logs BeforeVista—Event Log. Vista to present—Windows Event • The big three: Log. – System. • The big three: – Security. – System. – Application. – Security. • Binary file, .evt. – Application. • WindowsSystem32config – Plus 100+ more event log files. – Binary/xml format—.evtx.* • Documented and well known. • C:WindowsSystem32winevt Logs • New, documentation growing. http://msdn.microsoft.com/en- http://msdn.microsoft.com/en- us/library/aa363652(v=VS.85).aspx us/library/aa385780(v=VS.85).aspx *http://computer.forensikblog.de/en/topics/windows/vista_event_log/
  • 4.
    Windows Event Logs C:WindowsSystem32winevtLogs
  • 5.
    Windows Event Logs Whatis an event log?
  • 6.
    Windows Event Logs Anevent log is more than its .evtx file. • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs. • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog
  • 7.
    From *.evtx toEvent Log Registry: HKLMSYSTEMControlSet001serviceseventlog *.evtx file MessageFile.dll Event Viewer
  • 8.
    Windows Event Logs •Impact on forensics? – Information in an event log often depends on message DLLs. – To get the message information, one must have the message DLLs available at the time the logs are- • Collected; or • Read. – Security events generally consistent within same versions of Windows (message DLLs the same). – Application logs pose the biggest risk of incompatible or missing message information—as message DLLs depend on the installed applications.
  • 9.
    Windows Event Logs •Solutions: – Collect logs live, before shutting down a system. • For Example: – >psloglist.exe -s -x Application > AppEvent.csv – >psloglist.exe -s -x System > SysEvent.csv – >psloglist.exe -s -x Security > SecEvent.csv – Rebuild registry references to message DLLs on the analysis workstation. • Generally, not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
  • 10.
    Windows Event Logs •Configuring the analyst workstation for reviewing event logs: – Identify the missing message DLLs. • Specified by the registry key for the component with the incomplete event record. – Copy message DLLs to analyst work station. – Add registry keys for component to specify location of the message DLLs.
  • 11.
    Windows Event Logs •Identify missing message DLLs. – Review system registry hive file of the system from which the event log file was taken.
  • 12.
    Windows Event Logs •Extract the message DLL(s) from the source system and copy to the analyst’s workstation. – New location or recreate original path.
  • 13.
    Windows Event Logs •Recreate the registry serviceseventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values. HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogApplicationCommunicator • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
  • 14.
    Windows Event Logs •Event logs in forensic examinations: – Rarely a primary source of information. • Noisy. • Significant events often only stand out when there are dates, times, or other items to bring focus to an event. – Security events are often not significant. • Dependent on the security audit settings. – Often evidence of compromise is found in the System and Application event logs or one of the new, narrowly focused logs. • System or application crashes. • Errors, warnings, information.
  • 15.
    Windows Event Logs Workingwith the Windows 7 Event Viewer
  • 16.
  • 17.
  • 18.
  • 19.
    Windows Event Logs Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
  • 20.
    Windows Event Logs •Start by selecting the event source, as this will populate the other choices.
  • 21.
    Windows Event Logs •Next, focus on Task categories—here, selecting logon and logoff.
  • 22.
    Windows Event Logs •Finally, Keywords, here selecting Audit Failure and Audit Success.
  • 23.
    Windows Event Logs The filtered view.
  • 24.
    Windows Event Logs And now, the event logs.
  • 25.
    Windows Event Logs •System Events. – Logged by Windows and Windows system services, and are classified as error, warning, or information. – Typical interesting events: • Time Change. • Startup and shutdown. • Services startup, shutdown, failures. • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events. http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
  • 26.
  • 27.
  • 28.
  • 29.
    Windows Event Logs •Application events. – Program Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service. – Typical interesting events would be those relating to programs that could be relevant to an investigation. • Application errors. – E.g., BackupExec agent attack. – Antivirus or malware detection events. • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long standing system problems. – Note: application logging is controlled by the applications—so events are defined by the application developers. – Not all application generate events.
  • 30.
  • 31.
  • 32.
    Windows Event Logs •Security events. – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful. – Depend on audit policy. – Noisy. – Completely different Security event IDs from all versions before Vista. – General Tip: Translate pre-Vista Event ID numbers to the new Vista event ID numbers by adding 4096. – There are a number of new security events. – Typical events of interest: • Account logon and logoff. • Failed logon attempts. • Account escalation. • Process execution.
  • 33.
    Windows Event Logs 9 audit categories.
  • 34.
    Windows Event Logs Clickingon an audit category can provide you with an explanation of what the category audits.
  • 35.
  • 36.
  • 37.
    Windows Event Logs http://support.microsoft.com/kb/977519
  • 38.
    Windows Event Logs FurtherInformation: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx http://blogs.msdn.com/b/ericfitz/
  • 39.
    Windows Event Logs All those other logs.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
    Windows Event Logs • Emphasis: Usually on Security Events, but other event logs may have more to offer. • Event log are not typically the primary evidence. – Often too noisy. • Best used when other facts fix times, or implicate specific accounts or computers. • Often, most useful in a timeline with other items of significance.
  • 49.