Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.
![Page 1: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/1.jpg)
Mastering Windows Network Forensics and Investigation
Chapter 15: Forensic Analysis of Event Logs
![Page 2: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/2.jpg)
Chapter Topics:
• Using EnCase to Examine Windows Event Logs Files
• Understanding Internal Structures of Event Log
• Repairing corrupt event log files
• Finding & analyzing event log fragments
![Page 3: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/3.jpg)
Using EnCase to Examine Windows Event Logs Files
• EnCase EnScript Windows Event Log Parser
• Parses raw data and does NOT rely upon Window API
• Output format
– Bookmarks
– Export to spreadsheet
![Page 4: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/4.jpg)
EnCase Windows Event Log Parser User Interface
![Page 5: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/5.jpg)
EnCase Windows Event Log Parser Spreadsheet Output
![Page 6: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/6.jpg)
WinXP Event Log Internals
• Databases of event records
• Event types segregated into three files or databases
– SysEvent.evt
– SecEvent.evt
– AppEvent.evt
![Page 7: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/7.jpg)
Event Log Internals
• Each file or database has three parts
– Header
– Records
– Floating footer
![Page 8: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/8.jpg)
Header
![Page 9: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/9.jpg)
Event Log Record
![Page 10: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/10.jpg)
Floating Footer
![Page 11: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/11.jpg)
Repairing corrupt event log files
• Header byte offsets 16-31 (16-19, 20-23, 24-27, & 28-31) represent:
– Offset to oldest event
– Offset to next event
– Event ID of next event
– Event ID of oldest event
![Page 12: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/12.jpg)
Repairing corrupt event log files
• Floating footer byte offsets 20-35 (20-23, 24-27, 28-31, & 32-35) represent:
– Offset to oldest event
– Offset to next event
– Event ID of next event
– Event ID of oldest event
![Page 13: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/13.jpg)
Repairing corrupt event log files
• Floating footer contains “real-time” data while header is updated during normal shutdown of event log service
• Byte offset 36 of the header contains an odd value (09, 0B, etc.) if the update has NOT occurred, while an even value (08, 00, etc.) indicates the update has occurred
![Page 14: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/14.jpg)
Repairing corrupt event log files
• Event Viewer (and other Windows API viewers) requires that byte offset 36 be even; otherwise a “corrupt log” message occurs.
• Pulling the plug or copying live event logs results in a file whose header has NOT been updated with the floating footer’s values and whose byte offset 36 holds an odd value, hence the error message when opening such logs with Event Viewer
![Page 15: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/15.jpg)
Error Message!
![Page 16: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/16.jpg)
Repairing corrupt event log files
• The “fix” is to:
– Copy floating footer byte offsets 20-35
– Paste to header byte offsets 16-31
– Change header byte offset 36 to an even value such as 00
– Save
– Open with Event Viewer!
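The header/footer relationship and the “fix” above can be checked and applied programmatically. The following is an added example, not code from the book or from EnCase; it uses the field layout of the XP/2003 EVT header (ELF_LOGFILE_HEADER) and floating footer (ELF_EOF_RECORD) as publicly documented, and the sample file it builds is constructed for the example rather than taken from a real system. It locates the footer by its fixed marker DWORDs, reports whether byte offset 36 is odd, and writes footer bytes 20-35 over header bytes 16-31 before clearing the dirty bit.

```python
import struct

# Layout facts used here come from the public documentation of the Windows
# XP/2003 EVT format (ELF_LOGFILE_HEADER and ELF_EOF_RECORD); the sample file
# built below is constructed for this example and is not a real log.
EVT_SIGNATURE = 0x654C664C          # "LfLe" read as a little-endian DWORD
HEADER_SIZE = 48                    # fixed header, 0x30 bytes
FOOTER_SIZE = 40                    # floating footer (EOF record), 0x28 bytes
# The footer starts with its size and four fixed marker DWORDs; searching for
# this 20-byte pattern is how the footer is located wherever it floats to.
FOOTER_MARKER = struct.pack("<IIIII", 0x28, 0x11111111, 0x22222222,
                            0x33333333, 0x44444444)
DIRTY_FLAG = 0x01                   # bit 0 of byte 36: set while the log is open


def parse_header(data):
    """Return the header fields at byte offsets 16-31 and the flags at 36."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 4)[0] != EVT_SIGNATURE:
        raise ValueError("no LfLe signature at offset 4: not an EVT header")
    oldest_off, next_off, next_id, oldest_id = struct.unpack_from("<IIII", data, 16)
    flags = struct.unpack_from("<I", data, 36)[0]
    return {"oldest_offset": oldest_off, "next_offset": next_off,
            "next_record_id": next_id, "oldest_record_id": oldest_id,
            "flags": flags, "dirty": bool(flags & DIRTY_FLAG)}


def find_footer(data):
    """Offset of the floating footer, found by its marker pattern.

    A log that has wrapped can leave a stale copy of the footer behind; this
    simple version takes the first match, which is right for the common case.
    """
    pos = data.find(FOOTER_MARKER)
    if pos < 0 or pos + FOOTER_SIZE > len(data):
        raise ValueError("floating footer not found")
    return pos


def parse_footer(data):
    """Return the 'real-time' copy of the same four fields (footer bytes 20-35)."""
    pos = find_footer(data)
    oldest_off, next_off, next_id, oldest_id = struct.unpack_from("<IIII", data, pos + 20)
    return {"oldest_offset": oldest_off, "next_offset": next_off,
            "next_record_id": next_id, "oldest_record_id": oldest_id}


def repair(data):
    """Apply the slide's fix to a copy of the file and return the copy.

    Footer bytes 20-35 are copied over header bytes 16-31 and the dirty bit in
    byte 36 is cleared.  Only bit 0 is cleared so the other flag bits survive;
    writing 00 as the slide suggests works too, but discards them.
    """
    if not parse_header(data)["dirty"]:
        return bytes(data)          # header already consistent; nothing to do
    pos = find_footer(data)
    fixed = bytearray(data)
    fixed[16:32] = data[pos + 20:pos + 36]
    flags = struct.unpack_from("<I", fixed, 36)[0] & ~DIRTY_FLAG
    struct.pack_into("<I", fixed, 36, flags)
    return bytes(fixed)


def build_sample_dirty_evt():
    """Constructed sample: a log copied while live, so the header is stale."""
    record_area = b"\x00" * 200     # stand-in for the event records
    header = struct.pack("<IIIIIIIIIIII",
                         0x30, EVT_SIGNATURE, 1, 1,   # size, "LfLe", version 1.1
                         48, 48, 1, 1,                # stale offsets/ids at 16-31
                         0x80000,                     # maximum file size
                         0x09,                        # byte 36 odd: dirty + archive bits
                         0,                           # retention
                         0x30)                        # end-of-header size
    footer = FOOTER_MARKER + struct.pack("<IIIII",
                                         48, 248, 7, 1,   # current values at 20-35
                                         0x28)
    return header + record_area + footer


if __name__ == "__main__":
    sample = build_sample_dirty_evt()
    print("before:", parse_header(sample))
    print("after: ", parse_header(repair(sample)))
```

Work on a copy of the evidence file, as `repair` does, so the original image keeps its odd byte 36: that odd value is itself evidence that the log was captured live rather than after a clean service shutdown.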
![Page 17: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/17.jpg)
Windows Vista+ Event Log Internals
![Page 18: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/18.jpg)
Windows Vista+ Event Log Header
![Page 19: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/19.jpg)
Windows Vista+ Event Log Header
![Page 20: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/20.jpg)
Windows Vista+ Event Chunk Header
![Page 21: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/21.jpg)
Windows Vista+ Event Chunk Header
![Page 22: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/22.jpg)
Windows Vista+ Event Record
![Page 23: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/23.jpg)
Windows Vista+ Event Record
![Page 24: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/24.jpg)
Windows Vista+ Event Logs
• Do not corrupt like EVT files do
• No floating footer
• Chunks are standalone units
![Page 25: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/25.jpg)
Finding & Recovering Event Logs
• When event log is cleared, data is NOT overwritten.
• In some cases, new data is written to a new starting cluster!
• Event logs are very recoverable
• Locate event records by their header
![Page 26: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/26.jpg)
Finding & Recovering Event Logs (Win XP)
• Starting with the header, select block of contiguous event record data.
• Export this data out as a file with an “evt” extension and name of your choosing
• Bring into EnCase as a single file(s).
• Select those files
• Process them with EnCase Windows Event Log Parser
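Locating XP-era records “by their header” means searching for the record signature and validating what follows it, which is also what a raw parser such as the EnScript described earlier has to do once the exported block is handed to it. The following is an added example, not the book’s or EnCase’s code; it uses the public EVENTLOGRECORD layout (length, “LfLe”, record number, times, event ID, type, then the UTF-16 source and computer names, and a trailing copy of the length), and the byte run it scans is constructed to look like unallocated space holding two whole records and one cut off mid-record.

```python
import struct
from datetime import datetime, timezone

# Record layout from the public EVENTLOGRECORD definition for XP/2003 EVT logs.
# All sample data below is constructed for this example.
RECORD_SIG = b"LfLe"
FIXED_HEADER = struct.Struct("<IIIIIIHHHHIIIIII")   # the 56-byte fixed part
MIN_RECORD = 64      # 56-byte header + two empty UTF-16 names + trailing length
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def _read_utf16z(blob, offset):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after NUL)."""
    end = offset
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(blob, start):
    """Parse one record at `start`, or return None if it is not a sane record."""
    if start < 0 or start + FIXED_HEADER.size > len(blob):
        return None
    length = struct.unpack_from("<I", blob, start)[0]
    # Sanity checks: plausible size, DWORD aligned, fully present, and the
    # trailing length copy must match the leading one.  This rejects the
    # 48-byte file header (which also carries "LfLe") and truncated fragments.
    if length < MIN_RECORD or length % 4 or start + length > len(blob):
        return None
    if struct.unpack_from("<I", blob, start + length - 4)[0] != length:
        return None
    (_, sig, rec_num, t_gen, t_written, event_id, ev_type, n_strings,
     category, _, _, _, _, _, _, _) = FIXED_HEADER.unpack_from(blob, start)
    if sig != 0x654C664C:
        return None
    source, after = _read_utf16z(blob, start + FIXED_HEADER.size)
    computer, _ = _read_utf16z(blob, after)
    return {
        "offset": start, "length": length, "record_number": rec_num,
        "time_generated": t_gen,          # seconds since 1970-01-01 UTC
        "time_generated_utc": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
        "time_written": t_written,
        "event_id": event_id,
        "event_code": event_id & 0xFFFF,  # the number Event Viewer displays
        "event_type": EVENT_TYPES.get(ev_type, f"unknown({ev_type})"),
        "category": category, "num_strings": n_strings,
        "source": source, "computer": computer,
    }


def carve_records(blob):
    """Find every record in an arbitrary byte run by its signature at offset 4."""
    records = []
    pos = blob.find(RECORD_SIG)
    while pos != -1:
        rec = parse_record(blob, pos - 4)     # the length DWORD precedes "LfLe"
        if rec is not None:
            records.append(rec)
        pos = blob.find(RECORD_SIG, pos + 4)
    return records


def make_record(record_number, time_generated, event_id, event_type, source, computer):
    """Build a minimal constructed record (no insertion strings, SID or data)."""
    names = (source.encode("utf-16-le") + b"\x00\x00" +
             computer.encode("utf-16-le") + b"\x00\x00")
    body_end = FIXED_HEADER.size + len(names)
    pad = (-body_end) % 4                     # records are DWORD aligned
    length = body_end + pad + 4
    header = FIXED_HEADER.pack(length, 0x654C664C, record_number, time_generated,
                               time_generated, event_id, event_type, 0, 0, 0, 0,
                               body_end, 0, body_end, 0, body_end)
    return header + names + b"\x00" * pad + struct.pack("<I", length)


def build_sample_blob():
    """Constructed unallocated-space sample: junk, two records, a truncated third."""
    t0 = 1293840000                                   # 2011-01-01 00:00:00 UTC
    rec1 = make_record(1, t0 - 3600, 6005, 4, "EventLog", "WORKSTATION1")
    rec2 = make_record(2, t0, 517, 8, "Security", "WORKSTATION1")
    rec3 = make_record(3, t0 + 60, 528, 8, "Security", "WORKSTATION1")
    return b"\xff" * 16 + rec1 + b"junk" + rec2 + rec3[:40]


if __name__ == "__main__":
    for rec in carve_records(build_sample_blob()):
        print(rec["record_number"], rec["time_generated_utc"], rec["source"],
              rec["event_code"], rec["event_type"], rec["computer"])
```

The trailing-length check is what keeps a carver honest: a record that is cut off at a cluster boundary, or a stray “LfLe” inside unrelated data, fails it and is skipped instead of producing garbage fields. The sample’s second record mimics the XP audit-log-cleared event (ID 517, source Security), the kind of record that survives in unallocated space after a log is cleared.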
![Page 27: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/27.jpg)
Finding & Recovering Event Logs (Win Vista+)
• Starting with the header, select block of contiguous event record data.
• Export this data out as a file with an “evtx” extension and name of your choosing
• Bring into EnCase as a single file(s).
• Select those files
• Process them with EnCase Windows Event Log Parser
![Page 28: Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.](https://reader037.fdocuments.us/reader037/viewer/2022102818/56649cd65503460f9499e015/html5/thumbnails/28.jpg)
Finding & Recovering Event Logs (Win Vista+)
• For incomplete files, you can use various tools available for free for parsing Event Log Chunks individually
• For a free application see: http://computer.forensikblog.de/en/2011/11/evtx_parser_1_1_0.html
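Because each 64 KiB EVTX chunk carries its own header checksum and its own checksum over its record data, a chunk can be validated and walked on its own, with no file header and no floating footer, which is what makes incomplete Vista+ files recoverable chunk by chunk. The following is an added example, not the book’s code and not the parser linked above; it uses the chunk header layout as publicly documented (signature “ElfChnk\0”, first/last record numbers and identifiers, free-space offset, a CRC32 over the record data at offset 52, and a CRC32 over header bytes 0-119 plus 128-511 at offset 124) and the record header layout (signature 2a 2a 00 00, size, record identifier, FILETIME, trailing size). The chunks it scans are constructed; zero bytes stand in for the BinXML event body a real record would carry.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Layout facts from the public EVTX format documentation (chunk header and
# event record header).  Sample chunks built below are constructed, with zero
# bytes standing in for the BinXML event body that a real record would carry.
CHUNK_SIZE = 0x10000
CHUNK_SIG = b"ElfChnk\x00"
RECORD_SIG = b"\x2a\x2a\x00\x00"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO 8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def header_crc(chunk):
    """CRC32 stored at offset 124: covers chunk bytes 0-119 and 128-511."""
    return zlib.crc32(chunk[0:120] + chunk[128:512]) & 0xFFFFFFFF


def data_crc(chunk, free_space_offset):
    """CRC32 stored at offset 52: covers the record data from 512 to free space."""
    return zlib.crc32(chunk[512:free_space_offset]) & 0xFFFFFFFF


def walk_records(chunk, limit):
    """Walk the record chain from offset 512 until `limit` or the first bad record."""
    records, pos = [], 512
    while pos + 28 <= limit and chunk[pos:pos + 4] == RECORD_SIG:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, pos + 4)
        if size < 28 or pos + size > limit:
            break
        if struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
            break                                   # trailing size copy must match
        records.append({"record_id": rec_id, "written": filetime_to_iso(ft), "offset": pos})
        pos += size
    return records


def parse_chunk(chunk, available=CHUNK_SIZE):
    """Validate and summarise one chunk using only its own bytes."""
    (first_num, last_num, first_id, last_id, hdr_size,
     last_rec_off, free_off, stored_data_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    stored_hdr_crc = struct.unpack_from("<I", chunk, 124)[0]
    truncated = available < CHUNK_SIZE
    hdr_ok = hdr_size == 128 and stored_hdr_crc == header_crc(chunk)
    data_ok = free_off <= available and stored_data_crc == data_crc(chunk, free_off)
    return {"first_record_number": first_num, "last_record_number": last_num,
            "first_record_id": first_id, "last_record_id": last_id,
            "free_space_offset": free_off, "last_record_offset": last_rec_off,
            "header_crc_ok": hdr_ok, "data_crc_ok": data_ok, "truncated": truncated,
            "records": walk_records(chunk, min(free_off, available))}


def find_chunks(blob):
    """Carve every chunk from a byte run (partial file or unallocated space)."""
    found, pos = [], blob.find(CHUNK_SIG)
    while pos != -1:
        available = min(CHUNK_SIZE, len(blob) - pos)
        if available >= 512:                        # the whole header is present
            chunk = blob[pos:pos + available].ljust(CHUNK_SIZE, b"\x00")
            info = parse_chunk(chunk, available)
            info["offset"] = pos
            found.append(info)
            # Skip a validated chunk whole; otherwise re-sync on the next signature.
            pos = blob.find(CHUNK_SIG, pos + (CHUNK_SIZE if info["header_crc_ok"] else 8))
        else:
            pos = blob.find(CHUNK_SIG, pos + 8)
    return found


def build_sample_chunk(first_id, count, base_time=1293840000):
    """Constructed chunk with `count` minimal records, one per minute from base_time."""
    body = b""
    for i in range(count):
        ft = (base_time + 60 * i) * 10_000_000 + 116444736000000000   # Unix -> FILETIME
        payload = b"\x00" * 36                      # stand-in for BinXML event data
        size = 24 + len(payload) + 4
        body += RECORD_SIG + struct.pack("<IQQ", size, first_id + i, ft) + payload + struct.pack("<I", size)
    free_off = 512 + len(body)
    chunk = bytearray(CHUNK_SIZE)
    chunk[512:free_off] = body
    struct.pack_into("<8sQQQQIIII", chunk, 0, CHUNK_SIG, first_id, first_id + count - 1,
                     first_id, first_id + count - 1, 128, free_off - size, free_off,
                     data_crc(bytes(chunk), free_off))
    struct.pack_into("<I", chunk, 124, header_crc(bytes(chunk)))   # last: covers the fields above
    return bytes(chunk)


def build_sample_blob():
    """Constructed fragment: junk, a good chunk, a chunk with a flipped header byte, a cut-off chunk."""
    good = build_sample_chunk(1000, 3)
    damaged = bytearray(build_sample_chunk(1003, 2))
    damaged[16] ^= 0xFF                              # corrupt 'last record number'
    partial = build_sample_chunk(1005, 3)[:1000]
    return b"\xaa" * 4096 + good + bytes(damaged) + partial


if __name__ == "__main__":
    for info in find_chunks(build_sample_blob()):
        print(info["offset"], info["first_record_id"], info["last_record_id"],
              info["header_crc_ok"], info["data_crc_ok"], info["truncated"], len(info["records"]))
```

The two checksums give a defensible statement about each carved chunk: a header CRC match says the record-number range and offsets can be trusted, and a data CRC match says the records themselves are intact, so a chunk that fails either should be reported as damaged rather than silently merged with its neighbours.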