Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.


Transcript of Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.

Page 1:

Mastering Windows Network Forensics and Investigation

Chapter 15: Forensic Analysis of Event Logs

Page 2:

Chapter Topics:

• Using EnCase to Examine Windows Event Logs Files

• Understanding Internal Structures of Event Log

• Repairing corrupt event log files

• Finding & analyzing event log fragments

Page 3:

Using EnCase to Examine Windows Event Logs Files

• EnCase EnScript Windows Event Log Parser

• Parses raw data and does NOT rely upon the Windows API

• Output format
  – Bookmarks
  – Export to spreadsheet

Page 4:

EnCase Windows Event Log Parser User Interface

Page 5:

EnCase Windows Event Log Parser Spreadsheet Output

Page 6:

WinXP Event Log Internals

• Databases of event records

• Event types segregated into 3 files or databases
  – SysEvent.evt
  – SecEvent.evt
  – AppEvent.evt

Page 7:

Event Log Internals

• Each file or database has three parts
  – Header
  – Records
  – Floating footer

Page 8:

Header

Page 9:

Event Log Record

Page 10:

Floating Footer

Page 11:

Repairing corrupt event log files

• Header byte offsets 16-31 (16-19, 20-23, 24-27, & 28-31) represent:
  – Offset to oldest event
  – Offset to next event
  – Event ID of next event
  – Event ID of oldest event

Page 12:

Repairing corrupt event log files

• Floating footer byte offsets 20-35 (20-23, 24-27, 28-31, & 32-35) represent:
  – Offset to oldest event
  – Offset to next event
  – Event ID of next event
  – Event ID of oldest event

Page 13:

Repairing corrupt event log files

• Floating footer contains “real-time” data, while the header is updated during normal shutdown of the event log service

• Byte offset 36 of the header contains an odd value (09, 0B, etc.) if the update has NOT occurred, while an even value (08, 00, etc.) indicates the update has occurred

Page 14:

Repairing corrupt event log files

• Event Viewer (and other Windows API-based viewers) requires that byte offset 36 be even; otherwise a “corrupt log” message occurs.

• Pulling the plug or copying live event logs results in a file whose header has NOT been updated from the floating footer and carries an odd value at byte offset 36, hence the error message when such logs are opened with Event Viewer

Page 15:

Error Message!

Page 16:

Repairing corrupt event log files

• The “fix” is to:
  – Copy floating footer byte offsets 20-35
  – Paste to header byte offsets 16-31
  – Change header byte offset 36 to an even value such as 00
  – Save
  – Open with Event Viewer!
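As an added example (not from the book or from EnCase), the repair procedure above as a Python script that works on a copy of the .evt file: it reads the four floating-footer fields at bytes 20-35, writes them over header bytes 16-31 and makes byte 36 even. The footer is located by the EOF record's magic pattern, which is standard EVT format knowledge not stated on the slides; the sample file and its field values are constructed inline.

```python
import struct

# Constructed demo values (not from the slides): a header left stale by an
# unclean shutdown next to a floating footer that kept tracking the log.
STALE = {"oldest_off": 0x30, "next_off": 0x30, "next_id": 1, "oldest_id": 1}
LIVE = {"oldest_off": 0x30, "next_off": 0x1F4, "next_id": 43, "oldest_id": 1}
FIELDS = ("oldest_off", "next_off", "next_id", "oldest_id")  # slide order

# The floating footer starts with its size and four magic DWORDs, then the four
# fields at bytes 20-35 named on the slides. The magic is standard EVT format
# knowledge, not something the slides state.
FOOTER_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)

def build_sample_evt(dirty: bool = True) -> bytes:
    """Construct a minimal EVT-like file: 48-byte header, filler records, footer."""
    flags = 0x09 if dirty else 0x08  # byte 36: odd means the header was never flushed
    header = struct.pack("<I4sII", 0x30, b"LfLe", 1, 1)         # size, signature, version
    header += struct.pack("<4I", *(STALE[f] for f in FIELDS))    # bytes 16-31
    header += struct.pack("<4I", 0x80000, flags, 0, 0x30)       # max size, flags, retention, size
    records = b"\x00" * (LIVE["next_off"] - 0x30)              # stand-in for event records
    footer = struct.pack("<I", 0x28) + FOOTER_MAGIC
    footer += struct.pack("<4I", *(LIVE[f] for f in FIELDS)) + struct.pack("<I", 0x28)
    return header + records + footer

def header_fields(data: bytes) -> dict:
    """Read the four header fields at bytes 16-31, in the order the slides list them."""
    return dict(zip(FIELDS, struct.unpack_from("<4I", data, 16)))

def header_is_dirty(data: bytes) -> bool:
    """Byte offset 36 odd (09, 0B, ...) means the shutdown update never happened."""
    return data[36] & 1 == 1

def find_floating_footer(data: bytes) -> int:
    """Locate the floating footer by its magic; the record starts 4 bytes earlier."""
    idx = data.rfind(FOOTER_MAGIC)
    if idx < 4:
        raise ValueError("no floating footer found")
    return idx - 4

def repair_evt(data: bytes) -> bytes:
    """The slides' fix, on a working copy: footer 20-35 -> header 16-31, byte 36 even."""
    buf = bytearray(data)
    foot = find_floating_footer(buf)
    buf[16:32] = buf[foot + 20:foot + 36]
    buf[36] &= 0xFE  # clear the low bit: 0x09 becomes 0x08, an even value
    return bytes(buf)
```

Run `repair_evt` only against a forensic copy; the original evidence file stays untouched and the copy is what Event Viewer or the EnCase parser is then pointed at.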

Page 17:

Windows Vista+ Event Log Internals

Page 18:

Windows Vista+ Event Log Header

Page 19:

Windows Vista+ Event Log Header

Page 20:

Windows Vista+ Event Chunk Header

Page 21:

Windows Vista+ Event Chunk Header

Page 22:

Windows Vista+ Event Record

Page 23:

Windows Vista+ Event Record

Page 24:

Windows Vista+ Event Logs

• Do not become corrupt the way EVT files do

• No floating footer

• Chunks are standalone units

Page 25:

Finding & Recovering Event Logs

• When event log is cleared, data is NOT overwritten.

• In some cases, new data is written to a new starting cluster!

• Event logs are very recoverable

• Locate event records by their header

Page 26:

Finding & Recovering Event Logs (Win XP)

• Starting with the header, select block of contiguous event record data.

• Export this data out as a file with an “evt” extension and name of your choosing

• Bring them into EnCase as single file(s)

• Select those files

• Process them with EnCase Windows Event Log Parser
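An added example, not from the book or the EnCase parser, of the “locate event records by their header” step for Win XP logs: it carves EVENTLOGRECORD entries out of a raw blob by the “LfLe” signature and the length DWORD stored at both ends of each record, then returns the contiguous run you would export with an .evt extension. The record layout is Microsoft's documented EVENTLOGRECORD structure, not something the slides spell out; the blob and its event IDs are constructed inline.

```python
import struct

RECORD_SIG = b"LfLe"  # at offset +4 of every EVENTLOGRECORD (and of the file header)
HEADER_LEN = 56       # fixed-size part of EVENTLOGRECORD, including the leading length

def build_record(rec_no: int, event_id: int, ts: int = 1_320_000_000) -> bytes:
    """Construct a minimal EVENTLOGRECORD for demonstration (no strings, SID or data)."""
    fixed = struct.pack("<4sIIIIHHHHIIIIII", RECORD_SIG, rec_no, ts, ts, event_id,
                        4, 0, 0, 0, 0, 0, 0, 0, 0, 0)          # type 4 = Information
    body = fixed + "Demo\x00".encode("utf-16-le") + "HOST\x00".encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)                          # DWORD-align the record
    length = len(body) + 8                                      # length stored at both ends
    return struct.pack("<I", length) + body + struct.pack("<I", length)

def carve_records(blob: bytes) -> list:
    """Return (offset, record_number, event_id) for every intact record in a raw blob."""
    found, pos = [], 0
    while (idx := blob.find(RECORD_SIG, pos)) != -1:
        pos = idx + 4
        start = idx - 4
        if start < 0:
            continue
        length = struct.unpack_from("<I", blob, start)[0]
        end = start + length
        # Reject the 48-byte file header, truncated tails, and anything whose
        # trailing length DWORD does not match the leading one.
        if length < HEADER_LEN + 4 or length % 4 or end > len(blob):
            continue
        if struct.unpack_from("<I", blob, end - 4)[0] != length:
            continue
        rec_no, _, _, event_id = struct.unpack_from("<IIII", blob, start + 8)
        found.append((start, rec_no, event_id))
        pos = end
    return found

def record_run(blob: bytes, found: list) -> bytes:
    """Bytes from the first carved record to the end of the last one: the
    contiguous block the slides say to export as an .evt file."""
    if not found:
        return b""
    first, last = found[0][0], found[-1][0]
    last_len = struct.unpack_from("<I", blob, last)[0]
    return blob[first:last + last_len]

# Constructed "unallocated space": slack, two records, junk, a truncated record.
SAMPLE = (b"\xab" * 37 + build_record(1, 528) + b"junk"
          + build_record(2, 517) + build_record(3, 529)[:40] + RECORD_SIG)
```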

Page 27:

Finding & Recovering Event Logs (Win Vista+)

• Starting with the header, select block of contiguous event record data.

• Export this data out as a file with an “evtx” extension and name of your choosing

• Bring them into EnCase as single file(s)

• Select those files

• Process them with EnCase Windows Event Log Parser

Page 28:

Finding & Recovering Event Logs (Win Vista+)

• For incomplete files, you can use various freely available tools for parsing event log chunks individually

• For a free application see: http://computer.forensikblog.de/en/2011/11/evtx_parser_1_1_0.html