Recovering Information from Deleted Security Event Logs
Troy Larson
Senior Forensic Investigator
Microsoft Corporation
Introduction

• How to find and recover useful information from deleted security event logs (fragments).
  • Considering initial search strings.
  • Identifying and reading event log internals.
  • Making refined and targeted search terms.
Windows Event Log Basics

• What the Event Viewer displays as an event log is actually a construct of:
  • An event log file (*.evt).
  • The registry.
  • “Message files.”
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog

*.evt + Registry + Message = Log
Security Event Log - Event Viewer

SecEvent.evt

Security Event Log Recovery

• Much of the important event information in the Security event log is contained within the SecEvent.evt file itself.
  • Event ID
  • User
  • Computer
• The Security Event Log relies less on message files than the System and Application Event logs.
Finding SecEvent.evt fragments

• Search for text strings.
  • Computer name: “REX”
  • Event log name: “Security”
  • “LfLe” or 0x 4C 66 4C 65 (Record Header?)
  • Other terms: “MSGina,” “AUTHENTICATION,” etc.
• Note: Terms are in Unicode (except LfLe).
Reading SecEvent.evt fragments

• Microsoft documentation:
  • MSDN online library: “EVENTLOGRECORD”
Reading SecEvent.evt fragments

EVENTLOGRECORD structure:

  DWORD   Length                   4 Bytes
  DWORD   Reserved                 4 Bytes
  DWORD   Record Number            4 Bytes
  DWORD   Time Generated           4 Bytes
  DWORD   Time Written             4 Bytes
  DWORD   Event ID                 4 Bytes
  WORD    Event Type               2 Bytes
  WORD    NumStrings               2 Bytes
  WORD    Event Category           2 Bytes
  WORD    Reserved Flags           2 Bytes
  DWORD   Closing Record Number    4 Bytes
  DWORD   String Offset            4 Bytes
  DWORD   User Sid Length          4 Bytes
  DWORD   User Sid Offset          4 Bytes
  DWORD   Data Length              4 Bytes
  DWORD   Data Offset              4 Bytes

http://msdn.microsoft.com/library/en-us/debug/base/eventlogrecord_str.asp
Reading SecEvent.evt fragments

Length = 4 Bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

0x B0 00 00 00 = 176
Length = 176 Bytes

Next 4 Bytes Reserved

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

0x 4C 66 4C 65 = LfLe

Record Number = 4 Bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42

0x FA F5 05 00 = 390650
Record Number = 390650

Time Generated = 4 Bytes, Time Written = 4 Bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
29497056 | AA 54 1D 42

0x AA 54 1D 42 = 2/24/2005 04:14:34 UTC
Must convert time values to local time.

Event ID = 4 Bytes

29497040 | B0 00 00 00 4C 66 4C 65 FA F5 05 00 AA 54 1D 42
29497056 | AA 54 1D 42 11 02 00 00

0x 11 02 00 00 = 529
Event ID = 529
Event ID 529: Unknown User Name Or Bad Password
http://support.microsoft.com/default.aspx?scid=kb;en-us;174074

String Offset = 4 Bytes

29497072 | 00 00 00 00 5E 00 00 00 0C 00 00 00 52 00 00 00

0x 5E 00 00 00 = 94
String Offset = 94 Bytes
Refining and targeting search terms

• User Names in Unicode
• Domain names in Unicode
• IP Addresses in Unicode
• Event IDs in Hex
• Time stamps in Hex
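The header walk-through and the refined search terms above can be put together in code. The following Python script is an added example and is not part of Troy Larson's deck: it carves EVENTLOGRECORDs out of a raw byte blob by the LfLe signature, decodes the fields in the MSDN order, and emits the little-endian hex and UTF-16LE search terms. The header bytes of the embedded sample record reproduce the slide's hex dump; its insertion strings (jsmith, REX, WKSTN-01, ...), SID, EventType, NumStrings and EventCategory are constructed assumptions.

```python
import struct
from datetime import datetime, timezone
# EVENTLOGRECORD fixed header (56 bytes, little-endian) in MSDN field order: Length, "LfLe",
# RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
HEADER = struct.Struct("<I4sIIIIHHHHIIIIII")
MAGIC = b"LfLe"

def read_utf16z(buf, off):
    """Read one NUL-terminated UTF-16LE string at off; return (text, offset after the NUL)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2

def sid_to_str(sid):
    """Render a binary SID (revision, count, 48-bit big-endian authority, sub-authorities)."""
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-%d-%d" % (sid[0], int.from_bytes(sid[2:8], "big")) + "".join("-%d" % s for s in subs)

def parse_record(buf, start):
    """Decode the EVENTLOGRECORD whose Length field begins at buf[start]."""
    (length, magic, recnum, t_gen, t_wri, event_id, ev_type, nstrings, category, _flags,
     _closing, str_off, sid_len, sid_off, _dlen, _doff) = HEADER.unpack_from(buf, start)
    if magic != MAGIC:
        raise ValueError("no LfLe signature at offset %d" % (start + 4))
    source, off = read_utf16z(buf, start + HEADER.size)   # SourceName follows the header,
    computer, _ = read_utf16z(buf, off)                   # then Computername
    strings, off = [], start + str_off
    for _ in range(nstrings):
        text, off = read_utf16z(buf, off)
        strings.append(text)
    return {"length": length, "record_number": recnum, "source": source, "computer": computer,
            # 32-bit seconds since 1970-01-01 UTC; convert to local time only when reporting
            "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
            "time_written": datetime.fromtimestamp(t_wri, tz=timezone.utc),
            "event_id": event_id & 0xFFFF,   # low word is the number Event Viewer shows (529)
            "event_type": ev_type, "category": category, "strings": strings,
            "sid": buf[start + sid_off:start + sid_off + sid_len] if sid_len else b""}

def carve_records(buf):
    """Find every complete EVENTLOGRECORD in a raw blob by scanning for the LfLe signature."""
    records, pos = [], buf.find(MAGIC)
    while pos != -1:
        start = pos - 4                                   # Length sits just before LfLe
        if start >= 0 and start + HEADER.size <= len(buf):
            length = struct.unpack_from("<I", buf, start)[0]
            # Require a plausible Length and a matching trailing Length copy: the .evt file header
            # and end-of-file marker also carry LfLe but are shorter; a truncated fragment fails too.
            if HEADER.size < length <= len(buf) - start and \
                    struct.unpack_from("<I", buf, start + length - 4)[0] == length:
                records.append(parse_record(buf, start))
        pos = buf.find(MAGIC, pos + 1)
    return records

def search_terms(rec):
    """Refined carving terms: little-endian hex for Event ID and time stamp, UTF-16LE hex for strings."""
    hexle = lambda v: struct.pack("<I", v).hex(" ").upper()
    terms = {"event_id": hexle(rec["event_id"]),
             "time_generated": hexle(int(rec["time_generated"].timestamp()))}
    for text in rec["strings"]:
        terms[text] = text.encode("utf-16-le").hex(" ").upper()
    return terms

def build_sample_record():
    """Constructed 176-byte record: header values come from the slide's hex dump; the insertion
    strings, SID, EventType, NumStrings and EventCategory are assumed for illustration."""
    source = "Security\0".encode("utf-16-le")                   # 18 bytes at offset 56
    computer = "REX\0".encode("utf-16-le")                      # 8 bytes at offset 74
    sid = bytes.fromhex("01 01 00 00 00 00 00 05 12 00 00 00")  # S-1-5-18, 12 bytes at 82
    insertion = ["jsmith", "REX", "2", "User32", "Negotiate", "WKSTN-01"]
    strings = "".join(s + "\0" for s in insertion).encode("utf-16-le")  # 78 bytes at 94
    sid_off = HEADER.size + len(source) + len(computer)         # 82 = 0x52
    str_off = sid_off + len(sid)                                # 94 = 0x5E
    data_off = str_off + len(strings)                           # 172; no binary data
    length = data_off + 4                                       # 176 = 0xB0 with trailing Length
    hdr = HEADER.pack(length, MAGIC, 390650, 0x421D54AA, 0x421D54AA, 529, 16, len(insertion),
                      2, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return hdr + source + computer + sid + strings + struct.pack("<I", length)

if __name__ == "__main__":
    blob = b"\x00" * 37 + build_sample_record() + b"\xff" * 11  # constructed "unallocated" bytes
    for rec in carve_records(blob):
        print(rec["record_number"], rec["event_id"], rec["time_generated"], rec["computer"])
        print(sid_to_str(rec["sid"]), rec["strings"], search_terms(rec))
```

The trailing-Length check is what separates a complete carved record from a fragment cut off by the cluster boundary; a fragment still yields the header fields shown on the slides, but the insertion strings may be missing.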
Recovering Information from Deleted Security Event Logs

Questions?

Troy Larson
troyla@microsoft.com
