Digital Forensics and Windows 7 Event Logs

Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3 – Research|Readiness|Response
Introduction

Vista/Windows 7 Event Logging:
• New format *.evtx.
• More, many more, event log files.
• New system for collecting and displaying events.
• New security event numbering.
Windows Event Logs

Before Vista—Event Log.
• The big three:
  – System.
  – Security.
  – Application.
• Binary file, .evt.
• \Windows\System32\config
• Documented and well known.
  http://msdn.microsoft.com/en-us/library/aa363652(v=VS.85).aspx

Vista to present—Windows Event Log.
• The big three:
  – System.
  – Security.
  – Application.
  – Plus 100+ more event log files.
  – Binary/XML format—.evtx.*
• C:\Windows\System32\winevt\Logs
• New, documentation growing.
  http://msdn.microsoft.com/en-us/library/aa385780(v=VS.85).aspx

*http://computer.forensikblog.de/en/topics/windows/vista_event_log/
Windows Event Logs

C:\Windows\System32\winevt\Logs
Windows Event Logs

What is an event log?
Windows Event Logs

An event log is more than its .evtx file.
• The log displayed in the Event Viewer is a compilation of an .evtx
  file and components of one or more message DLLs.
• The Registry links the .evtx to its message DLLs, which together
  create the complete event log presented by the Event Viewer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
From *.evtx to Event Log

(Diagram: the *.evtx file and MessageFile.dll are joined, through the Registry key
HKLM\SYSTEM\ControlSet001\services\eventlog, into the event log shown in the Event Viewer.)
Windows Event Logs
• Impact on forensics?
  – Information in an event log often depends on message
    DLLs.
  – To get the message information, one must have the
    message DLLs available at the time the logs are
    collected or read.
  – Security events generally consistent within same
    versions of Windows (message DLLs the same).
  – Application logs pose the biggest risk of incompatible
    or missing message information—as message DLLs
    depend on the installed applications.
Windows Event Logs
• Solutions:
  – Collect logs live, before shutting down a system.
     • For Example:
        – >psloglist.exe -s -x Application > AppEvent.csv
        – >psloglist.exe -s -x System > SysEvent.csv
        – >psloglist.exe -s -x Security > SecEvent.csv
  – Rebuild registry references to message DLLs on
    the analysis workstation.
     • Generally, not necessary unless there are recorded
       events that are important and need to be resolved with
       their corresponding message DLLs.
Windows Event Logs
• Configuring the analyst workstation for
  reviewing event logs:
  – Identify the missing message DLLs.
     • Specified by the registry key for the component with
       the incomplete event record.
  – Copy the message DLLs to the analyst workstation.
  – Add registry keys for the component to specify the
    location of the message DLLs.
Windows Event Logs
• Identify missing message DLLs.
  – Review system registry hive file of the system from
    which the event log file was taken.
Windows Event Logs
• Extract the message DLL(s) from the source
  system and copy to the analyst’s workstation.
  – New location or recreate original path.
Windows Event Logs
• Recreate the registry services\eventlog key(s) and values on
  the analyst’s workstation so that they point to the copied
  message DLL(s). Include all original values.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Communicator

• The Event Viewer should now pull in the expected message
  DLL information when the event log is viewed.
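The three steps above (identify the DLLs a source needs, copy them, recreate the key with all of its values) as one script, added here as an example and not part of the original deck: it loads a copy of the evidence SYSTEM hive, reads each requested source key under services\eventlog, and recreates it under the analyst workstation's CurrentControlSet with every *MessageFile value pointed at the copied DLL. The hive path, DLL folder, log name and source name (Application\Communicator, as on the slide) are assumed placeholders; run it elevated, and with -DryRun first.

```powershell
# Added example: rebuild services\eventlog source keys on the analyst workstation
# from an evidence SYSTEM hive, so the Event Viewer can resolve the message DLLs.
# Assumptions (placeholders): a COPY of the hive is at C:\Evidence\SYSTEM (reg.exe
# does not load hives read-only, so never point this at the original), the DLLs
# extracted from the image are in C:\Evidence\MessageDlls, and the shell is elevated.
param(
    [string]$HivePath   = 'C:\Evidence\SYSTEM',
    [string]$DllRoot    = 'C:\Evidence\MessageDlls',
    [string]$ControlSet = 'ControlSet001',
    [string]$LogName    = 'Application',
    [string[]]$Sources  = @('Communicator'),     # source key(s) with unresolved events
    [switch]$DryRun                              # report only, write nothing
)

$mountName = 'EvidenceSYSTEM'
$srcRoot   = "HKLM:\$mountName\$ControlSet\services\eventlog\$LogName"
$dstRoot   = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$LogName"

# Load the evidence hive under a throwaway name so its eventlog keys can be read.
& reg.exe load "HKLM\$mountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (elevated shell required)" }

try {
    foreach ($source in $Sources) {
        $srcKey = Get-Item -Path (Join-Path $srcRoot $source) -ErrorAction Stop
        $dstKey = Join-Path $dstRoot $source
        if (-not $DryRun -and -not (Test-Path $dstKey)) {
            New-Item -Path $dstKey -Force | Out-Null
        }

        # Recreate the key with ALL of its original values, keeping each value's
        # registry type. EventMessageFile is normally REG_EXPAND_SZ, so it is read
        # without expanding %SystemRoot% (which would otherwise resolve to the
        # analyst machine, not the source system).
        foreach ($valueName in $srcKey.GetValueNames()) {
            $kind = $srcKey.GetValueKind($valueName)
            $data = $srcKey.GetValue($valueName, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

            # EventMessageFile / CategoryMessageFile / ParameterMessageFile hold
            # semicolon-separated DLL paths from the source system. Point each at the
            # copy under $DllRoot and flag any DLL that still has to be extracted.
            if ($valueName -like '*MessageFile') {
                $rewritten = foreach ($p in ($data -split ';')) {
                    $leaf = Split-Path ([Environment]::ExpandEnvironmentVariables($p.Trim())) -Leaf
                    $copy = Join-Path $DllRoot $leaf
                    if (-not (Test-Path $copy)) {
                        Write-Warning "$LogName\$source ${valueName}: no copy of $leaf at $copy (source path: $p)"
                    }
                    $copy
                }
                $data = $rewritten -join ';'
                $kind = 'String'     # the rewritten paths contain no environment variables
            }

            if ($DryRun) {
                Write-Host "[DryRun] $dstKey : $valueName ($kind) = $data"
            } else {
                New-ItemProperty -Path $dstKey -Name $valueName -Value $data `
                                 -PropertyType $kind -Force | Out-Null
            }
        }
        $srcKey.Close()
    }
}
finally {
    # Release the loaded hive; a lingering RegistryKey handle makes reg unload fail.
    [GC]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}
```

Any warning printed names a DLL that is still missing from the copy folder, which is the list to go back to the image for before the Event Viewer is reopened.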
Windows Event Logs
• Event logs in forensic examinations:
  – Rarely a primary source of information.
     • Noisy.
     • Significant events often only stand out when there are dates,
       times, or other items to bring focus to an event.
  – Security events are often not significant.
     • Dependent on the security audit settings.
  – Often evidence of compromise is found in the System
    and Application event logs or one of the new,
    narrowly focused logs.
     • System or application crashes.
     • Errors, warnings, information.
Windows Event Logs

Working with the Windows 7 Event Viewer

Windows Event Logs

Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
Windows Event Logs

• Start by selecting the event source, as this will populate the other choices.
• Next, focus on Task categories—here, selecting logon and logoff.
• Finally, Keywords, here selecting Audit Failure and Audit Success.

The filtered view.
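The same filter the slides build in the Event Viewer (source Security Auditing, task categories Logon/Logoff, keywords Audit Success/Audit Failure), applied with Get-WinEvent to a saved Security.evtx on the analyst workstation; this is an added example and not part of the original deck. The file path is an assumed placeholder; the task and keyword numbers are the values the Event Viewer itself writes into a custom view's XML.

```powershell
# Added example: the Event Viewer filter from the slides (Security Auditing source,
# Logon/Logoff task categories, Audit Success/Audit Failure keywords) run with
# Get-WinEvent against a saved Security.evtx. The path is a placeholder; -Start/-End
# narrow the window once other facts fix a time of interest.
param(
    [string]$EvtxPath = 'C:\Evidence\Security.evtx',
    [datetime]$Start  = [datetime]::MinValue,
    [datetime]$End    = [datetime]::MaxValue
)

if (-not (Test-Path $EvtxPath)) { throw "evtx not found: $EvtxPath" }

# Task categories and keyword bits exactly as the Event Viewer writes them into a
# custom view's XML: Logon = 12544, Logoff = 12545,
# Audit Success = 0x20000000000000, Audit Failure = 0x10000000000000.
$taskLogon  = 12544
$taskLogoff = 12545
$auditBoth  = 0x30000000000000

$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] " +
         "and band(Keywords,$auditBoth) " +
         "and (Task=$taskLogon or Task=$taskLogoff)]]"

# SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
$events = Get-WinEvent -Path $EvtxPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $Start -and $_.TimeCreated -le $End }

# Flatten the EventData block of each record into the fields a timeline needs.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Outcome   = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Failures per account, largest first: a quick view of where the noise concentrates
# before times from other evidence are used to narrow the window.
$rows | Where-Object Outcome -eq 'Failure' | Group-Object Account |
    Sort-Object Count -Descending | Select-Object Count, Name
```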
Windows Event Logs

And now, the event logs.
Windows Event Logs
• System Events.
  – Logged by Windows and Windows system services; classified as
    error, warning, or information.
  – Typical interesting events:
     • Time change.
     • Startup and shutdown.
     • Service startup, shutdown, and failures.
     • Startups should be logged, but crashes or errors could
       prevent logging of shutdown or termination events.

http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
Windows Event Logs
• Application events.
   – Program events are classified as error, warning, or information, depending on
     the severity of the event. An error is a significant problem, such as loss of
     data. A warning is an event that isn't necessarily significant, but might indicate
     a possible future problem. An information event describes the successful
     operation of a program, driver, or service.
   – Typical interesting events would be those relating to programs that could be
     relevant to an investigation.
        • Application errors.
             – E.g., BackupExec agent attack.
             – Antivirus or malware detection events.
        • Combined with System events, Application events can show that symptoms of
          suspected intrusions or compromises could have been long-standing system problems.
   – Note: application logging is controlled by the applications—so events are
     defined by the application developers.
   – Not all applications generate events.
Windows Event Logs
• Security events.
   – These events are called audits and are described as successful or failed
     depending on the event, such as whether a user trying to log on to
     Windows was successful.
   – Depend on audit policy.
   – Noisy.
   – Completely different Security event IDs from all versions before Vista.
   – General Tip: Translate pre-Vista Event ID numbers to the new Vista
     event ID numbers by adding 4096.
   – There are a number of new security events.
   – Typical events of interest:
       •   Account logon and logoff.
       •   Failed logon attempts.
       •   Account escalation.
       •   Process execution.
Windows Event Logs

9 audit categories.
Windows Event Logs
Clicking on an audit category can provide you with an explanation of
what the category audits.
Windows Event Logs

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3A15B562-4650-4298-9745-D9B261F35814&displaylang=en

Windows Event Logs

http://support.microsoft.com/kb/977519
Windows Event Logs

Further Information:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
http://blogs.msdn.com/b/ericfitz/

Windows Event Logs

All those other logs.
Windows Event Logs

• Emphasis: usually on Security events, but other event logs may have more to offer.
• Event logs are not typically the primary evidence.
  – Often too noisy.
• Best used when other facts fix times, or implicate specific accounts or computers.
• Often most useful in a timeline with other items of significance.

Windows 7 forensics event logs-dtl-r3

  • 1. Digital Forensics and Windows 7 Event Logs Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
  • 2. Introduction Vista/Windows 7 Event Logging: • New format *.evtx. • More, many more, event log files. • New system for collecting and displaying events. • New security event numbering.
  • 3. Windows Event Logs Before Vista—Event Log. Vista to present—Windows Event • The big three: Log. – System. • The big three: – Security. – System. – Application. – Security. • Binary file, .evt. – Application. • WindowsSystem32config – Plus 100+ more event log files. – Binary/xml format—.evtx.* • Documented and well known. • C:WindowsSystem32winevt Logs • New, documentation growing. http://msdn.microsoft.com/en- http://msdn.microsoft.com/en- us/library/aa363652(v=VS.85).aspx us/library/aa385780(v=VS.85).aspx *http://computer.forensikblog.de/en/topics/windows/vista_event_log/
  • 4. Windows Event Logs C:WindowsSystem32winevtLogs
  • 5. Windows Event Logs What is an event log?
  • 6. Windows Event Logs An event log is more than its .evtx file. • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs. • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog
  • 7. From *.evtx to Event Log Registry: HKLMSYSTEMControlSet001serviceseventlog *.evtx file MessageFile.dll Event Viewer
  • 8. Windows Event Logs • Impact on forensics? – Information in an event log often depends on message DLLs. – To get the message information, one must have the message DLLs available at the time the logs are- • Collected; or • Read. – Security events generally consistent within same versions of Windows (message DLLs the same). – Application logs pose the biggest risk of incompatible or missing message information—as message DLLs depend on the installed applications.
  • 9. Windows Event Logs • Solutions: – Collect logs live, before shutting down a system. • For Example: – >psloglist.exe -s -x Application > AppEvent.csv – >psloglist.exe -s -x System > SysEvent.csv – >psloglist.exe -s -x Security > SecEvent.csv – Rebuild registry references to message DLLs on the analysis workstation. • Generally, not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
  • 10. Windows Event Logs • Configuring the analyst workstation for reviewing event logs: – Identify the missing message DLLs. • Specified by the registry key for the component with the incomplete event record. – Copy message DLLs to analyst work station. – Add registry keys for component to specify location of the message DLLs.
  • 11. Windows Event Logs • Identify missing message DLLs. – Review system registry hive file of the system from which the event log file was taken.
  • 12. Windows Event Logs • Extract the message DLL(s) from the source system and copy to the analyst’s workstation. – New location or recreate original path.
  • 13. Windows Event Logs • Recreate the registry serviceseventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values. HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogApplicationCommunicator • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
• 14. Windows Event Logs
  • Event logs in forensic examinations:
    – Rarely a primary source of information.
      • Noisy.
      • Significant events often stand out only when dates, times, or other facts bring focus to an event.
    – Security events are often not significant.
      • They depend on the security audit settings.
    – Evidence of compromise is often found instead in the System and Application event logs, or in one of the new, narrowly focused logs.
      • System or application crashes.
      • Errors, warnings, information.
  • 15. Windows Event Logs Working with the Windows 7 Event Viewer
  • 19. Windows Event Logs Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
  • 20. Windows Event Logs • Start by selecting the event source, as this will populate the other choices.
  • 21. Windows Event Logs • Next, focus on Task categories—here, selecting logon and logoff.
  • 22. Windows Event Logs • Finally, Keywords, here selecting Audit Failure and Audit Success.
  • 23. Windows Event Logs The filtered view.
  • 24. Windows Event Logs And now, the event logs.
• 25. Windows Event Logs
  • System events.
    – Logged by Windows and Windows system services, and classified as error, warning, or information.
    – Typical interesting events:
      • Time change.
      • Startup and shutdown.
      • Service startup, shutdown, and failures.
      • Startups should be logged, but crashes or errors can prevent the logging of shutdown or termination events.
  http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
• 29. Windows Event Logs
  • Application events.
    – Program events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.
    – Typical interesting events are those relating to programs that could be relevant to an investigation.
      • Application errors (e.g., a BackupExec agent attack).
      • Antivirus or malware detection events.
    – Combined with System events, Application events can show that the symptoms of a suspected intrusion or compromise were in fact long-standing system problems.
    – Note: application logging is controlled by the applications, so the events are defined by the application developers.
    – Not all applications generate events.
• 32. Windows Event Logs
  • Security events.
    – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.
    – Depend on the audit policy.
    – Noisy.
    – The Security event IDs are completely different from those of all versions before Vista.
    – General tip: translate a pre-Vista event ID to its Vista/Windows 7 event ID by adding 4096 (for example, 528 becomes 4624). This holds for most, but not all, of the old IDs.
    – There are a number of new security events.
    – Typical events of interest:
      • Account logon and logoff.
      • Failed logon attempts.
      • Account escalation (special privileges assigned to a logon).
      • Process execution.
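An added example, not from the original deck, that does in PowerShell what the filtering slides above do in the Event Viewer: it pulls the Security, System and Application events of the kinds listed above out of the logs, applies the +4096 rule to a handful of pre-Vista Security IDs, and merges the results into the single time-ordered CSV the deck recommends for timeline work. The event IDs are the standard Vista/Windows 7 ones; the time window and output path are assumed values. Requires PowerShell 3.0 or later and an elevated prompt (the Security log needs it).

```powershell
# Added example: build a cross-log timeline of the events the deck lists as
# interesting. Assumptions (not from the deck): PowerShell 3.0+, run elevated,
# $Start/$End/$Out are example values.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date),
    [string]$Out     = "$env:TEMP\eventlog-timeline.csv"
)

# Pre-Vista Security IDs translated with the deck's +4096 rule:
# 528 -> 4624 logon, 529 -> 4625 failed logon, 538 -> 4634 logoff,
# 576 -> 4672 special privileges assigned, 592 -> 4688 process creation,
# 520 -> 4616 system time changed.
$legacySecurityIds = 528, 529, 538, 576, 592, 520
$securityIds = $legacySecurityIds | ForEach-Object { $_ + 4096 }

# System log: 1074 shutdown/restart requested, 6005/6006 event log service
# started/stopped (boot/shutdown markers), 6008 unexpected shutdown,
# 7034 service crashed, 7036 service state change, 7045 new service installed,
# and Kernel-General ID 1 = the system time was changed.
$systemIds = 1, 1074, 6005, 6006, 6008, 7034, 7036, 7045

$queries = @(
    @{ LogName = 'Security';    Id = $securityIds; StartTime = $Start; EndTime = $End },
    @{ LogName = 'System';      Id = $systemIds;   StartTime = $Start; EndTime = $End },
    # Application: errors (level 2) and warnings (level 3) only, the crash and
    # AV-detection symptoms the deck says often reveal a compromise.
    @{ LogName = 'Application'; Level = 2, 3;      StartTime = $Start; EndTime = $End }
)

$timeline = foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
        # Take fields from the event's XML rather than the rendered Message:
        # the XML is complete even when the message DLL is missing.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Log       = $_.LogName
            Id        = $_.Id
            Provider  = $_.ProviderName
            Keyword   = if ($_.KeywordsDisplayNames) { $_.KeywordsDisplayNames -join ',' } else { '' }  # Audit Success / Audit Failure
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            Source    = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['WorkstationName'] }
            Process   = $data['NewProcessName']
            Summary   = ($_.Message -split '\r?\n')[0]   # empty when the message DLL is missing
        }
    }
}

$timeline | Sort-Object Time | Export-Csv -Path $Out -NoTypeInformation -Encoding UTF8
Write-Host ("{0} events written to {1}" -f @($timeline).Count, $Out)
```

Get-WinEvent accepts a -Path argument instead of -LogName, so the same hashtables run against the exported .evtx files from the collection step; in that case the Summary column is only populated when the message DLLs (or the archived LocaleMetaData) are available, which is why the script carries the XML fields separately. Whether 4624/4625/4688 appear at all depends on the audit policy of the source system (see the audit categories that follow).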
  • 33. Windows Event Logs 9 audit categories.
  • 34. Windows Event Logs Clicking on an audit category can provide you with an explanation of what the category audits.
  • 37. Windows Event Logs http://support.microsoft.com/kb/977519
  • 38. Windows Event Logs Further Information: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx http://blogs.msdn.com/b/ericfitz/
  • 39. Windows Event Logs All those other logs.
• 48. Windows Event Logs
  • Emphasis: usually on Security events, but the other event logs may have more to offer.
  • Event logs are not typically the primary evidence.
    – Often too noisy.
  • Best used when other facts fix times, or implicate specific accounts or computers.
  • Often most useful in a timeline with other items of significance.