Introduction to Event Log Analysis
Logs are the sequential records of events that have occurred on, or been performed on, a system. All operating systems can store these records. Investigators can build a timeline from these logs and find the exact time and location of an attack.
Operating systems regularly audit their contents and files in order to look for discrepancies. These files store data about the previous state of a system. Investigators can extract the state data and compare it with the current state to find the attack vectors.
This section discusses the process of analyzing the event logs of a Windows-based system in a forensically sound manner. It is important for investigators to know the proper way of analyzing the different system logs.
Forensics tools help investigators by simplifying and speeding up their work. This section of the document will help in understanding the different forensics tools, their purpose, and the ways to use them.
Understanding Events
Event logs can be very helpful to investigators looking for data related to a suspected incident. The information an event log holds depends on the audit policies in force: the logs record only the information those policies mandate. Using these logs, the investigator can map the activities performed on the system to the users, IP addresses, or groups involved. These activities can include the number of failed logins, an unusually high number of logins, and so on, which can help the investigator trace the attacker.
Organization of Event Records
Event records can be organized in two ways: non-wrapping and wrapping.
1. Non-wrapping
As represented in the slide, in non-wrapping event record organization the oldest record sits immediately after the event log header and each new record is appended at the end. This layout is used until the log reaches its maximum size, which depends on the configured size value or on available system resources. Once the size limit is crossed, the wrapping method is applied.
2. Wrapping
As represented in the slide, in wrapping event record organization the oldest record is 102 instead of 1. There is some empty space between the oldest record and the ELF EOF RECORD, left to make room for new records. The event log file has a size limit, and when that limit is exceeded the records in the file are wrapped. When wrapping begins, the last record of the file is divided into two.
EventLog Record Structure
Knowing the event record structure lets an investigator make sense of incomplete records found in unallocated space, and the magic number is what allows such records to be located there. Each event record begins with a 56-byte header, whose fields can be used to reconstruct parts of the record even when the rest of it is not available.
1. Length
The length of the event record indicates the event record size in bytes.
2. NumStrings
This is the number of strings carried in the record. The message shown to the user is produced by merging these strings into the message template.
3. EventID
The event ID, or event identifier, identifies an event. Its meaning depends on the event source, since every event source defines the values of its own event IDs. The event ID and the source name together are used to look up the message text in the message file for that event source.
4. EventType
Events are of five kinds: error, warning, information, success audit, and failure audit. Every event type has its own significance and provides specific details of the event. When an event occurs, the application indicates its event type. An event can be of only one type at a time.
- Error: It denotes an issue or problem, such as data loss
- Warning: It indicates a condition that may lead to a future error
- Information: This event gives details of a successful operation
- Success Audit: This event records a successful audited security access attempt
- Failure Audit: This event records a failed audited security access attempt
5. EventCategory
It indicates the category of an event. Every source of the event defines the value of its event category. Event categories make it easy to organize various events.
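To make the record structure above concrete, here is an added Python example (not code from the original article or from the CHFI course material) that decodes the 56-byte header, the fields discussed above among them, from the legacy .evt record layout, and then carves records out of a buffer by searching for the magic number, as the text describes for unallocated space. The field layout and EventType values are those of the EVENTLOGRECORD structure in winnt.h; the sample records, their timestamps, account and host names, and the surrounding junk bytes are all constructed here. A record cut off by the end of the buffer is still returned, with `complete` set to False, so the parts that survive can be reconstructed.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# The 56-byte EVENTLOGRECORD header of the legacy .evt format (winnt.h), all
# fields little-endian: Length, Reserved (the magic "LfLe"), RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength,
# UserSidOffset, DataLength, DataOffset.
RECORD_HEADER = struct.Struct("<I4sIIIIHHHHIIIIII")
assert RECORD_HEADER.size == 56
MAGIC = b"LfLe"

# EventType values from winnt.h: the five kinds named in the text.
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}


def _read_utf16(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string; stops early if the buffer ends."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf: bytes, offset: int = 0) -> Dict[str, object]:
    """Decode the header at `offset` plus the source, computer and message
    strings that follow it. A record cut off by the end of the buffer is
    returned with complete=False so its surviving fields are still usable."""
    (length, magic, rec_no, t_gen, _t_wr, event_id, ev_type, num_strings,
     category, _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
     _data_off) = RECORD_HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError("no event record at offset %d" % offset)
    source, pos = _read_utf16(buf, offset + RECORD_HEADER.size)
    computer, _ = _read_utf16(buf, pos)
    strings, pos = [], offset + str_off
    for _ in range(num_strings):
        s, pos = _read_utf16(buf, pos)
        strings.append(s)
    # A complete record repeats its Length as its last 4 bytes.
    end = offset + length
    complete = (end <= len(buf)
                and struct.unpack_from("<I", buf, end - 4)[0] == length)
    return {
        "length": length,
        "record_number": rec_no,
        "generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,   # low word is the ID Event Viewer shows
        "event_type": EVENT_TYPES.get(ev_type, "Unknown(%d)" % ev_type),
        "category": category,
        "source": source,
        "computer": computer,
        "strings": strings,
        "complete": complete,
    }


def carve_records(blob: bytes) -> List[Dict[str, object]]:
    """Scan arbitrary bytes (e.g. unallocated space or file slack) for the
    magic number and decode every record, whole or partial, that follows it."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        start = pos - 4                    # Length sits just before the magic
        if start >= 0:
            try:
                found.append(parse_record(blob, start))
            except (ValueError, struct.error):
                pass                       # not even a full header survived
        pos = blob.find(MAGIC, pos + 1)
    return found


def build_record(rec_no: int, event_id: int, ev_type: int, category: int,
                 source: str, computer: str, strings: List[str],
                 timestamp: int = 1_600_000_000) -> bytes:
    """Serialise a record in the same layout; used here only to construct
    sample data (no SID and no binary data section)."""
    def u16z(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    names = u16z(source) + u16z(computer)
    body = b"".join(u16z(s) for s in strings)
    length = RECORD_HEADER.size + len(names) + len(body) + 4
    pad = (-length) % 4                    # records are 4-byte aligned
    length += pad
    str_off = RECORD_HEADER.size + len(names)
    data_off = str_off + len(body)
    header = RECORD_HEADER.pack(length, MAGIC, rec_no, timestamp, timestamp,
                                event_id, ev_type, len(strings), category, 0, 0,
                                str_off, 0, data_off, 0, data_off)
    return header + names + body + b"\x00" * pad + struct.pack("<I", length)


# Constructed sample: two records (IDs 624 and 642 as in the text) buried in
# junk, the second cut off just after its source name, which is the kind of
# result a scan of unallocated space typically turns up.
_R1 = build_record(101, 624, 8, 2, "Security", "WKS01", ["jdoe", "Administrator"])
_R2 = build_record(102, 642, 8, 2, "Security", "WKS01", ["jdoe", "Administrator"])
SAMPLE_SLACK = b"\xff" * 13 + _R1 + b"\x00" * 7 + _R2[:76] + b"\x00" * 9

if __name__ == "__main__":
    for rec in carve_records(SAMPLE_SLACK):
        print(rec)
```

The carver keys on the Reserved field because that magic is the only fixed byte pattern in a record; the Length before it and the repeated Length after it are what distinguish a whole record from a fragment, which is why the parser reports `complete` separately rather than discarding partial records.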
Windows 10 Event Logs
Wevtutil
This tool enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Evaluating Account Management Events
The account management category of events is used to record the changes in accounts and group membership. This includes creation, deletion, and disabling of accounts; modification of accounts which belong to other groups; and account lockouts and reactivations. Various Event IDs are associated with changes in the accounts.
An account can be a domain account or a local account and can represent a user, computer, or service. Domain account events are recorded on domain controllers, and events related to local accounts are recorded on the local computer involved in the operation. These events are recorded regardless of whether the account represents a user, computer, or service. When an account is created, Event ID 624 is recorded. This event shows the name of the newly created account, along with the name of the account that was used to create it. Event ID 642 records the changes made to an existing account.
When reading the description for an event that involves adding or removing an account to or from a group, these rules apply:
- The first line of the description summarizes the type of action.
- The account that performed the action is listed in the Caller User Name field.
- The account added or removed is shown in the Member ID field.
- The group affected is listed as the Target Account Name.
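The four reading rules above can be applied mechanically. The following Python example is added here and is not code from the original article; it parses a group-membership event description laid out as the text describes (summary line first, then `Field: value` lines) and reduces a batch of such descriptions to one-line findings for changes touching groups on a watch list. Both sample descriptions, every account, group and host name in them, and the watch list itself are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample descriptions in the layout the text describes: the first
# line summarises the action, then one "Field: value" pair per line.
SAMPLE_ADD = """\
Security Enabled Local Group Member Added:
    Member Name:            -
    Member ID:              WKS01\\jdoe
    Target Account Name:    Administrators
    Target Domain:          Builtin
    Caller User Name:       helpdesk1
    Caller Domain:          WKS01
    Caller Logon ID:        (0x0,0x1A2B3C)
"""

SAMPLE_REMOVE = """\
Security Enabled Local Group Member Removed:
    Member Name:            -
    Member ID:              WKS01\\svc_backup
    Target Account Name:    Backup Operators
    Target Domain:          Builtin
    Caller User Name:       admin2
    Caller Domain:          WKS01
    Caller Logon ID:        (0x0,0x4D5E6F)
"""

# "Field name:   value" with any amount of padding.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_group_change(description: str) -> Dict[str, str]:
    """Apply the four reading rules: summary line, Caller User Name (who did
    it), Member ID (who was added or removed), Target Account Name (group)."""
    lines = [ln for ln in description.splitlines() if ln.strip()]
    summary = lines[0].strip().rstrip(":")
    fields = {}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "action": summary,
        "direction": "removed" if "Removed" in summary else "added",
        "caller": fields.get("Caller User Name", ""),
        "member": fields.get("Member ID", ""),
        "group": fields.get("Target Account Name", ""),
    }


def privileged_group_changes(descriptions: List[str],
                             watched=("Administrators", "Backup Operators")) -> List[str]:
    """One finding per description whose target group is on the watch list
    (the default list is an assumed example, not a recommendation)."""
    findings = []
    for text in descriptions:
        ev = parse_group_change(text)
        if ev["group"] in watched:
            preposition = "to" if ev["direction"] == "added" else "from"
            findings.append("%s %s %s %s %s" % (ev["caller"], ev["direction"],
                                                ev["member"], preposition, ev["group"]))
    return findings


if __name__ == "__main__":
    for finding in privileged_group_changes([SAMPLE_ADD, SAMPLE_REMOVE]):
        print(finding)
```

Because the parser keys on field names rather than line positions, extra fields such as Target Domain or Caller Logon ID pass through harmlessly, and a description with an unexpected layout simply yields empty caller, member or group values rather than wrong ones.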
Evaluating Account Management Events (Cont’d)
In Microsoft Windows, the "Security log" stores data about login/logout activity and any other security-related events, as specified by the system's audit policy. Audit settings allow system administrators and investigators to configure which activities Windows records in the Security log. The Security log plays a major role in detecting and investigating attempted logins, unsuccessful events, and unauthorized events.
When a system is compromised, attackers will frequently attempt to disable auditing. Modifications to the audit policy are recorded in Event ID 612 entries. In such an entry, the + symbols indicate the events that are being audited, whereas the - symbols show the categories that are not being audited. In the example, Success and Failure events are being audited for Logon/Logoff, Object Access, and Account Management, while nothing is being audited for Privilege Use, Policy Change, System, or Detailed (process) Tracking events. An Event ID 612 entry lets the investigator deduce the changes that were made by comparing the old policy with the new policy.
When Group Policy settings are applied, the domain controller's audit settings take precedence over changes made to the local audit policy on an individual computer. Because of this, attackers may not be able to completely disable auditing. If an attacker disables auditing on a computer that is a member of a domain, the domain's Group Policy audit settings may override that change during the next policy update.
Locate the audit policies by clicking Start -> Run, then typing secpol.msc and pressing Enter. In the Local Security Policy window, click Local Policies -> Audit Policy.
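The comparison of old and new policy that an Event ID 612 entry allows can be automated. The following Python example is added here and is not code from the original article: it parses the +/- table of an audit policy description into a dictionary and reports every category whose success or failure auditing was switched off between the old and new policy, which is the change a defender most wants flagged. The table layout is a constructed approximation of the +/- columns the text describes; the old policy matches the state described above, and the new policy, in which Logon/Logoff auditing is turned off and Account Management failure auditing removed, is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# category -> (success audited, failure audited)
Policy = Dict[str, Tuple[bool, bool]]

# One table row: a success mark, a failure mark, then the category name.
ROW_RE = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")

# Constructed sample of the old policy, matching the state described in the
# text: three categories fully audited, the other four not audited at all.
OLD_POLICY = """\
Success  Failure  Category
   +        +     Logon/Logoff
   +        +     Object Access
   +        +     Account Management
   -        -     Privilege Use
   -        -     Policy Change
   -        -     System
   -        -     Detailed Tracking
"""

# Constructed new policy: logon auditing switched off entirely and failure
# auditing for account management removed.
NEW_POLICY = """\
Success  Failure  Category
   -        -     Logon/Logoff
   +        +     Object Access
   +        -     Account Management
   -        -     Privilege Use
   -        -     Policy Change
   -        -     System
   -        -     Detailed Tracking
"""


def parse_policy(text: str) -> Policy:
    """Turn the +/- table into {category: (success, failure)}; the header
    line and anything that is not a table row are ignored."""
    policy: Policy = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
    return policy


def audit_reductions(old: Policy, new: Policy) -> List[str]:
    """One finding per category whose success or failure auditing was on in
    the old policy and is off (or missing) in the new one. Categories that
    gained auditing are not reported; only reductions matter here."""
    findings = []
    for category, (s_old, f_old) in old.items():
        s_new, f_new = new.get(category, (False, False))
        lost = [name for name, was, now in (("success", s_old, s_new),
                                            ("failure", f_old, f_new))
                if was and not now]
        if lost:
            findings.append("%s: %s auditing disabled"
                            % (category, " and ".join(lost)))
    return findings


def auditing_fully_disabled(policy: Policy) -> bool:
    """True when no category audits anything, the end state an attacker
    tampering with the policy is aiming for."""
    return bool(policy) and not any(s or f for s, f in policy.values())


if __name__ == "__main__":
    old, new = parse_policy(OLD_POLICY), parse_policy(NEW_POLICY)
    for finding in audit_reductions(old, new):
        print(finding)
    print("all auditing off:", auditing_fully_disabled(new))
```

Treating a category that disappears from the new policy as "not audited" (the `new.get(category, (False, False))` default) is deliberate: a removed row is as much a loss of visibility as a row switched to - -, and the comparison should fail safe.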
Examining System Log Entries
System Log records the events relating to the various aspects of system behavior, which includes changes to the operating system, hardware configuration, device driver installation, the starting and stopping of services, and a host of other items of potential investigative interest.
Whenever a service is to be stopped, the Service Control Manager sends a stop signal to the service and simultaneously sends a message (Event ID 7035) to the System event log, advising that the stop signal was sent to a particular service. When the service actually stops, the Service Control Manager again sends a message (Event ID 7036) to the System event log, advising that the service actually stopped.
Similarly, if a service is started, the Service Control Manager sends a start control signal to the service and simultaneously sends a message (Event ID 7035) to the System event log advising that the start control signal was sent. When the service starts, the Service Control Manager sends a message (Event ID 7036) to the System event log, advising that the service actually started.
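Because every controlled stop or start should appear as a 7035/7036 pair, the two entries can be matched up to build a service timeline and to surface the cases worth a second look: a control signal with no confirming state change, and a state change with no preceding control signal. The following Python example is added here and is not code from the original article; the message wording follows the shape of the Service Control Manager's entries, but the timestamps, service names and the event sequence are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Message wording in the shape of the Service Control Manager's 7035 / 7036
# entries (the service names used below are constructed).
SENT_RE = re.compile(r"The (.+?) service was successfully sent a (start|stop) control")
STATE_RE = re.compile(r"The (.+?) service entered the (running|stopped) state")
EXPECTED_STATE = {"start": "running", "stop": "stopped"}

# Constructed sample: (timestamp, event id, message), already in time order.
# The Spooler stop is never confirmed, and Telnet starts with no control signal.
SAMPLE_EVENTS: List[Tuple[str, int, str]] = [
    ("2023-05-01T10:00:01", 7035, "The ExampleAV service was successfully sent a stop control."),
    ("2023-05-01T10:00:02", 7036, "The ExampleAV service entered the stopped state."),
    ("2023-05-01T10:00:05", 7035, "The RemoteRegistry service was successfully sent a start control."),
    ("2023-05-01T10:00:06", 7036, "The RemoteRegistry service entered the running state."),
    ("2023-05-01T10:01:00", 7035, "The Spooler service was successfully sent a stop control."),
    ("2023-05-01T10:02:00", 7036, "The Telnet service entered the running state."),
]


def pair_service_events(events: List[Tuple[str, int, str]]) -> List[Dict]:
    """Match each 7035 control signal with the 7036 state change that confirms
    it. Entries left unconfirmed, and state changes with no preceding signal,
    are kept in the timeline with an explanatory note."""
    pending: Dict[Tuple[str, str], Dict] = {}   # (service, expected state) -> entry
    timeline: List[Dict] = []
    for ts, event_id, message in events:
        if event_id == 7035:
            m = SENT_RE.search(message)
            if m:
                service, control = m.groups()
                entry = {"service": service, "control": control, "sent": ts,
                         "completed": None, "note": ""}
                pending[(service, EXPECTED_STATE[control])] = entry
                timeline.append(entry)
        elif event_id == 7036:
            m = STATE_RE.search(message)
            if m:
                service, state = m.groups()
                entry = pending.pop((service, state), None)
                if entry is not None:
                    entry["completed"] = ts
                else:
                    timeline.append({"service": service, "control": None,
                                     "sent": None, "completed": ts,
                                     "note": "entered %s state with no matching "
                                             "7035 control signal" % state})
    for entry in pending.values():
        entry["note"] = ("%s control sent but no matching 7036 state change"
                         % entry["control"])
    return timeline


if __name__ == "__main__":
    for entry in pair_service_events(SAMPLE_EVENTS):
        print(entry)
```

Keying the pending table on the expected end state rather than on the service alone means a stop control is never "confirmed" by an unrelated start of the same service, which keeps the timeline honest when a service is bounced several times in quick succession.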
To navigate to the System log entries, click Start -> Control Panel -> System and Security -> Administrative Tools -> double-click Event Viewer -> click Windows Logs -> double-click System.
Examining Application Log Entries
The Application event log contains messages from both the operating system and various programs. A user can use a program from Microsoft called logevent.exe to send custom messages, typically when batch files are run. By default, this program writes its messages under Event ID 1 in the Application event log, unless another Event ID is specified.
Many utilities, especially anti-virus and other system-protection programs, send messages to the Application event log about their scanning activities, detection of malware, and so on.
Virtual Network Computing (VNC) is similar to the Windows Remote Desktop feature and allows establishment of remote connections. The VNC application records the information relating to the connections made with the VNC server, with the IP and port information from which the connection originated, in the Application event log.
To navigate to the Application log entries, click Start -> Control Panel -> System and Security -> Administrative Tools -> double-click Event Viewer -> click Windows Logs -> double-click Application.
Using Event Log Explorer to Examine Log Files
The Filter feature in the Event Viewer removes a lot of the clutter from the event log display. Filtering does not modify the event log in any way; it only changes what the Event Viewer shows. Filters can be set, reset, or changed without impacting the contents of the event log. To filter the logs, right-click any log type that you want to filter and select Filter Current Log.
In the Filter Current Log wizard, check the Critical, Error, and Warning boxes and click OK to view only failure-related events or logs. You can also filter the events by time with predefined values like Last hour, Last 12 hours, Last 24 hours, Last 7 days, and Last 30 days, by specifying your own time frame or by selecting Custom range from the Logged drop-down list.
Windows Event Log File Internals
The Windows event log files contain the records related to the system, security, and applications stored in separate files named System.evtx, Security.evtx, and Application.evtx, respectively. They are stored in the C:\Windows\System32\winevt\Logs folder.
Each of the event log file databases is similarly constructed. Each file has a header, a floating footer of sorts, and records. Database slack exists in the logical portion of the file outside the proper database. To keep the files from becoming fragmented, the operating system may allocate large contiguous cluster runs to the event log files.
Questions related to this topic
- How do I view file audit logs?
- How can I see what users are accessing a file?
- Does windows keep a log of copied files?
- How do I view Windows log files?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com