1 / 62

File Analysis Chapter 5 – Harlan Carvey

File Analysis Chapter 5 – Harlan Carvey. Event Logs File Metadata. Event Logs Logging Events. Events Logging Events Event Log Format Event Record Structure Various Logs. Usual Event Logs. Application Log of application errors, warnings and information Security

amos-duran
Download Presentation

File Analysis Chapter 5 – Harlan Carvey

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. File AnalysisChapter 5 – Harlan Carvey Event Logs File Metadata

  2. Event LogsLogging Events • Events • Logging Events • Event Log Format • Event Record Structure • Various Logs

  3. Usual Event Logs • Application • Log of application errors, warnings and information • Security • Dropped Packets, Successful Connections • Logon/Logoffs • System • Various device events

  4. Registry References - XP

  5. Windows 7 Location of logs

  6. Event Log Location - XP

  7. Event Log LocationVista, Win7 • C:Windows->System32->winevt->Logs

  8. Location of Event Logs

  9. App & System Logging • On by default • Log size is 512 KB by default • Written by the application

  10. Security Logging - XP • Not on by default • Log size is 512 KB by default • Control Panel Admin tools -> Local Security Policy

  11. Security LoggingWindows 7

  12. Log Viewer • Event Viewer • Control Panel -> Administrative Tools -> Event Viewer • Application, Security and System logs available • Event Properties • DTG of the event • Important for some timelines

  13. App Log

  14. System Log

  15. Security LogSuccess

  16. Security LogFailure

  17. Windows 7

  18. Event Viewer • Convenient and pretty • Works only on live systems • Does not work on a forensics image • We have to parse the event logs

  19. Event Logs • Binary Structure • Header and a series of records • Application logs are vendor specific • EventID.net is a good source for this info - $$$ • blogs.msdn.com/ericfiz/default.aspx • www.microsoft.com/technet/support/ee/ee_advanced.aspx

  20. Event Log ConfigurationXP • Held in registry keys

  21. Windows 7

  22. Registry Viewer • Event message

  23. Event Log File Format XP only • Event Log Header – 12 DWORD values • Event Records – Variable length • Windows 7 & Vista • http://www.dfrws.org/2007/proceedings/p65-schuster.pdf • http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf

  24. Event Log Header Structure

  25. Event Record Structure

  26. Carvey’s Help • Best not to depend on the Window’s API to read the Event files • They can be corrupted • May miss the next to be over written • Provides summary stats • Provides output readable in Excel

  27. evtstats.exe Lots of events

  28. lsevt.exe Entry for each of the 2464 Event Records

  29. lsevt2.exe Entry for each of the 2464 Event Records Puts it into an Excel readable format lsevt –f event_file –c > save_file.csv

  30. Excel – Open .csv file

  31. Change Format Choose Delimited

  32. Identify Separators Harlan’s stuff is separated by semicolons. With Perl knowledge you could change it.

  33. Excel Manipulatible

  34. Information

  35. Other Logs • IE Browsing History • Set Up • XP Firewall • Recycle Bin • Shortcut Files

  36. IE Browsing History • Index.dat files • DiscoverPro • NetAnalysis • Index dat spy • SuperWinSpy • Be careful !!!

  37. NetAnalysis

  38. Set Up Logs • Setuplog.txt • Setupact.log • SetupAPI.log • Netsetup.log

  39. Setuplog.txtC:\WINDOWS

  40. Setupact.logC:\WINDOWS

  41. SetupAPI.logC:\WINDOWS

  42. NetSetup.logc:\Winodws\Debug

  43. Task Scheduler LogSchedLgU.txt

  44. Enabling Firewall Logging • Control Panel -> Security Center -> Windows Firewall -> Advanced • Follow your nose

  45. Firewall Log • C:\WINDOWS\pfirewall.log

  46. Recycle Bin • C:\RECYCLER • Each user gets his own folder • Use the user’s SID • Each has its own INFO2 file

  47. Recycle Bin

  48. recbin.exe

More Related