Chapter 15: Forensic Analysis of Event Logs Mastering Windows Network Forensics and Investigation
Chapter Topics:
• Using EnCase to examine Windows event log files
• Understanding the internal structure of an event log
• Repairing corrupt event log files
• Finding and analyzing event log fragments

Using EnCase to Examine Windows Event Log Files
• EnCase EnScript: Windows Event Log Parser
• Parses the raw data and does NOT rely upon the Windows API
• Output formats:
 • Bookmarks
 • Export to spreadsheet

WinXP Event Log Internals
• Databases of event records
• Event types are segregated into three files (databases):
 • SysEvent.evt
 • SecEvent.evt
 • AppEvent.evt

Event Log Internals
• Each file (database) has three parts:
 • Header
 • Records
 • Floating footer

Repairing Corrupt Event Log Files
• Header byte offsets 16-31 (16-19, 20-23, 24-27, and 28-31) represent:
 • Offset to oldest event
 • Offset to next event
 • Event ID of next event
 • Event ID of oldest event

Repairing Corrupt Event Log Files
• Floating footer byte offsets 20-35 (20-23, 24-27, 28-31, and 32-35) represent:
 • Offset to oldest event
 • Offset to next event
 • Event ID of next event
 • Event ID of oldest event

Repairing Corrupt Event Log Files
• The floating footer contains “real-time” data, while the header is updated only during a normal shutdown of the event log service
• Byte offset 36 of the header contains an odd value (09, 0B, etc.) if the update has NOT occurred, while an even value (08, 00, etc.) indicates the update has occurred

Repairing Corrupt Event Log Files
• Event Viewer (and other Windows API viewers) requires byte offset 36 to be even; otherwise a “corrupt log” message occurs
• Pulling the plug or copying live event logs results in a file whose floating footer values were never copied into the header and whose byte offset 36 is odd, hence the error message when opening such logs with Event Viewer

Repairing Corrupt Event Log Files
• The “fix” is to:
 • Copy floating footer byte offsets 20-35
 • Paste to header byte offsets 16-31
 • Change header byte offset 36 to an even value such as 00
 • Save
 • Open with Event Viewer!
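The header/footer repair described above, scripted in Python as an added example (not code from the book or from EnCase). It assumes the standard EVT layout the slides describe: a 48-byte header with the “LfLe” signature at offset 4, and a 0x28-byte floating footer whose body opens with the marker DWORDs 0x11111111, 0x22222222, 0x33333333, 0x44444444. Instead of overwriting byte 36 with 00 it clears only the low (“dirty”) bit, which still yields the even value Event Viewer requires; the sample file is constructed inline.

```python
import struct

EVT_SIGNATURE = b"LfLe"
# The floating footer (EOF record) is a 0x28-byte record whose body opens with four marker DWORDs.
FOOTER_MARKERS = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)
DIRTY_FLAG = 0x01  # low bit of the flags field at header byte 36; odd value => "corrupt" in Event Viewer


def find_footer(data: bytes) -> int:
    """Offset of the floating footer, located by scanning for its marker pattern."""
    pos = data.find(FOOTER_MARKERS)
    if pos < 4 or data[pos - 4:pos] != struct.pack("<I", 0x28):
        raise ValueError("floating footer not found")
    return pos - 4


def header_pointers(data: bytes) -> tuple:
    """Header bytes 16-31: (oldest offset, next offset, next event ID, oldest event ID)."""
    return struct.unpack_from("<IIII", data, 16)


def is_dirty(data: bytes) -> bool:
    """True when header byte 36 is odd, i.e. the log service never wrote the header back."""
    return bool(data[36] & DIRTY_FLAG)


def repair_evt(data: bytes) -> bytes:
    """The slide's fix: copy footer bytes 20-35 over header bytes 16-31, then make byte 36 even."""
    if data[4:8] != EVT_SIGNATURE:
        raise ValueError("not an EVT file (missing LfLe signature)")
    buf = bytearray(data)
    footer = find_footer(data)
    buf[16:32] = data[footer + 20:footer + 36]
    buf[36] &= 0xFE  # clear only the dirty bit; other flag bits stay intact
    return bytes(buf)


def build_sample() -> bytes:
    """Constructed EVT image: stale header, one 64-byte placeholder record at 48, live footer at 112."""
    rec = struct.pack("<I4sI", 64, EVT_SIGNATURE, 7)
    rec += b"\x00" * (64 - len(rec) - 4) + struct.pack("<I", 64)
    header = struct.pack("<I4sII", 0x30, EVT_SIGNATURE, 1, 1)
    header += struct.pack("<IIII", 48, 48, 7, 7)            # stale pointers: record 7 not yet reflected
    header += struct.pack("<IIII", 0x80000, 0x09, 0, 0x30)  # max size, flags (odd = dirty), retention
    footer = struct.pack("<I", 0x28) + FOOTER_MARKERS
    footer += struct.pack("<IIIII", 48, 112, 8, 7, 0x28)    # live pointers: next offset 112, next ID 8
    return header + rec + footer
```

Run `repair_evt` over a copy of the exported .evt file, never the evidence image itself, and hash both before and after so the edit is documented.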
Windows Vista+ Event Logs
• Do not corrupt the way EVT files do
• No floating footer
• Chunks are standalone units

Finding & Recovering Event Logs
• When an event log is cleared, the data is NOT overwritten
• In some cases, new data is written to a new starting cluster!
• Event logs are very recoverable
• Locate event records by their header

Finding & Recovering Event Logs (Win XP)
• Starting with the header, select the block of contiguous event record data
• Export this data as a file with an “evt” extension and a name of your choosing
• Bring the exported file(s) into EnCase as single files
• Select those files
• Process them with the EnCase Windows Event Log Parser

Finding & Recovering Event Logs (Win Vista+)
• Starting with the header, select the block of contiguous event record data
• Export this data as a file with an “evtx” extension and a name of your choosing
• Bring the exported file(s) into EnCase as single files
• Select those files
• Process them with the EnCase Windows Event Log Parser

Finding & Recovering Event Logs (Win Vista+)
• For incomplete files, various free tools can parse event log chunks individually
• For a free application see: http://computer.forensikblog.de/en/2011/11/evtx_parser_1_1_0.html