Event Log Analysis Part 2 — Windows Forensics Manual 2018

Lucideus
Oct 26, 2018 (8 min read)


Figure 1: Windows Event Viewer

Event logs provide an audit trail of user and system activity on a PC and are a potential source of evidence in forensic examinations. This document describes a Windows event forensic process for investigating operating-system event log files. The process covers the various events that matter in Windows forensics and gives examiners guidance on using Windows event logs in a digital forensic investigation.

When analysing Windows event logs, first identify the operating system version. Event logs differ between operating systems according to their version and configuration, so event IDs present on Windows XP may not exist on Windows 7. For example, on a Windows XP machine event ID 551 refers to a logoff event, whereas on Windows Vista/7/8 the logoff event ID is 4647 and on Windows 10 it is 4634. Similarly, Windows Server editions have a different set of events, so the exact operating system version needs to be identified carefully.

Before locating digital evidence, the incident response team must understand Windows events and know what they are looking for in the event list. Some key Windows event logs are described in this section with their respective event IDs.

Understanding Critical Windows Event Logs

Windows and Anti-Malware Update Events

Windows records every detail of each update applied by the Windows Update service. If anti-malware software is installed, its update history is also recorded, and any third-party antivirus application installed on the system can also write its logs into the Windows event logs. These logs are stored only if logging has been enabled by the administrator. The event timestamps and the details of the installed updates can help a forensic examiner decide whether the system in question was patched or vulnerable against particular security threats during a specific time frame.

System Restore Logs

Logon/Logoff Events

Remote Access Event Logs

If an unknown entity has been accessing the PC remotely, the incident response team can find hard evidence of it in the logs. However, this depends on the type of access that was obtained: if the system is accessed via a backdoor or an IRC bot, the access is not recorded in the logs. To find out whether the system was accessed remotely, event ID 4648 (Logon) with Logon Type 10 proves useful.

User Plug n Play Event Logs

The User Plug-and-Play device events found in the System event log indicate USB/PCI connections to the PC. An event is generated when a driver is installed or updated. Events that give information about installed hardware and drivers have UserPnp as their source. The Device Instance ID is a unique identifier for every device.

Windows also records WPD (Windows Portable Devices) logs. WPD enables the operating system to communicate and coordinate with attached devices, which can be any of the following: music players, storage media, mobile phones, cameras and many other portable devices that can be connected to the computer.

WPD Event IDs

  • Successful Installation — 24576
  • Compatibility Layer Successful Registration — 24577
  • Installation Error — 24578
  • Autoplay Skipping — 24579

Networking Events

When a system attempts to connect to a wireless network, an event is logged by WLAN-AutoConfig, which also stores the SSID of that connection. This event ID is 4000 on Windows 10, whereas on other operating systems it may be different. Event 6100 records information about the network interface, the SSID, and the diagnostic result of the wireless adapter.

Security State Change Event

Best Practices

1. Collect Logs in a Single Place

  • If logs are stored in multiple locations, it becomes harder to parse and analyze them for an investigation. For example, an organization stores the log files of its computers and network in archives for regular inspection for possible threats.
  • If these archives are kept in multiple locations, it is much harder to analyze the logs from all locations manually.

2. Segment different logs into different files so they are easy to access for research and reading

  • This means keeping the logs segmented into different categories. For example, keep the Application, Security, System and Network logs in separate archives so that it is easier to parse through particular logs during threat inspection.

3. Regular Log analysis for Potential Threats

  • Organisations should constantly keep tabs on their archived event logs. Routine checks help in identifying undetected short- or long-term threats that may harm the data. The check can be done on a weekly or monthly basis; large corporations with a high volume of collected logs require daily checks to maintain data integrity.

4. Archive Logs, Do not Overwrite

  • In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
  • For an organization, the default file size is not enough for log management, because older logs get overwritten by new ones. This can be overcome by archiving the logs: as new logs enter the system, the older event logs are archived to a secure location, which helps in troubleshooting the system if a problem is encountered.

5. Limit access to authorized personnel, and log every access

  • Access to the logs should be limited to authorized personnel only, such as the administrator and the log analyst, who maintain the integrity of the logs and constantly observe them for potential threats.

6. Regularly upgrade or update the log management infrastructure, if there is any

  • Log management is not an easy task. It takes experience and the proper knowledge to manage logs and to find the threats that are critical to a compromise of the system.
  • Most organizations use log management infrastructure and tools, which make it much easier to handle the event logs. The analyst should constantly look for new upgrades and updates of these tools to keep the system safe from new threats and vulnerabilities.

7. Use copies of logs for Forensic Investigation

  • Event logs are a great help in a forensic investigation, as each and every event is recorded in the log files.
  • Whenever an investigation is done using event logs, make sure to create multiple copies of the acquired logs so as to maintain the integrity of the log data. This protects the original logs.

8. Store Multiple Backups

  • Storing multiple backups of logs in a secured place is a great way to protect log data from attackers who can exploit the log infrastructure. If the original log archives are lost or encrypted, the backups will help in identifying the root cause of the attack. There are two types of backups:
    • Hot Backup: backup of the most recent logs (1 to 4 weeks)
    • Cold Backup: backup of all logs for a long period of time (6 to 12 months)

Industry Practices to Preserve and Understand Logs Indicating a Compromise

Incident response teams play an important role in handling an organizational breach. There are certain steps and measures to follow after a system is found, through its event logs, to have been compromised. IR teams can use the log data behind Indicators of Compromise (IOCs) to better understand how threats were able to infiltrate the system. IOCs help in identifying specific threats and provide valuable information; with their help, a forensic investigator can quickly locate and resolve any damage that may have been caused to the system.

Common Indicators of Compromise

  • Unusual outbound network traffic
  • Changes in the behavior of privileged users
  • Geographical irregularities in logins and access patterns from unusual locations
  • Failed logins for user accounts that do not exist
  • Unusually large HTML response sizes, which can indicate an attacker extracting data via SQL injection
  • Windows registry changes
  • Unexpected patching of the system or applications
  • Data stored in the wrong places
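As an added example (not part of the original article), the following Python parses records in the Windows Event XML schema, the format produced by Event Viewer's "Save as XML" export, and applies two of the checks this article calls for: the remote access indicator of a logon with Logon Type 10 (see the Remote Access Event Logs section) and the IOC of failed logins for accounts that do not exist. The sample records are constructed; the LogonType field is read from 4624 (successful logon) records, and the non-existent-user condition is the 4625 SubStatus value 0xC0000064.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (Event Viewer "Save as XML", wevtutil qe /f:xml)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not from a real system): an RDP logon, a local logon, and a
# failed logon for a user name that does not exist on the host.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <TimeCreated SystemTime="2018-10-20T09:15:02Z"/><Channel>Security</Channel></System>
 <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">10</Data>
 <Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <TimeCreated SystemTime="2018-10-20T09:16:40Z"/><Channel>Security</Channel></System>
 <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">2</Data>
 <Data Name="IpAddress">127.0.0.1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
 <TimeCreated SystemTime="2018-10-20T09:17:05Z"/><Channel>Security</Channel></System>
 <EventData><Data Name="TargetUserName">backup_admin</Data><Data Name="LogonType">3</Data>
 <Data Name="SubStatus">0xc0000064</Data><Data Name="IpAddress">203.0.113.7</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten every <Event> into its ID, timestamp, channel and EventData name/value pairs."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"event_id": int(system.findtext("e:EventID", namespaces=NS)),
                       "time": system.find("e:TimeCreated", NS).get("SystemTime"),
                       "channel": system.findtext("e:Channel", namespaces=NS),
                       "data": data})
    return events

def _who_when_where(e):
    return (e["time"], e["data"].get("TargetUserName"), e["data"].get("IpAddress"))

def remote_interactive_logons(events):
    """4624 with LogonType 10 (RemoteInteractive): successful RDP/Terminal Services logons."""
    return [_who_when_where(e) for e in events
            if e["event_id"] == 4624 and e["data"].get("LogonType") == "10"]

def failed_logons_unknown_user(events):
    """4625 whose SubStatus 0xC0000064 means the user name does not exist (IOC above)."""
    return [_who_when_where(e) for e in events
            if e["event_id"] == 4625 and e["data"].get("SubStatus", "").lower() == "0xc0000064"]
```

Point `parse_events` at the text of a real export to run the same two checks over acquired logs; the local logon (type 2) in the sample is deliberately left unflagged.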

The Indicators of Compromise listed above are some of the most common ones that help in identifying a system breach, but they are not always sufficient. Out-of-the-box thinking is necessary to investigate properly and to contain the attack. If the system logs indicate that the system has been compromised, these are the crucial steps to follow after an attack.

  • Identify whether a critical attack has occurred
  • Investigate the scope of the compromise
  • Isolate the compromised system
  • Backup Important Data
  • Contain the attack
  • Repair system to prevent future attacks
  • Document everything and create detailed reports

Conclusion

Windows is the most commonly used operating system in consumer and corporate computing environments. One of the main features that enables the Windows forensic process is event logging. Event logs are very helpful in gathering potential evidence for an investigation, unless the user has manually disabled the event logging service. Although event logging has some weaknesses, most of them can be overcome, making event logs an extremely valuable resource as part of the security monitoring process. Event logs can be analysed using various techniques to look for malware on the system.

The Event Viewer first included in Vista and later operating systems is capable of opening event logs stored in the older EVT format, whereas previous versions of Windows, for example Windows XP and Server 2003, are not able to read the newer EVTX format. Some of the important points of interest are described in this document for quick and effective analysis, together with the respective event IDs that help unfold a forensic investigation.
