Introduction to Event Log Analysis Part 1 — Windows Forensics Manual 2018

Lucideus
Oct 26, 2018


Introduction

In the event of a forensic investigation, Windows Event Logs serve as a primary source of evidence because the operating system logs every system activity. Windows Event Log analysis can help an investigator draw a timeline based on the logged information and the discovered artifacts. What gets logged depends on which audit features are turned on, which also means that event logging can be turned off by anyone with administrative privileges. From the forensic point of view, the Event Logs capture a lot of data.

  • The Windows Event Logs are used in forensics to reconstruct a timeline of events.
  • The three main components of the event logs are:
      • Application
      • System
      • Security
  • On the Windows operating system, logs are saved in the root location %System32%\winevt\Logs in a binary format.
  • The offline event log file size can be set by the user.
  • When the maximum log size is reached, one of three retention policies applies:
      • The oldest events are overwritten
      • The logs are archived when full
      • Events are never overwritten; the logs must be cleared manually

In light of the research done, an event logging application was developed using C# and the Microsoft .NET framework. RSA and AES encryption and an HMAC are used to protect the integrity of the data. The application is divided into three segments: an event logger, which monitors particular files and folders on a PC and notifies the data archiving framework in XML format; the archiving framework itself; and an event viewer, which shows the events to the user in a readable format.

Relevance

Due to the increasing number of computers and easily available internet connections, crimes involving computers are increasing rapidly. Keeping this in mind, researchers continually look for new and effective ways to find evidence that can be presented in a court of law to prove or disprove a case.

Windows event logs were not considered reliable proof until a number of cases were solved with their help. The purpose of this post is to analyze Windows Event Logs for artifacts from the forensic perspective: how Windows event logs are stored, how they can be useful in a forensic investigation, and which tools are used to analyze them. This post also covers some of the vulnerabilities that need to be considered before analysis.

Windows Event Logs

The purpose of this document is to break down Microsoft Windows event logs for artifacts that might be important to an investigator. How do specialists use Windows event logs in forensic examinations? How do investigators approach the different sorts of breaches when gathering information from Windows event logs? What are the best procedures for analyzing Windows event logs?

The Windows event logs are records of all events on a computer, network or server. This includes logs of particular events on the system, in an application or in the operating system. The Windows Event Logs help in recreating the timeline of events in order to assist an investigation. The events that are recorded can be any occurrence that affects the system:

  • An incorrect login attempt,
  • A hack, breach or system settings modification,
  • An application failure,
  • A system failure, etc.

All these events are logged in “%System32%/Winevt/Log”. All Windows events include data on the event, for example the date and time, source, fault type, and a unique ID for the event type.

The event logs contain an abundance of data, which enables an administrator to investigate and manage the system. The Event Viewer utility on Windows helps in analyzing the events on that machine. For forensic analysis, however, the investigator has to acquire the offline event log files, which are then analyzed using third-party tools.

Main Event Logs

System Log

The System Log records events that are logged by operating system components. These events are predetermined by the operating system itself. System log files may contain data about hardware changes, device drivers, system changes, and all activities related to the machine. Because of the increasing number of threats against networks and systems, the variety of security logs has increased greatly.

Security Log

The Security Log contains logon/logoff activity and other activities related to Windows security. These events are specified by the system’s audit policy. The security log is the best and last option to detect and investigate attempted and/or successful unauthorized activity. Event logs can also be used to troubleshoot problems in the system.

Application Log

The Application Log records events from the applications installed on the system: the errors that occur in an application, informational events, and warnings from software applications. Using the Application log, we can troubleshoot a software problem that prevents an application from logging in or functioning properly.

Other Important Event Logs

Some other Windows event logs that should be monitored besides the three main Event Logs:

  • Directory Service Events — Domain controllers record any Active Directory changes.
  • File Replication Service Events — File Replication Service events, such as Sysvol changes
  • DNS Events — DNS servers record DNS specific events

Windows Event Log Vulnerabilities

  • It is possible to disable the event log service in Windows.
  • Important data can be modified, such as the date and time, computer name, and usernames.
  • Event logs from one machine can be transplanted into another machine.
  • When the logs are generated, the time stamp uses the internal host clock, which affects the logs if that clock is inaccurate.

Modifying the event log requires access to the Security Event Log file; once that access is obtained, the information it contains can be altered. Consequently, if the Event Log files can be monitored for any copying, writing or deleting, a possible attack on the integrity of their information can be highlighted.

Using the Windows Registry, we can observe whether the Event Logs have been changed or disabled. Based on these findings, the system can be designed to be resilient or invulnerable: it will prohibit any physical access to the event logs and will likewise create a hash signature that highlights whether any changes have been made.

Solutions For Vulnerability

  • Restrict physical access to any outsider.
  • Store daily backups of the system logs.
  • The time-stamping vulnerability can be solved by using a single time-stamping device in the network, which increases the accuracy and integrity of the events.
  • A Public Key Infrastructure server is used to authenticate the system users so that fake events cannot be injected.

List of Tools Used to Parse Event Logs

  • LogParser
  • Event Log Explorer
  • ManageEngine Event Log Analyzer
  • LOGAlyze
  • SolarWinds Event & Log Manager
  • NetVizura EventLog Analyzer
  • Graylog
  • LogCheck

Forensic Procedures to Acquire Windows Event Logs

The Windows Event Logs are stored on the system in a Binary XML format, which is unreadable without a proper tool. However, Windows has a built-in feature that converts the events into a readable format, which helps in troubleshooting any problem that occurs in the system. These logs are stored on the hard drive and are non-volatile, which means they can be accessed even if the machine is powered off.

In the Windows 10 operating system, by default, the event logs are stored in the directory “%Windows%System32/Winevt/Logs”; the location can be changed by the user by modifying the Windows Registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog”. In Windows XP, event logs are stored at “%Windows%System32/config/*.evt”.

Figure 1: Default Location of Windows Event Logs in the System
Figure 2: Windows Event Logs Location in Windows Registry
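Acquiring the offline log files the way this section describes, as an added example that is not part of the original post: the script resolves each registered log from the EventLog registry key named above, exports it with wevtutil, and writes a SHA-256 manifest alongside the host clock and service state. The evidence path, and the assumption of an elevated Windows 10 PowerShell 5.1 session, are mine.

```powershell
# Added example, not part of the original post: export the offline event log
# files and record hashes so that later modification can be detected.
# Assumptions: Windows 10, PowerShell 5.1 or later, run from an elevated prompt;
# $EvidenceDir is a hypothetical destination chosen by the examiner.
param([string]$EvidenceDir = 'E:\Evidence\EventLogs')

function Get-RegisteredEventLogs {
    # Each subkey of the registry key named in the post is a classic log
    # (Application, Security, System, ...); its File value is the .evtx path.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    foreach ($key in Get-ChildItem -Path $base) {
        $file = (Get-ItemProperty -Path $key.PSPath -Name File -ErrorAction SilentlyContinue).File
        if ($file) {
            [pscustomobject]@{
                Channel = $key.PSChildName
                File    = [Environment]::ExpandEnvironmentVariables($file)
            }
        }
    }
}

function Export-EventLogEvidence {
    param([string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # The service can be stopped or disabled, so record its state with the evidence.
    $svc = Get-Service -Name EventLog
    $acquired = (Get-Date).ToUniversalTime().ToString('o')
    foreach ($log in Get-RegisteredEventLogs) {
        $dest = Join-Path $Destination ($log.Channel + '.evtx')
        # wevtutil epl writes a consistent export; the live file is held open by the service.
        & wevtutil.exe epl $log.Channel $dest /ow:true
        if (-not (Test-Path $dest)) { continue }
        [pscustomobject]@{
            Channel       = $log.Channel
            SourceFile    = $log.File
            EvidenceFile  = $dest
            SHA256        = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
            ServiceStatus = $svc.Status
            ServiceStart  = $svc.StartType
            HostTimeZone  = (Get-TimeZone).Id      # event times come from the host clock
            AcquiredUtc   = $acquired
        }
    }
}

$manifest = Export-EventLogEvidence -Destination $EvidenceDir
# Re-hashing the exports against this manifest later reveals any change to them.
$manifest | Export-Csv -Path (Join-Path $EvidenceDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table Channel, SHA256, ServiceStatus -AutoSize
```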

Conclusion

Windows Event Logs are essential from the digital forensic perspective because they store each and every event that happens in the operating system. When a system is compromised by an unauthorized user, it takes several steps and procedures to get access to the system, and these steps can be used to trace back to the suspect. The incident response team is responsible for capturing the important artifacts for further analysis. Event logs are stored in offline physical files in the system root directory.

The Event Logs are divided into categories such as application, system, and security, with different levels of severity. Other events, such as network events, are also logged in their own files on the system. These files can be obtained manually or with utility tools. The importance of these logs and the analysis procedures are described in the second part of this document, where we cover some of the most important points of interest, with event log IDs, that are helpful when searching a compromised system for potential evidence.
