Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.

Presentation transcript:

Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs

Chapter Topics: Using EnCase to examine Windows event log files; understanding the internal structures of event logs; repairing corrupt event log files; finding and analyzing event log fragments

Using EnCase to Examine Windows Event Log Files EnCase EnScript Windows Event Log Parser: parses the raw data and does NOT rely upon the Windows API. Output format –Bookmarks –Export to spreadsheet

EnCase Windows Event Log Parser User Interface

EnCase Windows Event Log Parser Spreadsheet Output

WinXP Event Log Internals Databases of event records; event types are segregated into 3 files or databases –SysEvent.evt –SecEvent.evt –AppEvent.evt

Event Log Internals Each file or database has three parts –Header –Records –Floating footer

Header

Event Log Record

Floating Footer

Repairing corrupt event log files Header byte offsets (16-19, 20-23, 24-27, & 28-31) represent: –Offset to oldest event –Offset to next event –Event ID of next event –Event ID of oldest event

Repairing corrupt event log files Floating footer byte offsets (20-23, 24-27, 28-31, & 32-35) represent: –Offset to oldest event –Offset to next event –Event ID of next event –Event ID of oldest event

Repairing corrupt event log files The floating footer contains “real-time” data, while the header is updated only during a normal shutdown of the event log service. Byte offset 36 of the header contains an odd value (09, 0B, etc.) if that update has NOT occurred, while an even value (08, 00, etc.) indicates the update has occurred

Repairing corrupt event log files Event Viewer (and other Windows API-based viewers) requires byte offset 36 to be even; otherwise a “corrupt log” message occurs. Pulling the plug or copying live event logs results in a file in which the floating footer data has NOT been written back to the header and byte offset 36 holds an odd value, hence the error message when opening such logs with Event Viewer

Error Message!

Repairing corrupt event log files The “fix” is to: –Copy the floating footer byte offsets (20-35) –Paste them over the header byte offsets (16-31) –Change header byte offset 36 to an even value such as 00 –Save –Open with Event Viewer!
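The repair described above, carried out in Python as an added worked example (not code from the slides or the book): it reads the four live fields from the floating footer, writes them over header bytes 16-31 and clears the odd value at byte 36. The footer is located by the fixed marker that follows its size field, and the header/record layout beyond the offsets the slides give is my assumption about the EVT format; the log image is constructed inline.

```python
import struct

HEADER_LEN = 0x30
# The EVT end-of-file record ("floating footer") begins with its 4-byte size followed by
# this fixed marker; the marker values come from the EVT file format, not from the slides.
FOOTER_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)

def find_footer(data):
    """Offset of the floating footer, found by its marker rather than by trusting the header."""
    idx = data.find(FOOTER_MAGIC)
    if idx < 4:
        raise ValueError("no floating footer found")
    return idx - 4  # the marker sits right after the footer's 4-byte size field

def header_fields(data):
    """(offset to oldest event, offset to next event, next event ID, oldest event ID), bytes 16-31."""
    return struct.unpack_from("<4I", data, 16)

def footer_fields(data):
    """The same four fields as kept live in footer bytes 20-35."""
    return struct.unpack_from("<4I", data, find_footer(data) + 20)

def header_is_dirty(data):
    """Byte 36 odd (0x09, 0x0B, ...) means the header was never updated at service shutdown."""
    return data[36] & 1 == 1

def repair_evt(data):
    """Apply the slide's fix: footer fields -> header bytes 16-31, then make byte 36 even."""
    buf = bytearray(data)
    buf[16:32] = struct.pack("<4I", *footer_fields(buf))
    buf[36] &= 0xFE  # 0x09 -> 0x08; the Event Viewer check only needs an even value
    return bytes(buf)

def build_sample_dirty_log():
    """Constructed EVT image: a stale, dirty header, one placeholder record and a live footer."""
    rec = struct.pack("<I4sI", 0x38, b"LfLe", 1) + b"\x00" * (0x38 - 12)
    oldest_off, next_off = HEADER_LEN, HEADER_LEN + len(rec)
    header = struct.pack("<I4s10I", HEADER_LEN, b"LfLe", 1, 1,
                         0, 0, 0, 0,  # offsets/IDs never flushed (as after pulling the plug)
                         0x80000, 0x09, 0, HEADER_LEN)  # flags 0x09: odd, so "corrupt"
    footer = struct.pack("<I", 0x28) + FOOTER_MAGIC + struct.pack(
        "<5I", oldest_off, next_off, 2, 1, 0x28)  # live values: next ID 2, oldest ID 1
    return header + rec + footer

if __name__ == "__main__":
    sample = build_sample_dirty_log()
    print("dirty before:", header_is_dirty(sample), header_fields(sample))
    fixed = repair_evt(sample)
    print("dirty after: ", header_is_dirty(fixed), header_fields(fixed))
```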

Windows Vista + Event Log Internals

Windows Vista + Event Log Header

Windows Vista + Event Chunk Header

Windows Vista + Event Record

Windows Vista+ Event Logs Do not corrupt the way EVT files do; there is no floating footer, and chunks are standalone units

Finding & Recovering Event Logs When an event log is cleared, the data is NOT overwritten; in some cases new data is written to a new starting cluster! Event logs are very recoverable. Locate event records by their header

Finding & Recovering Event Logs (Win XP) Starting with the header, select the block of contiguous event record data. Export this data as a file with an “evt” extension and a name of your choosing. Bring it into EnCase as a single file (or files). Select those files and process them with the EnCase Windows Event Log Parser
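An added example (mine, not from the slides or EnCase) of the record-hunting step above: it scans raw bytes for EVT records by their header signature, keeps only hits whose size field is sane and repeated at the record end, and groups back-to-back hits into the contiguous blocks one would export as an .evt file. The record layout beyond the signature is my assumption about the EVT format, and the "unallocated space" is constructed inline.

```python
import struct

RECORD_SIG = b"LfLe"

def carve_evt_records(image):
    """Return (offset, record_bytes) for every plausible EVT record found by signature.
    A hit counts only if the 4-byte size before the signature is sane and is repeated
    as the last 4 bytes of the record (the layout EVT records use)."""
    found = []
    pos = image.find(RECORD_SIG)
    while pos != -1:
        start = pos - 4
        if start >= 0:
            (size,) = struct.unpack_from("<I", image, start)
            end = start + size
            if 0x38 <= size <= 0x10000 and end <= len(image) \
                    and image[end - 4:end] == image[start:start + 4]:
                found.append((start, image[start:end]))
                pos = image.find(RECORD_SIG, end)
                continue
        pos = image.find(RECORD_SIG, pos + 1)  # false hit or header: keep scanning
    return found

def contiguous_runs(records):
    """Join records that sit back to back; each run is a block to export with an .evt extension."""
    runs, current = [], []
    for off, rec in records:
        if current and off != current[-1][0] + len(current[-1][1]):
            runs.append(b"".join(r for _, r in current))
            current = []
        current.append((off, rec))
    if current:
        runs.append(b"".join(r for _, r in current))
    return runs

def make_record(num, event_id):
    """Constructed minimal record: size, signature, record number, two timestamps, event ID, padding, size."""
    body = struct.pack("<4sIIII", RECORD_SIG, num, 0, 0, event_id)
    size = 4 + len(body) + 0x20 + 4
    return struct.pack("<I", size) + body + b"\x00" * 0x20 + struct.pack("<I", size)

def build_unallocated_sample():
    """Constructed slack: junk, three contiguous records, a gap, one lone record, a false signature."""
    return (b"\xAA" * 17 + make_record(1, 528) + make_record(2, 529) + make_record(3, 540)
            + b"\x00" * 9 + make_record(7, 6005) + b"junkLfLejunk")
```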

Finding & Recovering Event Logs (Win Vista +) Starting with the header, select the block of contiguous event record data. Export this data as a file with an “evtx” extension and a name of your choosing. Bring it into EnCase as a single file (or files). Select those files and process them with the EnCase Windows Event Log Parser

Finding & Recovering Event Logs (Win Vista +) For incomplete files, you can use various freely available tools that parse event log chunks individually. For a free application see: 11/11/evtx_parser_1_1_0.html