File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata
Event Logs Logging Events Events Logging Events Event Log Format Event Record Structure Various Logs
Usual Event Logs Application Log of application errors, warnings and information Security Dropped Packets, Successful Connections Logon/Logoffs System Various device events
Registry References - XP
Windows 7 Location of logs
Event Log Location - XP
Event Log Location Vista, Win7 C:\Windows\System32\winevt\Logs
Location of Event Logs
App & System Logging On by default Log size is 512 KB by default Written by the application
Security Logging - XP Not on by default Log size is 512 KB by default Control Panel Admin tools -> Local Security Policy
Security Logging Windows 7
Log Viewer Event Viewer Control Panel -> Administrative Tools -> Event Viewer Application, Security and System logs available Event Properties DTG of the event Important for some timelines
App Log
System Log
Security Log Success
Security Log Failure
Windows 7
Event Viewer Convenient and pretty Works only on live systems Does not work on a forensics image We have to parse the event logs
Event Logs Binary Structure Header and a series of records Event ID formats vent.aspx?eventid=528 Application logs are vendor specific EventID.net is a good source for this info - $$$ blogs.msdn.com/ericfiz/default.aspx
Event Log Configuration XP Held in registry keys
Windows 7
Registry Viewer Event message
Event Log File Format XP only Event Log Header – 12 DWORD values Event Records – Variable length Windows 7 & Vista: http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf
Event Log Header Structure (Offset / Size / Description)
0    4 bytes   Size of the record (Header = 0x30, Event = 0xF4)
4    4 bytes   Magic number 0x4C 0x66 0x4C 0x65 = "LfLe"
16   4 bytes   Offset within the .evt file of the oldest event record
20   4 bytes   Offset within the .evt file of the next event record to be written
24   4 bytes   ID of the next event record
28   4 bytes   ID of the oldest event record
32   4 bytes   Maximum size of the .evt file (from the registry)
40   4 bytes   Retention time of event records (from the registry)
44   4 bytes   Size of the record (repeat of the first DWORD)
Event Record Structure (Offset / Size / Description)
0    4 bytes   Size of the record (Header = 0x30, Event = 0xF4)
4    4 bytes   Magic number 0x4C 0x66 0x4C 0x65 = "LfLe"
8    4 bytes   Record number
12   4 bytes   Time generated
16   4 bytes   Time written
20   4 bytes   Event ID – locates the message file/dll/exe
24   2 bytes   Event type (0x01 = Error, 0x10 = Failure, 0x08 = Success, 0x04 = Info, 0x02 = Warning)
26   2 bytes   Number of strings
28   2 bytes   Event category
30   2 bytes   Reserved flags
32   4 bytes   Closing record number
36   4 bytes   String offset
40   4 bytes   Length of the user SID
44   4 bytes   Offset to the user SID within this event record
48   4 bytes   Data length; length of the binary data associated with this event record
52   4 bytes   Offset to data
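As an added illustration of the record layout above (this is not code from the slides or from Carvey's tools), the following Python builds a constructed Security-log record and parses it purely by the offsets in the table. The source name, computer name, insertion strings and timestamp are made up; the check that the trailing size DWORD matches the leading one is what flags the truncated or partially overwritten records that the Windows API is unreliable on.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte record header, field order as in the Event Record Structure:
# size, magic, record #, time generated, time written, event ID, type, # strings,
# category, flags, closing record #, string offset, SID length, SID offset,
# data length, data offset.  All values little-endian.
RECORD_HDR = struct.Struct("<I4sIIIIHHHHIIIIII")
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",
               0x08: "Success Audit", 0x10: "Failure Audit"}

def build_sample_record():
    """Constructed (not captured) record: Event ID 528, Success Audit, two
    insertion strings, no SID and no binary data.  Host/user names are made up."""
    names = ("Security\0" + "WORKSTN01\0").encode("utf-16-le")    # source, computer
    strings = "".join(s + "\0" for s in ("jdoe", "CORPDOM")).encode("utf-16-le")
    str_off = RECORD_HDR.size + len(names)
    size = RECORD_HDR.size + len(names) + len(strings) + 4        # + trailing size DWORD
    hdr = RECORD_HDR.pack(size, b"LfLe", 1, 1262304000, 1262304000, 528,
                          0x08, 2, 2, 0, 1, str_off, 0, 0, 0, size - 4)
    return hdr + names + strings + struct.pack("<I", size)

def parse_record(buf, off=0):
    """Decode the record starting at off.  Raises ValueError when the LfLe magic
    is missing or the trailing size DWORD disagrees with the leading one, which
    is how a truncated or half-overwritten record shows up."""
    f = RECORD_HDR.unpack_from(buf, off)
    size, magic = f[0], f[1]
    if magic != b"LfLe":
        raise ValueError("no LfLe magic at offset %d" % off)
    if off + size > len(buf) or struct.unpack_from("<I", buf, off + size - 4)[0] != size:
        raise ValueError("record at offset %d is truncated or overwritten" % off)
    n_strings, str_off = f[7], f[11]
    text = buf[off + str_off: off + size - 4].decode("utf-16-le", "replace")
    return {
        "record_number": f[2],
        # .evt timestamps are 32-bit Unix epoch seconds
        "time_generated": datetime.fromtimestamp(f[3], timezone.utc).isoformat(),
        "event_id": f[5] & 0xFFFF,   # low word is the ID; upper bits are severity/facility
        "event_type": EVENT_TYPES.get(f[6], "Unknown 0x%02x" % f[6]),
        "strings": text.split("\0")[:n_strings],
    }

if __name__ == "__main__":
    print(parse_record(build_sample_record()))
```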
Carvey’s Help Best not to depend on the Windows API to read the Event files They can be corrupted May miss the next record to be overwritten Provides summary stats Provides output readable in Excel
evtstats.exe Lots of events
lsevt.exe Entry for each of the 2464 Event Records
lsevt2.exe Entry for each of the 2464 Event Records Puts it into an Excel readable format lsevt -f event_file -c > save_file.csv
Excel – Open .csv file
Change Format Choose Delimited
Identify Separators Harlan’s stuff is separated by semicolons. With Perl knowledge you could change it.
Excel Manipulatible
Information
Other Logs IE Browsing History Set Up XP Firewall Recycle Bin Shortcut Files
IE Browsing History Index.dat files DiscoverPro NetAnalysis Index dat spy SuperWinSpy Be careful !!!
NetAnalysis
Set Up Logs Setuplog.txt Setupact.log SetupAPI.log Netsetup.log
Setuplog.txt C:\WINDOWS
Setupact.log C:\WINDOWS
SetupAPI.log C:\WINDOWS
NetSetup.log C:\Windows\Debug
Task Scheduler Log SchedLgU.txt
Enabling Firewall Logging Control Panel -> Security Center -> Windows Firewall -> Advanced Follow your nose
Firewall Log C:\WINDOWS\pfirewall.log
Recycle Bin C:\RECYCLER Each user gets his own folder Use the user’s SID Each has its own INFO2 file
Recycle Bin
recbin.exe
INFO2 File Structure Header: 16 bytes; the final 4 bytes (DWORD) are the size of each record, 0x320 (little endian) = 800 bytes Records: record # at offset 264 within the record; drive designator (2 = C:\, 3 = D:\, etc.); file size in clusters at offset 280
Open INFO2 in WinHex Very hard File -> Open Navigate to C:\RECYCLER Open it Select a SID file Open it. It may say you don’t have privileges Type \INFO2 Try again! Maybe
INFO2 Record Size Record size 0x00320 = 800 bytes Drive indicator 0x0002 (C:\) Size in clusters 0x0001
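Added example (not from the slides or from recbin.exe): the Python below constructs a small INFO2 file and walks its records the way the structure slides describe, taking the record size from the last DWORD of the 16-byte header instead of hard-coding 800. The record-number and cluster-count offsets (264, 280) are the ones given above; the drive-designator offset of 268 and the two sample records are assumptions made here for illustration.

```python
import struct

HEADER_LEN = 16
REC_NUM_OFF, CLUSTERS_OFF = 264, 280     # offsets from the INFO2 structure slide
DRIVE_OFF = 268                          # assumed: the DWORD after the record number

def build_sample_info2(record_size=0x320):
    """Constructed INFO2: 16-byte header whose last DWORD is the record size,
    followed by two records (drive 2 = C:\\, drive 3 = D:\\)."""
    header = bytes(12) + struct.pack("<I", record_size)
    recs = b""
    for num, drive, clusters in ((1, 2, 1), (2, 3, 7)):
        r = bytearray(record_size)
        struct.pack_into("<I", r, REC_NUM_OFF, num)
        struct.pack_into("<I", r, DRIVE_OFF, drive)
        struct.pack_into("<I", r, CLUSTERS_OFF, clusters)
        recs += bytes(r)
    return header + recs

def parse_info2(buf):
    """Walk whole records using the size stored in the header; a trailing
    partial record (file cut short) is ignored rather than misread."""
    if len(buf) < HEADER_LEN:
        raise ValueError("INFO2 header too short")
    record_size = struct.unpack_from("<I", buf, HEADER_LEN - 4)[0]
    if record_size <= CLUSTERS_OFF + 4:
        raise ValueError("implausible record size 0x%X" % record_size)
    out = []
    for off in range(HEADER_LEN, len(buf) - record_size + 1, record_size):
        num, drive, clusters = (struct.unpack_from("<I", buf, off + o)[0]
                                for o in (REC_NUM_OFF, DRIVE_OFF, CLUSTERS_OFF))
        out.append({"record": num,
                    "drive": chr(ord("A") + drive) + ":\\",   # 0 = A:, 2 = C:, 3 = D:
                    "clusters": clusters})
    return out

if __name__ == "__main__":
    for rec in parse_info2(build_sample_info2()):
        print(rec)
```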
File Metadata – MAC Times (OS to OS / Action / From / Effect on create time and modification time)
FAT to FAT     Copy   From C:\   Create time updated, modification time unchanged
FAT to FAT     Move   From C:\   Unchanged
FAT to NTFS    Copy              Create time updated, modification time unchanged
FAT to NTFS    Move              Unchanged
NTFS to NTFS   Copy   From C:\   Create time updated, modification time unchanged
NTFS to NTFS   Move   From C:\   Unchanged
Word Documents Document location Statistics Magic number Version and Language Last 10 authors MACPS times Modified, accessed, created, printed, saved
MergeStreams Insert a spreadsheet into a Word document Call it .doc – you see the Word document Call it .xls – you see the spreadsheet All sorts of uses Smuggling out forecasts Sharing pictures on the corporate server
PDF Files Similar metadata as Word docs. Easily accessed File -> Properties
Image Files exif Data
Original Photo off of the camera After Photoshop manipulation
Tweet Metadata
ADS – Alternative Data Streams Native to NTFS Permits data file to contain scripts, or executable code No NT native tools to detect them Native tools to create and launch them