Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs.

Published byBlaze Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs."— Presentation transcript:

1 Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs

2 Chapter Topics: Using EnCase to Examine Windows Event Logs Files Understanding Internal Structures of Event Log Repairing corrupt event log files Finding & analyzing event log fragments

3 Using EnCase to Examine Windows Event Logs Files EnCase EnScript Windows Event Log Parser Parses raw data and does NOT rely upon Window API Output format –Bookmarks –Export to spreadsheet

4 EnCase Windows Event Log Parser User Interface

5 EnCase Windows Event Log Parser Spreadsheet Output

6 WinXP Event Log Internals Databases of event records Event types segregated into 3 files or database –SysEvent.evt –SecEvent.evt –AppEvent.evt

7 Event Log Internals Each file or database has three parts –Header –Records –Floating footer

8 Header

9 Event Log Record

10 Floating Footer

11 Repairing corrupt event log files Header byte offsets 16-31 (16-19, 20-23, 24-27, & 28-31) represent: –Offset to oldest event –Offset to next event –Event ID of next event –Event ID of oldest event

12 Repairing corrupt event log files Floating footer byte offsets 20-35 (20-23, 24-27, 28-31, & 32-35) represent: –Offset to oldest event –Offset to next event –Event ID of next event –Event ID of oldest event

13 Repairing corrupt event log files Floating footer contains “real-time” data while header is updated during normal shutdown of event log service Byte offset 36 of header contains an odd value (09, 0B, etc) if update has NOT occurred, while an even value (08, 00, etc) indicates update has occurred

14 Repairing corrupt event log files Event viewer (also other Windows API viewers) requires byte offset 36 be even, otherwise corrupt log message occurs. Pulling plug, copying live event logs result in a file with floating footer NOT being updated and odd value for byte offset 36, hence error message when opening such logs with Event Viewer

15 Error Message!

16 Repairing corrupt event log files The “fix” is to: –Copy floating footer byte offsets 20- 35 –Paste to header byte offsets 16-31 –Change header byte offset 36 to even value such as 00 –Save –Open with event viewer!

17 Windows Vista + Event Log Internals

18 Windows Vista + Event Log Header

19

20 Windows Vista + Event Chunk Header

21

22 Windows Vista + Event Record

23

24 Windows Vista+ Event Logs Do not corrupt like EVT files do No floating footer Chunks are standalone units

25 Finding & Recovering Event Logs When event log is cleared, data is NOT overwritten. In some cases, new data is written to a new starting cluster! Event logs are very recoverable Locate event records by their header

26 Finding & Recovering Event Logs (Win XP) Starting with the header, select block of contiguous event record data. Export this data out as a file with an “evt” extension and name of your choosing Bring into EnCase as a single file(s). Select those files Process them with EnCase Windows Event Log Parser

27 Finding & Recovering Event Logs (Win Vista +) Starting with the header, select block of contiguous event record data. Export this data out as a file with an “evtx” extension and name of your choosing Bring into EnCase as a single file(s). Select those files Process them with EnCase Windows Event Log Parser

28 Finding & Recovering Event Logs (Win Vista +) For incomplete files, you can use various tools available for free for parsing Event Log Chunks individually For a free application see: http://computer.forensikblog.de/en/20 11/11/evtx_parser_1_1_0.html http://computer.forensikblog.de/en/20 11/11/evtx_parser_1_1_0.html

Download ppt "Mastering Windows Network Forensics and Investigation Chapter 15: Forensic Analysis of Event Logs."

Similar presentations

RefWorks in 15 Minutes. Agenda 1)Create an account 2)Export references 3)Create a new folder 4)Organize references into a folder 5)Import references 6)Create.

RefWorks in 15 Minutes. Agenda 1)Create an account 2)Export references 3)Create a new folder 4)Organize references into a folder 5)Import references 6)Create.
IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
DAT2343 File Storage and Access © Alan T. Pinck / Algonquin College; 2003.

DAT2343 File Storage and Access © Alan T. Pinck / Algonquin College; 2003.
Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
BePunctual Employee Time & Attendance (T&A) System User Guide.

BePunctual Employee Time & Attendance (T&A) System User Guide.
Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.

Windows Vista Serious Challenges for Digital Investigators Authors: Darren Hayes Shareq Qureshi Presented By: Prerna Gupta.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.

Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 10: Collect and Analyze Performance Data.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 10: Collect and Analyze Performance Data.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Chapter 16 Chapter 16: Troubleshooting. Chapter 16 Learning Objectives n Develop your own problem-solving strategy n Use the Event Viewer to locate and.

Chapter 16 Chapter 16: Troubleshooting. Chapter 16 Learning Objectives n Develop your own problem-solving strategy n Use the Event Viewer to locate and.
11 MONITORING MICROSOFT WINDOWS SERVER 2003 Chapter 3.

11 MONITORING MICROSOFT WINDOWS SERVER 2003 Chapter 3.
A Visual Introduction to PC SAS. Start SAS by double-clicking on the SAS icon...

A Visual Introduction to PC SAS. Start SAS by double-clicking on the SAS icon...
File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.

File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Using the Windows Event Viewer and Task Scheduler Chapter 5.

Using the Windows Event Viewer and Task Scheduler Chapter 5.
Hard Drive Formatting 1. Formatting Once a hard drive has been partitioned, there’s one more step you must perform before your OS can use that drive:

Hard Drive Formatting 1. Formatting Once a hard drive has been partitioned, there’s one more step you must perform before your OS can use that drive:
Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.

Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.

Similar presentations

Ads by Google