1. File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata

2. Event Logs Logging Events Events Logging Events Event Log Format Event Record Structure Various Logs

3. Usual Event Logs Application Log of application errors, warnings and information Security Dropped Packets, Successful Connections Logon/Logoffs System Various device events

4. Registry References - XP

5. Windows 7 Location of logs

6. Event Log Location - XP

7. Event Log Location Vista, Win7 C:Windows->System32->winevt->Logs

8. Location of Event Logs

9. App & System Logging On by default Log size is 512 KB by default Written by the application

10. Security Logging - XP Not on by default Log size is 512 KB by default Control Panel Admin tools -> Local Security Policy

11. Security Logging Windows 7

12. Log Viewer Event Viewer Control Panel -> Administrative Tools -> Event Viewer Application, Security and System logs available Event Properties DTG of the event Important for some timelines

13. App Log

14. System Log

15. Security Log Success

16. Security Log Failure

17. Windows 7

20. Event Viewer Convenient and pretty Works only on live systems Does not work on a forensics image We have to parse the event logs

21. Event Logs Binary Structure Header and a series of records Event ID formats http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/e vent.aspx?eventid=528 Application logs are vendor specific EventID.net is a good source for this info - $$$ blogs.msdn.com/ericfiz/default.aspx www.microsoft.com/technet/support/ee/ee_advanced.aspx

22. Event Log Configuration XP Held in registry keys

23. Windows 7

24. Registry Viewer Event message

25. Event Log File Format XP only Event Log Header – 12 DWORD values Event Records – Variable length Windows 7 & Vista http://www.dfrws.org/2007/proceedings/p65-schuster.pdf http://computer.forensikblog.de/files/talks/SANS_Summit_Vi sta_Event_Log.pdfhttp://computer.forensikblog.de/files/talks/SANS_Summit_Vi sta_Event_Log.pdf

26. OffsetSizeDescription 04 bytesSize of the record (Header = 0x30, Event = 0xF4) 44 bytesMagic number 0x4C 66 4C 65 = LfLe 164 bytesOffset within the.evt file of the oldest event record 204 bytesOffset within the.evt file of the next event record to be written 244 bytesID of the next event record 284 bytesID of the oldest event record 324 bytesMaximum size of the.evt file (from the registry) 404 bytesRetention time of event records (from the registry) 444 bytesSize of the record (repeat of the first DWORD) Event Log Header Structure

27. OffsetSizeDescription 04 bytesSize of the record (Header = 0x30, Event = 0xF4) 44 bytesMagic number 0x4C 66 4C 65 = LfLe 84 bytesRecord Number 124 bytesTime Generated 164 bytesTime written 204 bytesEvent ID – Locates message file/dll/exe 242 bytesEvent type (0x01 = error, 0x10 = Failure, 0x08 – Success, 0x04 = Info, 0x02 = Warning 262 bytesNumber of strings 282 bytesEvent category 302 bytesReserved flags 324 bytesClosing record number 364 bytesString offset 404 bytesLength of user SSID 444 bytesOffset to the user SID within this event record 484 bytesData length; length of the binary data associated with this event record 524 bytesOffset to data Event Record Structure

28. Carvey’s Help Best not to depend on the Window’s API to read the Event files They can be corrupted May miss the next to be over written Provides summary stats Provides output readable in Excel

29. evtstats.exe Lots of events

30. lsevt.exe Entry for each of the 2464 Event Records

31. lsevt2.exe Entry for each of the 2464 Event Records Puts it into an Excel readable format lsevt –f event_file –c > save_file.csv

32. Excel – Open.csv file

33. Change Format Choose Delimited

34. Identify Separators Harlan’s stuff is separated by semicolons. With Perl knowledge you could change it.

35. Excel Manipulatible

36. Information

37. Other Logs IE Browsing History Set Up XP Firewall Recycle Bin Shortcut Files

38. IE Browsing History Index.dat files DiscoverPro NetAnalysis Index dat spy SuperWinSpy Be careful !!!

39. NetAnalysis

40. Set Up Logs Setuplog.txt Setupact.log SetupAPI.log Netsetup.log

41. Setuplog.txt C:\WINDOWS

42. Setupact.log C:\WINDOWS

43. SetupAPI.log C:\WINDOWS

44. NetSetup.log c:\Winodws\Debug

45. Task Scheduler Log SchedLgU.txt

46. Enabling Firewall Logging Control Panel -> Security Center -> Windows Firewall -> Advanced Follow your nose

47. Firewall Log C:\WINDOWS\pfirewall.log

48. Recycle Bin C:\RECYCLER Each user gets his own folder Use the user’s SID Each has its own INFO2 file

49. Recycle Bin

50. recbin.exe

51. INFO2 File Structure Header 16 bytes Final 4 bytes (DWORD) is the size of each record 0x320 (little endian) = 800 bytes Records Record # at offset 264 within the record Drive designator at offset 268 2 = C:\, 3=D:\, etc File size in clusters at offset 280

52. Open INFO2 in WinHex Very hard File -> Open Navigate to C:\RECYCLER Open it Select a SID file Open it. It may say you don’t have privileges Type \INFO2 Try again! Maybe

53. INFO2 Record Size Record size 0x00320 = 800 10 Drive indicator 0x0002 Size in clusters 0x0001

54. File Metadata MAC Times OS - OSActionFromToCreate timeModification time FAT to FATCopyC:\ UpdatedUnchanged FAT to FATMoveC:\ Unchanged FAT to NTFSCopyUpdatedUnchanged FAT to NTFSMoveUnchanged NTFS to NTFSCopyC:\ UpdatedUnchanged NTFS to NTFSMoveC:\ Unchanged

55. Word Documents Document location Statistics Magic number Version and Language Last 10 authors MACPS times Modified, accessed, created, printed, saved

56. MeargeStreams Insert a spreadsheet into a word document Call it.doc – you see the Word document Call it.xls – you see the spreadsheet All sorts of uses Smuggling out forecasts Sharing pictures on the corporate server

57. PDF Files Similar metadata as Word docs. Easily accessed File -> Properties

58. Image Files exif Data

60. Original Photo off of the camera After Photoshop manipulation

61. Tweet Metadata

62. ADS – Alternative Data Streams Native to NTFS Permits data file to contain scripts, or executable code No NT native tools to detect them Native tools to create and launch them