1
File Analysis
Chapter 5 – Harlan Carvey
Event Logs
File Metadata
2
Event Logs
Logging Events
Event Log Format
Event Record Structure
Various Logs
3
Usual Event Logs
Application – log of application errors, warnings and information
Security – dropped packets, successful connections, logon/logoffs
System – various device events
4
Registry References - XP
5
Windows 7 Location of logs
6
Event Log Location - XP
7
Event Log Location – Vista, Win7
C:\Windows\System32\winevt\Logs
8
Location of Event Logs
9
App & System Logging
On by default
Log size is 512 KB by default
Written by the application
10
Security Logging - XP
Not on by default
Log size is 512 KB by default
Control Panel -> Admin Tools -> Local Security Policy
11
Security Logging Windows 7
12
Log Viewer – Event Viewer
Control Panel -> Administrative Tools -> Event Viewer
Application, Security and System logs available
Event Properties: DTG of the event – important for some timelines
13
App Log
14
System Log
15
Security Log Success
16
Security Log Failure
17
Windows 7
20
Event Viewer
Convenient and pretty
Works only on live systems
Does not work on a forensics image
We have to parse the event logs
21
Event Logs
Binary structure: a header and a series of records
Event ID formats: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
Application logs are vendor specific
EventID.net is a good source for this info - $$$
blogs.msdn.com/ericfiz/default.aspx
www.microsoft.com/technet/support/ee/ee_advanced.aspx
22
Event Log Configuration XP Held in registry keys
23
Windows 7
24
Registry Viewer Event message
25
Event Log File Format
XP only:
Event Log Header – 12 DWORD values
Event Records – variable length
Windows 7 & Vista:
http://www.dfrws.org/2007/proceedings/p65-schuster.pdf
http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf
26
Event Log Header Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file of the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the registry)
40      4 bytes  Retention time of event records (from the registry)
44      4 bytes  Size of the record (repeat of the first DWORD)
27
Event Record Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
8       4 bytes  Record number
12      4 bytes  Time generated
16      4 bytes  Time written
20      4 bytes  Event ID – locates message file/dll/exe
24      2 bytes  Event type (0x01 = Error, 0x10 = Failure, 0x08 = Success, 0x04 = Info, 0x02 = Warning)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset
40      4 bytes  Length of user SID
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to data
28
Carvey’s Help
Best not to depend on the Windows API to read the Event files
They can be corrupted
May miss the next record to be overwritten
Provides summary stats
Provides output readable in Excel
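As an added example (not code from the slides or from Carvey's tools), the following Python walks an .evt image using only the header and record offsets from the two tables above, so a corrupted record stops the walk cleanly instead of relying on the Windows API. The sample log image is constructed inline; the 32-bit time fields are treated as seconds since 1970 UTC and the record's size DWORD is assumed to be repeated as its last 4 bytes.

```python
import struct
from datetime import datetime, timezone
MAGIC = b"LfLe"  # bytes 4C 66 4C 65, the marker in both slide tables
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Info", 0x08: "Success", 0x10: "Failure"}
REC = "<I4sIIII4H6I"  # the 56-byte fixed part of a record, fields in the slide's order

def parse_record(buf, off):
    """Parse the record at off; returns a dict, or None if the record is damaged."""
    size, magic = struct.unpack_from("<I4s", buf, off)
    if magic != MAGIC or size < 56 or off + size > len(buf):
        return None
    if struct.unpack_from("<I", buf, off + size - 4)[0] != size:
        return None  # the size DWORD is repeated as the last 4 bytes of every record
    f = struct.unpack_from(REC, buf, off)
    strings, pos = [], off + f[11]  # string offset is relative to the record start
    for _ in range(f[7]):  # number-of-strings field; strings are NUL-terminated UTF-16LE
        end = pos
        while end + 2 <= off + size and buf[end:end + 2] != b"\x00\x00":
            end += 2
        strings.append(buf[pos:end].decode("utf-16-le"))
        pos = end + 2
    return {"record": f[2], "generated": datetime.fromtimestamp(f[3], timezone.utc),
            "event_id": f[5] & 0xFFFF, "type": EVENT_TYPES.get(f[6], hex(f[6])),
            "category": f[8], "strings": strings,
            "sid": buf[off + f[13]:off + f[13] + f[12]] if f[12] else None}

def walk_records(buf):
    """Yield each record from the end of the 0x30-byte header up to the next-record offset."""
    next_off = struct.unpack_from("<I", buf, 20)[0]  # header offset 20 (slide table)
    off = 0x30
    while off < next_off:
        rec = parse_record(buf, off)
        if rec is None:
            break  # corrupted record: stop here rather than trust the rest of the file
        yield rec
        off += struct.unpack_from("<I", buf, off)[0]

def build_record(rec_no, when, event_id, etype, strings, sid=b""):
    """Constructed test data only: assemble a record in the on-disk layout."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    size = 56 + len(sid) + len(body) + 4
    fixed = struct.pack(REC, size, MAGIC, rec_no, when, when, event_id, etype, len(strings),
                        0, 0, rec_no, 56 + len(sid), len(sid), 56, 0, size - 4)
    return fixed + sid + body + struct.pack("<I", size)

# Constructed sample .evt image: header (12 DWORDs) plus a logon 528 and a System info event
SAMPLE = b"".join([build_record(1, 1199145600, 528, 0x08, ["Administrator", "WORKSTATION"]),
                   build_record(2, 1199145660, 6005, 0x04, ["Event log service started"])])
HEADER = struct.pack("<I4s10I", 0x30, MAGIC, 1, 1, 0x30, 0x30 + len(SAMPLE), 3, 1,
                     512 * 1024, 0, 0, 0x30)
```

Feed `walk_records()` the bytes of a real .evt file to get a list of dicts that can be written out as CSV, the same shape of output the slides load into Excel.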
29
evtstats.exe Lots of events
30
lsevt.exe Entry for each of the 2464 Event Records
31
lsevt2.exe
Entry for each of the 2464 Event Records
Puts it into an Excel readable format
lsevt -f event_file -c > save_file.csv
32
Excel – Open .csv file
33
Change Format Choose Delimited
34
Identify Separators
Harlan’s stuff is separated by semicolons. With Perl knowledge you could change it.
35
Excel – Manipulable
36
Information
37
Other Logs
IE Browsing History
Set Up
XP Firewall
Recycle Bin
Shortcut Files
38
IE Browsing History
Index.dat files
DiscoverPro
NetAnalysis
Index.dat Spy
SuperWinSpy
Be careful !!!
39
NetAnalysis
40
Set Up Logs
Setuplog.txt
Setupact.log
SetupAPI.log
Netsetup.log
41
Setuplog.txt C:\WINDOWS
42
Setupact.log C:\WINDOWS
43
SetupAPI.log C:\WINDOWS
44
NetSetup.log C:\Windows\Debug
45
Task Scheduler Log SchedLgU.txt
46
Enabling Firewall Logging
Control Panel -> Security Center -> Windows Firewall -> Advanced
Follow your nose
47
Firewall Log C:\WINDOWS\pfirewall.log
48
Recycle Bin
C:\RECYCLER
Each user gets his own folder
Use the user’s SID
Each has its own INFO2 file
49
Recycle Bin
50
recbin.exe
51
INFO2 File Structure
Header: 16 bytes
Final 4 bytes (DWORD) is the size of each record: 0x320 (little endian) = 800 bytes
Records:
Record # at offset 264 within the record
Drive designator at offset 268 (2 = C:\, 3 = D:\, etc.)
File size in clusters at offset 280
52
Open INFO2 in WinHex
Very hard
File -> Open
Navigate to C:\RECYCLER and open it
Select a SID file and open it. It may say you don’t have privileges
Type \INFO2
Try again! Maybe
53
INFO2 Record Size
Record size 0x00320 = 800 (decimal)
Drive indicator 0x0002
Size in clusters 0x0001
54
File Metadata – MAC Times
OS - OS       Action  From  To  Create time  Modification time
FAT to FAT    Copy    C:\       Updated      Unchanged
FAT to FAT    Move    C:\       Unchanged
FAT to NTFS   Copy              Updated      Unchanged
FAT to NTFS   Move              Unchanged
NTFS to NTFS  Copy    C:\       Updated      Unchanged
NTFS to NTFS  Move    C:\       Unchanged
55
Word Documents
Document location
Statistics
Magic number
Version and language
Last 10 authors
MACPS times: modified, accessed, created, printed, saved
56
MergeStreams
Insert a spreadsheet into a Word document
Call it .doc – you see the Word document
Call it .xls – you see the spreadsheet
All sorts of uses
Smuggling out forecasts
Sharing pictures on the corporate server
57
PDF Files
Similar metadata to Word docs
Easily accessed: File -> Properties
58
Image Files – EXIF data
60
Original photo off of the camera
After Photoshop manipulation
61
Tweet Metadata
62
ADS – Alternative Data Streams
Native to NTFS
Permits a data file to contain scripts or executable code
No NT native tools to detect them
Native tools to create and launch them