SlideShare uma empresa Scribd logo

Windows 7 forensics event logs-dtl-r3

CTIN
CTIN
Tecnologia
1 de 49
Baixar para ler offline
Digital Forensics and Windows 7 Event Logs Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
Introduction Vista/Windows 7 Event Logging: • New format *.evtx. • More, many more, event log files. • New system for collecting and displaying events. • New security event numbering.
Windows Event Logs Before Vista—Event Log. Vista to present—Windows Event • The big three: Log. – System. • The big three: – Security. – System. – Application. – Security. • Binary file, .evt. – Application. • WindowsSystem32config – Plus 100+ more event log files. – Binary/xml format—.evtx.* • Documented and well known. • C:WindowsSystem32winevt Logs • New, documentation growing. http://msdn.microsoft.com/en- http://msdn.microsoft.com/en- us/library/aa363652(v=VS.85).aspx us/library/aa385780(v=VS.85).aspx *http://computer.forensikblog.de/en/topics/windows/vista_event_log/
Windows Event Logs C:WindowsSystem32winevtLogs
Windows Event Logs What is an event log?
Windows Event Logs An event log is more than its .evtx file. • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs. • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog
From *.evtx to Event Log Registry: HKLMSYSTEMControlSet001serviceseventlog *.evtx file MessageFile.dll Event Viewer
Windows Event Logs • Impact on forensics? – Information in an event log often depends on message DLLs. – To get the message information, one must have the message DLLs available at the time the logs are- • Collected; or • Read. – Security events generally consistent within same versions of Windows (message DLLs the same). – Application logs pose the biggest risk of incompatible or missing message information—as message DLLs depend on the installed applications.
Windows Event Logs • Solutions: – Collect logs live, before shutting down a system. • For Example: – >psloglist.exe -s -x Application > AppEvent.csv – >psloglist.exe -s -x System > SysEvent.csv – >psloglist.exe -s -x Security > SecEvent.csv – Rebuild registry references to message DLLs on the analysis workstation. • Generally, not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
Windows Event Logs • Configuring the analyst workstation for reviewing event logs: – Identify the missing message DLLs. • Specified by the registry key for the component with the incomplete event record. – Copy message DLLs to analyst work station. – Add registry keys for component to specify location of the message DLLs.
Windows Event Logs • Identify missing message DLLs. – Review system registry hive file of the system from which the event log file was taken.
Windows Event Logs • Extract the message DLL(s) from the source system and copy to the analyst’s workstation. – New location or recreate original path.
Windows Event Logs • Recreate the registry serviceseventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values. HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogApplicationCommunicator • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
Windows Event Logs • Event logs in forensic examinations: – Rarely a primary source of information. • Noisy. • Significant events often only stand out when there are dates, times, or other items to bring focus to an event. – Security events are often not significant. • Dependent on the security audit settings. – Often evidence of compromise is found in the System and Application event logs or one of the new, narrowly focused logs. • System or application crashes. • Errors, warnings, information.
Windows Event Logs Working with the Windows 7 Event Viewer
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
Windows Event Logs • Start by selecting the event source, as this will populate the other choices.
Windows Event Logs • Next, focus on Task categories—here, selecting logon and logoff.
Windows Event Logs • Finally, Keywords, here selecting Audit Failure and Audit Success.
Windows Event Logs The filtered view.
Windows Event Logs And now, the event logs.
Windows Event Logs • System Events. – Logged by Windows and Windows system services, and are classified as error, warning, or information. – Typical interesting events: • Time Change. • Startup and shutdown. • Services startup, shutdown, failures. • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events. http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs • Application events. – Program Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service. – Typical interesting events would be those relating to programs that could be relevant to an investigation. • Application errors. – E.g., BackupExec agent attack. – Antivirus or malware detection events. • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long standing system problems. – Note: application logging is controlled by the applications—so events are defined by the application developers. – Not all application generate events.
Windows Event Logs
Windows Event Logs
Windows Event Logs • Security events. – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful. – Depend on audit policy. – Noisy. – Completely different Security event IDs from all versions before Vista. – General Tip: Translate pre-Vista Event ID numbers to the new Vista event ID numbers by adding 4096. – There are a number of new security events. – Typical events of interest: • Account logon and logoff. • Failed logon attempts. • Account escalation. • Process execution.
Windows Event Logs 9 audit categories.
Windows Event Logs Clicking on an audit category can provide you with an explanation of what the category audits.
Windows Event Logs http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3A15B562-4650-4298-9745-D9B261F35814&displaylang=en
Windows Event Logs
Windows Event Logs http://support.microsoft.com/kb/977519
Windows Event Logs Further Information: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx http://blogs.msdn.com/b/ericfitz/
Windows Event Logs All those other logs.
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs
Windows Event Logs • Emphasis: Usually on Security Events, but other event logs may have more to offer. • Event log are not typically the primary evidence. – Often too noisy. • Best used when other facts fix times, or implicate specific accounts or computers. • Often, most useful in a timeline with other items of significance.
Windows Event Logs

Recomendados

Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Stegano Forensics
Stegano ForensicsStegano Forensics
Stegano ForensicsChiawei Wang
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 

Recomendados

Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensicsPrince Boonlia
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Stegano Forensics
Stegano ForensicsStegano Forensics
Stegano ForensicsChiawei Wang
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensicsPrince Boonlia
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics nullowaspmumbai
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Secure Session Management
Secure Session ManagementSecure Session Management
Secure Session ManagementGuidePoint Security, LLC
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
Syslog
SyslogSyslog
SyslogSangJung Woo
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 

Mais conteúdo relacionado

Mais procurados

Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 

Mais procurados (20)

Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
NTFS Forensics
NTFS Forensics NTFS Forensics
NTFS Forensics
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics print
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Secure Session Management
Secure Session ManagementSecure Session Management
Secure Session Management
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
 
Syslog
SyslogSyslog
Syslog
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 

Destaque

Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Mark Matienzo
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!Nearpod
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source ForensicsCTIN
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007CTIN
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGEduardo Chavarro
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityCTIN
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 
Edrm
EdrmEdrm
EdrmCTIN
 

Destaque (20)

Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
 
File system
File systemFile system
File system
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
Raidprep
RaidprepRaidprep
Raidprep
 
Open Source Forensics
Open Source ForensicsOpen Source Forensics
Open Source Forensics
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Sadfe2007
Sadfe2007Sadfe2007
Sadfe2007
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It Security
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Edrm
EdrmEdrm
Edrm
 

Semelhante a Windows 7 forensics event logs-dtl-r3

williams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfwilliams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfVinceVulpes
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Windows 7 Application Compatibility
Windows 7 Application CompatibilityWindows 7 Application Compatibility
Windows 7 Application Compatibilitymicham
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfableelectronics
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 
Note This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdfNote This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdfsagaraccura
 
Top 10 Tricks and Tools of an Oracle EPM Administrator
Top 10 Tricks and Tools of an Oracle EPM AdministratorTop 10 Tricks and Tools of an Oracle EPM Administrator
Top 10 Tricks and Tools of an Oracle EPM Administratornking821
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection Damir Delija
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 

Semelhante a Windows 7 forensics event logs-dtl-r3 (20)

williams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfwilliams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdf
 
LDAP-prepare.pptx
LDAP-prepare.pptxLDAP-prepare.pptx
LDAP-prepare.pptx
 
LDAP-prepare.pptx
LDAP-prepare.pptxLDAP-prepare.pptx
LDAP-prepare.pptx
 
File000138
File000138File000138
File000138
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
 
ISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdfISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdf
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Windows 7 Application Compatibility
Windows 7 Application CompatibilityWindows 7 Application Compatibility
Windows 7 Application Compatibility
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdf
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
 
Note This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdfNote This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdf
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Top 10 Tricks and Tools of an Oracle EPM Administrator
Top 10 Tricks and Tools of an Oracle EPM AdministratorTop 10 Tricks and Tools of an Oracle EPM Administrator
Top 10 Tricks and Tools of an Oracle EPM Administrator
 
EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection EnCase Enterprise Basic File Collection
EnCase Enterprise Basic File Collection
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 

Mais de CTIN

Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4CTIN
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsCTIN
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Nra
NraNra
NraCTIN
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
Computer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassComputer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassCTIN
 
CyberCrime
CyberCrimeCyberCrime
CyberCrimeCTIN
 
Search Warrants
Search WarrantsSearch Warrants
Search WarrantsCTIN
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 
Networking Overview
Networking OverviewNetworking Overview
Networking OverviewCTIN
 
M Compevid
M CompevidM Compevid
M CompevidCTIN
 
L Scope
L ScopeL Scope
L ScopeCTIN
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The DayCTIN
 
Law Enforcement Role In Computing
Law Enforcement Role In ComputingLaw Enforcement Role In Computing
Law Enforcement Role In ComputingCTIN
 
Level1 Part7 Basic Investigations
Level1 Part7 Basic InvestigationsLevel1 Part7 Basic Investigations
Level1 Part7 Basic InvestigationsCTIN
 
K Ai
K AiK Ai
K AiCTIN
 
July132000
July132000July132000
July132000CTIN
 
Investigative Team
Investigative TeamInvestigative Team
Investigative TeamCTIN
 

Mais de CTIN (20)

Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011
 
Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4Windows 7 forensics thumbnail-dtl-r4
Windows 7 forensics thumbnail-dtl-r4
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows Systems
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Nra
NraNra
Nra
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
 
Computer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer TrespassComputer Searchs, Electronic Communication, Computer Trespass
Computer Searchs, Electronic Communication, Computer Trespass
 
CyberCrime
CyberCrimeCyberCrime
CyberCrime
 
Search Warrants
Search WarrantsSearch Warrants
Search Warrants
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Networking Overview
Networking OverviewNetworking Overview
Networking Overview
 
M Compevid
M CompevidM Compevid
M Compevid
 
L Scope
L ScopeL Scope
L Scope
 
Level1 Part8 End Of The Day
Level1 Part8 End Of The DayLevel1 Part8 End Of The Day
Level1 Part8 End Of The Day
 
Law Enforcement Role In Computing
Law Enforcement Role In ComputingLaw Enforcement Role In Computing
Law Enforcement Role In Computing
 
Level1 Part7 Basic Investigations
Level1 Part7 Basic InvestigationsLevel1 Part7 Basic Investigations
Level1 Part7 Basic Investigations
 
K Ai
K AiK Ai
K Ai
 
July132000
July132000July132000
July132000
 
Investigative Team
Investigative TeamInvestigative Team
Investigative Team
 

Último

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

Windows 7 forensics event logs-dtl-r3

  • 1. Digital Forensics and Windows 7 Event Logs Troy Larson Principal Forensics Program Manager TWC Network Security Investigations NSINV-R3– Research|Readiness|Response
  • 2. Introduction Vista/Windows 7 Event Logging: • New format *.evtx. • More, many more, event log files. • New system for collecting and displaying events. • New security event numbering.
  • 3. Windows Event Logs Before Vista—Event Log. Vista to present—Windows Event • The big three: Log. – System. • The big three: – Security. – System. – Application. – Security. • Binary file, .evt. – Application. • WindowsSystem32config – Plus 100+ more event log files. – Binary/xml format—.evtx.* • Documented and well known. • C:WindowsSystem32winevt Logs • New, documentation growing. http://msdn.microsoft.com/en- http://msdn.microsoft.com/en- us/library/aa363652(v=VS.85).aspx us/library/aa385780(v=VS.85).aspx *http://computer.forensikblog.de/en/topics/windows/vista_event_log/
  • 4. Windows Event Logs C:WindowsSystem32winevtLogs
  • 5. Windows Event Logs What is an event log?
  • 6. Windows Event Logs An event log is more than its .evtx file. • The log displayed in the Event Viewer is a compilation of an .evtx file and components of one or more message DLLs. • The Registry links the .evtx to its message DLLs, which together create the complete event log presented by the Event Viewer. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetserviceseventlog
  • 7. From *.evtx to Event Log Registry: HKLMSYSTEMControlSet001serviceseventlog *.evtx file MessageFile.dll Event Viewer
  • 8. Windows Event Logs • Impact on forensics? – Information in an event log often depends on message DLLs. – To get the message information, one must have the message DLLs available at the time the logs are- • Collected; or • Read. – Security events generally consistent within same versions of Windows (message DLLs the same). – Application logs pose the biggest risk of incompatible or missing message information—as message DLLs depend on the installed applications.
  • 9. Windows Event Logs • Solutions: – Collect logs live, before shutting down a system. • For Example: – >psloglist.exe -s -x Application > AppEvent.csv – >psloglist.exe -s -x System > SysEvent.csv – >psloglist.exe -s -x Security > SecEvent.csv – Rebuild registry references to message DLLs on the analysis workstation. • Generally, not necessary unless there are recorded events that are important and need to be resolved with their corresponding message DLLs.
  • 10. Windows Event Logs • Configuring the analyst workstation for reviewing event logs: – Identify the missing message DLLs. • Specified by the registry key for the component with the incomplete event record. – Copy message DLLs to analyst work station. – Add registry keys for component to specify location of the message DLLs.
  • 11. Windows Event Logs • Identify missing message DLLs. – Review system registry hive file of the system from which the event log file was taken.
  • 12. Windows Event Logs • Extract the message DLL(s) from the source system and copy to the analyst’s workstation. – New location or recreate original path.
  • 13. Windows Event Logs • Recreate the registry serviceseventlog key(s) and values on the analyst’s workstation so that they point to the copied message DLL(s). Include all original values. HKEY_LOCAL_MACHINESYSTEMControlSet001serviceseventlogApplicationCommunicator • The Event Viewer should now pull in the expected message DLL information when the event log is viewed.
  • 14. Windows Event Logs • Event logs in forensic examinations: – Rarely a primary source of information. • Noisy. • Significant events often only stand out when there are dates, times, or other items to bring focus to an event. – Security events are often not significant. • Dependent on the security audit settings. – Often evidence of compromise is found in the System and Application event logs or one of the new, narrowly focused logs. • System or application crashes. • Errors, warnings, information.
  • 15. Windows Event Logs Working with the Windows 7 Event Viewer
  • 19. Windows Event Logs Filtering is much improved in Windows 7. Filter the event logs to reduce the noise.
  • 20. Windows Event Logs • Start by selecting the event source, as this will populate the other choices.
  • 21. Windows Event Logs • Next, focus on Task categories—here, selecting logon and logoff.
  • 22. Windows Event Logs • Finally, Keywords, here selecting Audit Failure and Audit Success.
  • 23. Windows Event Logs The filtered view.
  • 24. Windows Event Logs And now, the event logs.
  • 25. Windows Event Logs • System Events. – Logged by Windows and Windows system services, and are classified as error, warning, or information. – Typical interesting events: • Time Change. • Startup and shutdown. • Services startup, shutdown, failures. • Startups should be logged, but crashes or errors could prevent logging of shutdown or termination events. http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer
  • 29. Windows Event Logs • Application events. – Program Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service. – Typical interesting events would be those relating to programs that could be relevant to an investigation. • Application errors. – E.g., BackupExec agent attack. – Antivirus or malware detection events. • Combined with System events, Application events can show that symptoms of suspected intrusions or compromises could have been long standing system problems. – Note: application logging is controlled by the applications—so events are defined by the application developers. – Not all application generate events.
  • 32. Windows Event Logs • Security events. – These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful. – Depend on audit policy. – Noisy. – Completely different Security event IDs from all versions before Vista. – General Tip: Translate pre-Vista Event ID numbers to the new Vista event ID numbers by adding 4096. – There are a number of new security events. – Typical events of interest: • Account logon and logoff. • Failed logon attempts. • Account escalation. • Process execution.
  • 33. Windows Event Logs 9 audit categories.
  • 34. Windows Event Logs Clicking on an audit category can provide you with an explanation of what the category audits.
  • 37. Windows Event Logs http://support.microsoft.com/kb/977519
  • 38. Windows Event Logs Further Information: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx http://blogs.msdn.com/b/ericfitz/
  • 39. Windows Event Logs All those other logs.
  • 48. Windows Event Logs • Emphasis: Usually on Security Events, but other event logs may have more to offer. • Event log are not typically the primary evidence. – Often too noisy. • Best used when other facts fix times, or implicate specific accounts or computers. • Often, most useful in a timeline with other items of significance.