Chapter 8. Event Log Analysis
In this chapter, we will learn about Event Logs in the Microsoft operating system. We will discuss why it is important to cover issues related to event logs for successful investigation. We will consider differences between event logs depending on the MS Windows version.
Event Logs - an introduction
When an operating system works, a lot of events take place in the system. The range of these events is very large and a majority of them can be registered in the system. To register events on the system, there is a powerful mechanism called Event Logging. It presents a standard centralized way, which the operating system and applications use to record important information coming from software and hardware. An event can be something that occurred in the system or in some application, and it is necessary to notify the user. Information about every event should be recorded.
Events are collected and stored by the Event Logging Service. This keeps events from different sources in event logs. Event logs provide chronological information, which allows us to determie problems in the system environment and security and tracks users' activities and the usage of system resources. However, the kind of data that will be actually recorded in an event log is dependent on system...
Now that we've figured out that Windows event logs contain a lot of useful information and that they can be very valuable resources to detect security incidents, let's see where event logs can be found on different versions of MS Windows.
In the evolution of the MS Windows process, even the Event Logs system was changed. It originally appeared in MS Windows 3.1. Some minor changes occurred in every Windows version, but the names of event logs files and paths remained the same until Windows 2003. Initial versions used the .evt binary format. This format is not suitable to search for strings or to browse for information without special software. Also, these logs have size limitations in results; therefore, new upcoming events could rewrite old stored data.
Before Vista, the event logs were as follows:
%System root%\System32\config
However, starting from Vista and Server 2008, significant changes were implemented in the event logs structure, types, and locations on the filesystem...
When event logs are analyzed, the most common approach is to export logs and then review them on the forensics workstation. There are a few reasons for such an approach. Often, we need to analyze a few event logs (for example, System, Security, and Application) from several workstations and Domain Controller. So, it is very convenient to have all event log files in one place. Also, many forensics tools not enough good work with event logs.
There are two main approaches to export event logs:
Live systems
Offline systems
Both of them have their own set of features; let's see what they are.
While working with live systems, remember that event log files are always used, which creates some additional challenges. One way of exporting data from a live system is using Event Viewer. If you right-click on the event log file, the
Save All Events As...
option will appear. Logs can be saved in various formats, including
.evtx
, .csv
, .xml
, or .txt
. If you are concerned...
In this chapter, we have seen that event logs can be a useful source of evidence for forensic investigations. We examined the structure of event logs and looked at the features of event log systems for various Windows operating systems. We looked at some tools, which you can use to analyze event logs.
In the next chapter, we will look at some files with which the Windows OS works. These files are artifacts of Windows live, and they reflect what occurred in the system. We will learn to analyze prefetch, links, and jobs files.