System Event Logs


SYSTEM EVENT LOGS

OVERVIEW

• Important in timeline reconstruction
• Event logs and application logs chronicle what happened when
• Not always in a human-readable format
• Missing or inconsistent logs are themselves an IOC

WINDOWS EVENT LOGS

• Older versions stored in binary format
• Proper name is just ‘Event Log’
• See evtparse.pl and evtrpt.pl from Carvey
• Categorized by type:
  • System
  • Security
  • Application

WINDOWS EVENT LOGS (CONT.)

• Stored in %systemroot%\system32\config
• 5 types or levels:
  • Error
  • Warning
  • Information
  • Success Audit
  • Failure Audit

WINDOWS EVENT LOGS (CONT.)

• Starting with Vista/Server 2008, logs are written in XML (EVTX format)
• Additional properties added (e.g. Process ID, Thread ID, Processor ID, Session ID)
• New channels for Setup and ForwardedEvents
• New Event Viewer for filtering and exporting

WINDOWS EVENT LOGS (CONT.)

• Logs can be purged, rolled over, or deleted
• In the worst case, recovery involves searching unallocated space
• Old-style Windows binary entries are preceded by the ‘LfLe’ magic number
• Use Microsoft’s logparser to query
• Use wevtutil to convert old to new
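The ‘LfLe’ magic makes old-style records easy to recover from unallocated space: each EVENTLOGRECORD begins with its length, then the magic, and repeats the length as its last DWORD, so a carver can scan for the signature and validate each hit before trusting it. The following carver is an added example written for this page, not one of Carvey’s scripts; the header layout is the documented EVENTLOGRECORD structure, and the buffer it scans is constructed sample data standing in for a chunk of unallocated clusters.

```python
import struct
from datetime import datetime, timezone

# Every pre-Vista EVENTLOGRECORD starts with its length followed by the
# 'LfLe' magic; the length is repeated as the last DWORD of the record,
# which gives a cheap sanity check when carving.
EVT_MAGIC = b"LfLe"
HEADER_FMT = "<IIIIIIHHHHIIIIII"            # Length, Reserved('LfLe'), RecordNumber, TimeGenerated,
HEADER_LEN = struct.calcsize(HEADER_FMT)    # TimeWritten, EventID, EventType, NumStrings, EventCategory,
                                            # ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength,
                                            # UserSidOffset, DataLength, DataOffset (56 bytes)

# EventType values: the five levels listed on the slide
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Success Audit", 16: "Failure Audit"}


def _read_utf16z(buf, off):
    """Return the NUL-terminated UTF-16LE string at off and the offset just past it."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def carve_evt_records(buf):
    """Scan arbitrary bytes (e.g. unallocated clusters) for .evt records.

    A hit is accepted only if the header length is plausible, the record fits
    in the buffer and the trailing length DWORD matches; stray 'LfLe' strings
    in unrelated data fail those checks and are skipped.
    """
    records = []
    pos = buf.find(EVT_MAGIC)
    while pos != -1:
        start = pos - 4                                   # the Length DWORD precedes the magic
        if start >= 0 and start + HEADER_LEN <= len(buf):
            fields = struct.unpack_from(HEADER_FMT, buf, start)
            length, end = fields[0], start + fields[0]
            if (HEADER_LEN + 4 <= length and end <= len(buf)
                    and struct.unpack_from("<I", buf, end - 4)[0] == length):
                source, nxt = _read_utf16z(buf, start + HEADER_LEN)
                computer, _ = _read_utf16z(buf, nxt)
                records.append({
                    "offset": start,
                    "record_number": fields[2],
                    "time_generated": datetime.fromtimestamp(fields[3], tz=timezone.utc),
                    "time_written": datetime.fromtimestamp(fields[4], tz=timezone.utc),
                    "event_id": fields[5] & 0xFFFF,       # low word is the familiar Event ID
                    "event_type": EVENT_TYPES.get(fields[6], f"unknown ({fields[6]})"),
                    "source": source,
                    "computer": computer,
                })
        pos = buf.find(EVT_MAGIC, pos + 1)
    return records


def build_evt_record(record_number, time_generated, event_id, event_type, source, computer):
    """Build a minimal well-formed record (constructed sample data, not from a real system)."""
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)                    # pad to a DWORD boundary
    tail = HEADER_LEN + len(body)                         # no SID, strings or data in this sample
    length = tail + 4
    header = struct.pack(HEADER_FMT, length, 0x654C664C, record_number,
                         time_generated, time_generated, event_id, event_type,
                         0, 0, 0, 0, tail, 0, tail, 0, tail)
    return header + body + struct.pack("<I", length)


# Constructed stand-in for unallocated space: slack, two records, and a stray
# 'LfLe' inside unrelated data that must not be reported as a record.
SAMPLE_UNALLOCATED = (
    b"\x00" * 37
    + build_evt_record(1024, 1299000000, 528, 8, "Security", "WS-01")
    + b"unrelated text with the string LfLe in it\xff\xff\xff\xff"
    + build_evt_record(1025, 1299000060, 7036, 4, "Service Control Manager", "WS-01")
    + b"\x00" * 11
)

if __name__ == "__main__":
    for rec in carve_evt_records(SAMPLE_UNALLOCATED):
        print(f"@{rec['offset']:#06x} #{rec['record_number']} {rec['time_generated']:%Y-%m-%d %H:%M:%S} "
              f"{rec['source']}/{rec['event_id']} {rec['event_type']}")
```

One caveat for real images: the .evt file is a ring buffer, so the last record in a live log can wrap from the end of the file back to the start, and records carved from unallocated space may be partial; the trailing-length check rejects both cases, so treat a hit that fails only that check as a candidate worth a manual look rather than noise.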

RECYCLE BIN

• Can be disabled per volume
• See registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
• Files moved to the Recycle Bin are named in accordance with KB 136517
• Index file INFO2 keeps track of the original name
• To extract data from INFO2 see recbin.pl
• Vista changed the name format of deleted files
• Folder named with the SID of the deleting user
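To show what recbin.pl recovers, here is an added INFO2 parser written for this page (not Carvey’s script). It assumes the Windows 2000/XP layout documented for INFO2: a 20-byte header whose DWORD at offset 12 is the record size, followed by 800-byte records holding the ANSI path, index, drive number, FILETIME of deletion, size and the UTF-16 path. The KB 136517 name (D + drive letter + index + original extension) is rebuilt from the index and drive number so the recycled file can be matched to its entry. The INFO2 bytes below are constructed sample data.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# INFO2 layout assumed here (Windows 2000/XP): 20-byte header, record size at
# offset 12 (0x320 = 800), then fixed-size records.
INFO2_HEADER_LEN = 20
INFO2_RECORD_FMT = "<260sIIQI520s"          # ANSI path, index, drive number, FILETIME, size, UTF-16 path
INFO2_RECORD_SIZE = struct.calcsize(INFO2_RECORD_FMT)   # 800

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def recycle_bin_name(drive_number, index, original_path):
    """Name the file carries inside the bin per KB 136517: D + drive letter + index + extension."""
    letter = chr(ord("a") + drive_number)          # drive number 0 = A:, 2 = C:
    return f"D{letter}{index}{ntpath.splitext(original_path)[1]}"


def parse_info2(buf):
    """Return one dict per INFO2 record, including the reconstructed recycled name."""
    record_size = struct.unpack_from("<I", buf, 12)[0]
    if record_size != INFO2_RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size}")
    entries = []
    for off in range(INFO2_HEADER_LEN, len(buf) - record_size + 1, record_size):
        ansi, index, drive, deleted_ft, size, uni = struct.unpack_from(INFO2_RECORD_FMT, buf, off)
        # When a file is restored or the bin is emptied, Windows zeroes the first
        # byte of the ANSI path but leaves the UTF-16 copy, so the name survives.
        restored_or_purged = ansi[0] == 0
        original = uni.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        entries.append({
            "index": index,
            "original_path": original,
            "recycled_name": recycle_bin_name(drive, index, original),
            "deleted_at": filetime_to_datetime(deleted_ft),
            "size": size,
            "restored_or_purged": restored_or_purged,
        })
    return entries


def build_info2_record(index, drive, path, deleted_at, size, zero_first_byte=False):
    """Constructed record for the sample below (struct pads the 's' fields with NULs)."""
    ansi = path.encode("cp1252")
    if zero_first_byte:
        ansi = b"\x00" + ansi[1:]
    return struct.pack(INFO2_RECORD_FMT, ansi, index, drive,
                       datetime_to_filetime(deleted_at), size, path.encode("utf-16-le"))


# Constructed INFO2: XP-style header (version 5) plus two records, the second
# of which has already been restored or purged.
SAMPLE_INFO2 = (
    struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_SIZE, 0)
    + build_info2_record(5, 2, r"C:\Documents and Settings\alice\My Documents\budget.xls",
                         datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc), 24576)
    + build_info2_record(6, 2, r"C:\Documents and Settings\alice\Desktop\notes.txt",
                         datetime(2011, 3, 1, 12, 5, 30, tzinfo=timezone.utc), 1024,
                         zero_first_byte=True)
)

if __name__ == "__main__":
    for e in parse_info2(SAMPLE_INFO2):
        state = "restored/purged" if e["restored_or_purged"] else "in bin"
        print(f"{e['recycled_name']:<10} {e['deleted_at']:%Y-%m-%d %H:%M:%S} {e['size']:>8} "
              f"{state:<15} {e['original_path']}")
```

Because the UTF-16 path outlives the ANSI copy, INFO2 still tells you what was deleted, and when, even after the user emptied the bin; the same FILETIME conversion applies to the $I index files that replaced INFO2 from Vista onward.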

PREFETCH FILES

• Performance feature of Windows
• Metadata available for run count, when launched, associated DLLs
• Parse directory with pref.pl
• Also PFDump.exe

WINDOWS SCHEDULED TASKS

• Created via GUI or via API
• Also at.exe or schtasks.exe (can schedule remotely)
• On <2003 tasks are in C:\Windows\Tasks
• Stored in binary format
• Win7 jobs are in \Windows\System32\Tasks in XML format
• When collecting data in Live Response, use both at.exe and schtasks.exe to see ALL jobs

JUMP LISTS

• New to Win7
• Think ‘Recent Docs’
• System keeps track of recently used files by application
• Stored in the user’s profile under AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• Information is also stored in binary format
• Documented by Microsoft
• Use MiTeC Structured Storage Viewer

HIBERNATION FILES

• Contain a memory dump of the running system
• Volatility can be used to analyze the data
• A varied amount of valuable information can be stored (e.g. keys for encrypted volumes)

APPLICATION LOGS

• Numerous installed applications maintain their own logs
  • AV logs, Skype, Apple software, …
• Usefulness depends on the goal of the investigation
• AV logs
• Skype – view main.db with Skype Log View
• Apple software – may produce backup images of devices
• Image metadata in EXIF format

SUMMARY

• Information useful to a case can be found in many locations
• Pick the right log or logs for the job
• The list of applications is certainly not exhaustive
• New applications will have new logs
