Windows Forensics: (8- Event Logs Analysis)

Ahmed Belhadjadji
3 min readApr 11, 2023
Windows Forensics: Event Logs Analysis
Window Event Logs Forensics

We reached the eighth and final phase of Windows forensics process, all the 7 previous steps are mentioned below:

1- Gathering Volatile Information: link

2- Collecting Non-volatile Information: link

3- Memory Analysis: link

4- Registry Analysis: link

5- Cache, Cookies, and History Analysis: link

6.7- Windows Files and Metadata analysis: link

The Windows operating system logs all user activity on the system and can serve as a valuable source of evidence in a forensic investigation. By parsing these event log files, investigators can identify indicators of malware activity, external device connections, unauthorized data access or exfiltration, and more.

Definition

  • On any Windows system, event logs capture a range of everyday occurrences.
  • While some events are logged by default, others are subject to audit configurations stored in the PolAdEvt registry key.
  • Event log configuration are maintained in: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<EventLog>
Event log Registry configuration
  • Log structure: header record(1), event records(*), end-of-file record(1)

Windows 10 Event Logs

Windows 10 store event logs in EVTX file format and are based on XML

wevtutil el

to list available event logs on the system

wevtutil gl <log_name>

to list configuration information about a specific event log

Evaluating Account Management Events

  • Used to record changes to accounts and group membership including: Creation, Deletion, Disabling of accounts, Modifying which accounts belong to which groups, Account lockouts, Account reactivations
  • When a system is compromised, attackers will often attempt to disable auditing (policy change > ‘4719’ event)
  • To locate the audit policies:
    secpol.msc > Local Policies > Audit Policy > Audit Policy Change

Event Logs

  • Windows event logs are stored in: C:\Windows\System32\winevt\Logs
  • Three main components of the Windows event logs are:
    - Application Log: It records the application-related events like VNC & RDP clients.
    - Security Log: It records logon/logoff, unauthorized, and security related activities.
    - System Log: It records events related to Windows system components such as device drivers and hardware changes, starting and stopping of services, etc.
  • Tools such Microsoft Log Parser and Event Log Explorer can help parsing event log
  • Use Filter and Find features in Event Viewer, under the Actions pane

Examining Removable Storage Using Event Viewer

  • Configure the Audit File System and Audit Removable Storage to enable auditing of all access requests from all removable storages
    secpol.msc > Advanced Policy Configurations > System Audit Policies > Object Accesses > Audit Removable Storage
  • Once enabled, search for event ID 4663 where Task Category is Removable Storage

I hope this was helpful, See you next time

--

--