Windows Forensics: Event Logs Analysis
We have reached the eighth and final phase of the Windows forensics process; the seven previous steps are listed below:
1- Gathering Volatile Information: link
2- Collecting Non-volatile Information: link
3- Memory Analysis: link
4- Registry Analysis: link
5- Cache, Cookies, and History Analysis: link
6-7- Windows Files and Metadata Analysis: link
The Windows operating system records a wide range of system and user activity in its event logs, which can serve as a valuable source of evidence in a forensic investigation. By parsing these event log files, investigators can identify indicators of malware activity, external device connections, unauthorized data access or exfiltration, and more. Only events covered by the effective audit policy are written, so gaps in coverage are themselves worth documenting.
- On any Windows system, event logs capture a range of everyday occurrences.
- Some events are logged by default; others are written only when the audit policy enables them. The effective audit policy is stored in the registry under HKLM\SECURITY\Policy\PolAdtEv.
- Event log configuration (log file path, maximum size, retention) is maintained under: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<EventLog>
- Log structure (legacy .evt format): one header record, any number of event records, one end-of-file record
Windows 10 Event Logs
Windows 10 stores event logs in the EVTX file format, whose records are XML-based (binary XML that Event Viewer and wevtutil render as XML)
to list the available event logs on the system:
wevtutil el
to show the configuration of a specific event log:
wevtutil gl <log_name>
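As an added example (not part of the original post), the following PowerShell session uses wevtutil to inventory the logs, preserve the Security log for offline analysis, and query the preserved copy instead of the live channel. The evidence folder C:\Cases\case01 is an assumption.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session; C:\Cases\case01 is a hypothetical evidence folder.
$Evidence = 'C:\Cases\case01'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Enumerate every log channel on the system, then inspect the Security log:
# gl shows configuration (file path, maxSize, retention), gli shows status
# (fileSize, numberOfLogRecords, oldestRecordNumber).
wevtutil el | Sort-Object
wevtutil gl Security
wevtutil gli Security

# Preserve the Security log as an .evtx file and record its SHA-256 so the
# copy can be verified later in the investigation.
$Copy = Join-Path $Evidence 'Security.evtx'
wevtutil epl Security $Copy
Get-FileHash -Algorithm SHA256 -Path $Copy |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path (Join-Path $Evidence 'hashes.csv') -NoTypeInformation -Append

# Query the preserved copy rather than the live log (/lf:true): the five most
# recent audit-policy changes (event ID 4719), newest first, as readable text.
wevtutil qe $Copy /lf:true '/q:*[System[(EventID=4719)]]' /c:5 /rd:true /f:text
```

Working from the exported copy keeps the live log untouched and gives you a hashed artifact to cite; the same XPath filter accepts any event ID or a TimeCreated range.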
Evaluating Account Management Events
- Records changes to accounts and group membership, including: account creation, deletion and disabling; changes to group membership; account lockouts; account reactivations
- When a system is compromised, attackers often try to disable auditing first; this leaves an audit policy change event (Security log event ID 4719, "System audit policy was changed"), so it is one of the first events to search for
- To locate the audit policies:
secpol.msc > Local Policies > Audit Policy > Audit Policy Change
- Windows event logs are stored in: C:\Windows\System32\winevt\Logs
- Three main components of the Windows event logs are:
- Application Log: records events written by applications, for example VNC and RDP clients.
- Security Log: records logon/logoff events, access failures, and other security-related activity (its contents depend on the audit policy in force).
- System Log: records events related to Windows system components, such as device drivers and hardware changes, or the starting and stopping of services.
- Tools such as Microsoft Log Parser and Event Log Explorer can help parse event logs
- Use Filter and Find features in Event Viewer, under the Actions pane
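The following PowerShell script is an added example, not code from the original post: it pulls the account-management event IDs and the 4719 audit-policy-change event discussed above out of either the live Security log or an exported .evtx file, flattens the fields an investigator needs, and flags account changes that closely follow a policy change. The exported path C:\Cases\case01\Security.evtx, the 30-day window and the 10-minute correlation window are assumptions.

```powershell
# Added example, not from the original post. Assumes an elevated session.
# $LogSource is either a live log name ('Security') or the hypothetical
# exported copy C:\Cases\case01\Security.evtx; $Days bounds the search.
$LogSource = 'Security'
$Days      = 30

# Account-management IDs plus 4719 (audit policy changed), as discussed above.
$EventMap = @{
    4719 = 'System audit policy was changed'
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
}

# Get-WinEvent takes LogName for a live channel and Path for an .evtx file.
$Filter = @{ Id = [int[]]$EventMap.Keys; StartTime = (Get-Date).AddDays(-$Days) }
if (Test-Path -LiteralPath $LogSource -PathType Leaf) { $Filter['Path'] = $LogSource }
else                                                   { $Filter['LogName'] = $LogSource }

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

# Flatten each record's EventData into a hashtable and keep the fields that
# answer "who did what to which account, and from which logon session".
$Rows = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Id           = $e.Id
        Description  = $EventMap[$e.Id]
        Subject      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId      = $data['SubjectLogonId']
        Target       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Member       = $data['MemberName']           # group-membership events only
        PolicyChange = $data['AuditPolicyChanges']   # 4719 only, e.g. %%8448 = success auditing removed
    }
}

# Chronological view; a 4719 shortly before a cluster of account changes is the
# "disable auditing, then act" pattern to look for.
$Rows | Sort-Object Time | Format-Table Time, Id, Description, Subject, Target, Member -AutoSize

# Flag it explicitly: every account change within 10 minutes after a 4719.
foreach ($p in ($Rows | Where-Object Id -eq 4719)) {
    $Rows | Where-Object { $_.Id -ne 4719 -and $_.Time -gt $p.Time -and $_.Time -le $p.Time.AddMinutes(10) } |
        ForEach-Object { Write-Warning ("{0} {1} by {2} follows audit-policy change at {3}" -f $_.Time, $_.Description, $_.Subject, $p.Time) }
}
```

The SubjectLogonId column lets you tie several changes back to one logon session, and therefore to the 4624 logon event that started it.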
Examining Removable Storage Using Event Viewer
- Enable the Audit Removable Storage subcategory (with Audit File System where file-level detail is also needed) to audit every access request to removable storage devices
secpol.msc > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Removable Storage
- Once enabled, search the Security log for event ID 4663 with Task Category "Removable Storage"; each event records the user, process, object name and access mask
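As an added example that is not part of the original post, this PowerShell enables the subcategory from the command line (the same setting as the secpol.msc path above), then summarises the resulting 4663 Removable Storage events by user, process and access type. It assumes an elevated session, the live Security log and a 24-hour search window.

```powershell
# Added example, not from the original post. Assumes an elevated session and
# the live Security log; the 24-hour window is an assumption.

# 1. Enable the Removable Storage subcategory from the command line (same
#    setting as the secpol.msc path above) and confirm it took effect.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /get /subcategory:"Removable Storage"

# 2. Collect 4663 events whose task category is Removable Storage. Filtering
#    on TaskDisplayName separates them from ordinary file-system 4663s.
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

# 3. Decode the AccessMask field (hex string such as 0x2) into the file
#    access rights that matter for exfiltration triage.
$AccessBits = @{
    0x1     = 'ReadData'
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
}
function ConvertTo-AccessNames([int]$Mask) {
    $names = foreach ($bit in $AccessBits.Keys) { if ($Mask -band $bit) { $AccessBits[$bit] } }
    if ($names) { $names -join ',' } else { '0x{0:X}' -f $Mask }
}

$Rows = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
        Access  = ConvertTo-AccessNames ([int]$data['AccessMask'])
    }
}

# 4. Timeline, then a count of which process wrote to or read from the device.
$Rows | Sort-Object Time | Format-Table -AutoSize
$Rows | Group-Object User, Process, Access |
    Select-Object Count, Name | Sort-Object Count -Descending
```

This subcategory is noisy once enabled, so keep the StartTime bound and, on a busy host, raise the Security log's maximum size before turning it on or the events you want will be overwritten.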
I hope this was helpful, See you next time