Windows Forensics: (8- Event Logs Analysis)
We have reached the eighth and final phase of the Windows forensics process; the seven previous steps are listed below:
1- Gathering Volatile Information: link
2- Collecting Non-volatile Information: link
3- Memory Analysis: link
4- Registry Analysis: link
5- Cache, Cookies, and History Analysis: link
6,7- Windows Files and Metadata Analysis: link
The Windows operating system logs all user activity on the system and can serve as a valuable source of evidence in a forensic investigation. By parsing these event log files, investigators can identify indicators of malware activity, external device connections, unauthorized data access or exfiltration, and more.
Definition
- On any Windows system, event logs capture a range of everyday occurrences.
- While some events are logged by default, others are recorded only when enabled by the audit policy, which is stored in the PolAdEvt registry key.
- Per-log configuration (file path, maximum size, retention) is maintained under: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<EventLog>
- Log structure: header record(1), event records(*), end-of-file record(1)
Windows 10 Event Logs
Windows 10 stores event logs in the EVTX file format, in which each event record is XML-based.
wevtutil el
lists the event logs available on the system
wevtutil gl <log_name>
shows the configuration of a specific event log (enabled state, log file path, maximum size, retention)
Evaluating Account Management Events
- Account management events record changes to accounts and group membership, including: account creation, deletion and disabling, changes to which accounts belong to which groups, account lockouts, and account reactivations
- When a system is compromised, attackers often attempt to disable auditing; a change to the audit policy is itself recorded as a policy change event (event ID 4719), so its presence is worth reviewing
- To locate the audit policies:
secpol.msc > Local Policies > Audit Policy > Audit Policy Change
Event Logs
- Windows event logs are stored in: C:\Windows\System32\winevt\Logs
- Three main components of the Windows event logs are:
- Application Log: records events generated by applications, such as VNC and RDP clients.
- Security Log: records logon/logoff events, unauthorized access attempts, and other security-related activity.
- System Log: records events related to Windows system components, such as device drivers and hardware changes, starting and stopping of services, etc.
- Tools such as Microsoft Log Parser and Event Log Explorer can help with parsing event logs
- Use the Filter and Find features in Event Viewer, under the Actions pane
Examining Removable Storage Using Event Viewer
- Configure the Audit File System and Audit Removable Storage subcategories to enable auditing of all access requests to removable storage devices
secpol.msc > Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Removable Storage
- Once enabled, search the Security log for event ID 4663 where the Task Category is Removable Storage
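As an added example (not from the original post) tying the sections above together, the script below triages an XML export of the Security log, as produced by wevtutil qe Security /f:xml, and flags the audit policy change event (4719), removable storage access (4663 with the Removable Storage task category) and common account management events. The numeric Task value for Removable Storage and the sample events are assumptions labelled in the code.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REMOVABLE_STORAGE_TASK = 12812  # assumed numeric Task value for "Removable Storage"
ACCOUNT_EVENTS = {  # well-known account-management Security event IDs
    4720: "account created", 4725: "account disabled", 4726: "account deleted",
    4728: "added to global group", 4732: "added to local group",
    4740: "account locked out", 4767: "account unlocked",
}

def triage(xml_text):
    """Return (event_id, time, note) for events an investigator should review."""
    # wevtutil qe ... /f:xml prints <Event> elements back to back; wrap them in a root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    hits = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        eid = int(system.find("e:EventID", NS).text)
        task = int(system.find("e:Task", NS).text)
        when = system.find("e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if eid == 4719:
            hits.append((eid, when, f"audit policy changed by {data.get('SubjectUserName')}"))
        elif eid == 4663 and task == REMOVABLE_STORAGE_TASK:
            hits.append((eid, when, f"removable storage access to {data.get('ObjectName')}"))
        elif eid in ACCOUNT_EVENTS:
            hits.append((eid, when, f"{ACCOUNT_EVENTS[eid]}: {data.get('TargetUserName')}"))
    return hits

# Constructed sample export (not real evidence); Task values are illustrative.
SAMPLE = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4719</EventID><Task>13568</Task><TimeCreated SystemTime="2024-01-10T09:15:02Z"/>
 </System><EventData><Data Name="SubjectUserName">alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4663</EventID><Task>12812</Task><TimeCreated SystemTime="2024-01-10T09:16:40Z"/>
 </System><EventData><Data Name="ObjectName">E:\\payroll.xlsx</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4663</EventID><Task>12800</Task><TimeCreated SystemTime="2024-01-10T09:17:01Z"/>
 </System><EventData><Data Name="ObjectName">C:\\Users\\alice\\notes.txt</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>4720</EventID><Task>13824</Task><TimeCreated SystemTime="2024-01-10T09:18:30Z"/>
 </System><EventData><Data Name="TargetUserName">svc_backup</Data></EventData></Event>
"""

if __name__ == "__main__":
    for eid, when, note in triage(SAMPLE):
        print(when, eid, note)
```

The second 4663 event (Task 12800, ordinary file system access) is deliberately skipped, showing why the task category matters when hunting for removable storage access.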
I hope this was helpful, See you next time