Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs

Dec 27, 2015
Page 1: Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs.

Mastering Windows Network Forensics and Investigation

Chapter 12: Windows Event Logs

Page 2

Chapter Topics:

• Event Log Storage

• Using Event Viewer

• Efficient Event Log Parsing

Page 3

Event Log Storage

• Stored in proprietary, binary format

• Not editable/viewable with standard text editor

• Files end in .evt or .evtx depending on Operating System

Page 4

Event Log Storage

• Windows 2000/XP: .evt

• Windows Vista +: .evtx

• Files such as:

– System.evtx

– Application.evtx

– Security.evtx

Page 5

Event Log Storage

• EVT format event logs are stored in:

the %SystemRoot%\System32\config folder, along with the registry hive files

• EVTX format event logs are stored in:

the %SystemRoot%\System32\winevt\Logs folder

Page 6

Event Log Storage

• Application Log – Written to by any application

• System Log – Stores events related to system operation and maintenance

• Security Log – Security related events

• Many other log files can be found from Windows Vista and beyond, but these are the ones of primary importance
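The slides above describe the EVTX container only as "proprietary, binary" and give its on-disk location. The following is an added example, not code from the book or its authors, that walks the publicly documented layout of such a file (the "ElfFile" file header, the 64 KiB "ElfChnk" chunks and the 0x2a2a0000 record framing) and verifies the CRC32 values the format carries, which is the first check an examiner wants when a log copied from %SystemRoot%\System32\winevt\Logs is suspected of having been altered. The sample file is constructed in memory so the script runs offline; its record bodies are placeholder bytes rather than real binary XML, and no real event log is read.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Signatures and fixed sizes from the documented EVTX layout.
FILE_MAGIC, CHUNK_MAGIC, RECORD_MAGIC = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
FILE_HEADER_BLOCK, CHUNK_SIZE, CHUNK_HEADER = 4096, 65536, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - EPOCH_1601
    return (td.days * 86_400_000_000 + td.seconds * 1_000_000 + td.microseconds) * 10


def parse_file_header(buf):
    """First 4096 bytes hold a 128-byte header; its CRC32 covers the first 120 bytes."""
    if buf[:8] != FILE_MAGIC:
        raise ValueError("missing ElfFile signature: not an EVTX file")
    (first_chunk, last_chunk, next_record_id, _header_size, minor, major,
     _block_size, num_chunks) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    if zlib.crc32(buf[:120]) != checksum:
        raise ValueError("file header CRC32 mismatch")
    return {"first_chunk": first_chunk, "last_chunk": last_chunk,
            "next_record_id": next_record_id, "version": (major, minor),
            "num_chunks": num_chunks, "flags": flags}


def parse_chunk(chunk):
    """One 64 KiB chunk: 512-byte header, then records up to the free-space offset."""
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("missing ElfChnk signature")
    (_first_num, _last_num, first_id, last_id, _hdr_size, last_rec_off,
     free_off, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    # Header CRC covers bytes 0-119 plus the string/template tables at 128-511.
    if zlib.crc32(chunk[:120] + chunk[128:CHUNK_HEADER]) != header_crc:
        raise ValueError("chunk header CRC32 mismatch")
    # Records CRC covers everything between the header and the free-space offset.
    if zlib.crc32(chunk[CHUNK_HEADER:free_off]) != records_crc:
        raise ValueError("event records CRC32 mismatch: chunk data altered?")
    records, off = [], CHUNK_HEADER
    while off < free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            raise ValueError("record size trailer mismatch")
        records.append({"id": rec_id, "written": filetime_to_datetime(written),
                        "body": chunk[off + 24:off + size - 4]})   # body = binary XML
        off += size
    return {"first_record_id": first_id, "last_record_id": last_id,
            "last_record_offset": last_rec_off, "records": records}


def parse_evtx(buf):
    header = parse_file_header(buf)
    chunks = []
    for i in range(header["num_chunks"]):
        start = FILE_HEADER_BLOCK + i * CHUNK_SIZE
        chunks.append(parse_chunk(buf[start:start + CHUNK_SIZE]))
    return {"header": header, "chunks": chunks}


# Constructed sample data: three records with placeholder (non binary-XML) bodies.
SAMPLE_WRITTEN = [datetime(2015, 12, 27, 10, 15, s, tzinfo=timezone.utc) for s in (30, 31, 45)]
SAMPLE_BODIES = [b"<placeholder-binxml %d>" % i for i in (1, 2, 3)]


def build_sample_evtx(written=SAMPLE_WRITTEN, bodies=SAMPLE_BODIES):
    """Assemble a one-chunk EVTX image with valid checksums (constructed, not a real log)."""
    recs = []
    for n, (dt, body) in enumerate(zip(written, bodies), start=1):
        size = 24 + len(body) + 4
        recs.append(RECORD_MAGIC + struct.pack("<IQQ", size, n, datetime_to_filetime(dt))
                    + body + struct.pack("<I", size))
    records, n = b"".join(recs), len(recs)
    free_off = CHUNK_HEADER + len(records)
    head = (CHUNK_MAGIC + struct.pack("<QQQQIIII", 1, n, 1, n, 128, free_off - len(recs[-1]),
                                      free_off, zlib.crc32(records))).ljust(120, b"\x00")
    tables = b"\x00" * (CHUNK_HEADER - 128)           # string/template tables, left empty
    chunk_hdr = head + struct.pack("<II", 0, zlib.crc32(head + tables)) + tables
    chunk = (chunk_hdr + records).ljust(CHUNK_SIZE, b"\x00")
    fh = (FILE_MAGIC + struct.pack("<QQQIHHHH", 0, 0, n + 1, 128, 1, 3,
                                    FILE_HEADER_BLOCK, 1)).ljust(120, b"\x00")
    fh += struct.pack("<II", 0, zlib.crc32(fh))
    return fh.ljust(FILE_HEADER_BLOCK, b"\x00") + chunk


if __name__ == "__main__":
    parsed = parse_evtx(build_sample_evtx())
    for rec in parsed["chunks"][0]["records"]:
        print(rec["id"], rec["written"].isoformat(), len(rec["body"]), "body bytes")
```

Decoding the binary XML inside each record is deliberately left out; a production parser (libevtx, python-evtx) handles that, but the framing and checksums above are what tell you whether the file you were handed is intact before any tool renders its contents.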

Page 7

Event Viewer

• Microsoft provided tool for reading .evt/.evtx files

• GUI based

• Menus are context sensitive, changing based on the part of Event Viewer that is in focus

• Layout is different between Windows XP and Vista+

Page 8

Event Viewer – Windows XP

Page 9

Event Viewer – Windows XP

• Double clicking on a log entry brings up its properties, revealing the detailed description

Page 10

Event Viewer – Windows Vista+

Page 11

Event Viewer – Windows Vista+

• Double clicking on a log entry brings up its properties, revealing the detailed description

Page 12

Event Log Parsing

• Learning to efficiently parse event logs is vital

• Focus on Event IDs, the numbers given to particular events that indicate what is being recorded

• Use the Filter feature to focus your search, and use Find to search within the filtered results

Page 13

Event Log Parsing

• Filter can reduce your view based on event type, Event ID, date and time range, etc.

• Find can search within the Description field and will search forward or backward for the next occurrence of a particular string
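Pages 12 and 13 describe the two operations an examiner leans on in Event Viewer: Filter (by Event ID, type and time range) and Find (next occurrence of a string in the Description, forward or backward). The following added example, not code from the book or its authors, implements both over records in the shape of Event Viewer's XML view so the same triage can be scripted. The four records are constructed sample data (host name, user names, addresses and timestamps are made up); the Event IDs 4624, 4625, 4688 and 4634 are the standard Security log IDs for logon, failed logon, process creation and logoff, and searching the EventData values stands in for Event Viewer's rendered Description, which is built from those values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_KEYWORD = 0x0010000000000000   # Security log keyword bit for "Audit Failure"


def _sample(record_id, event_id, keywords, system_time, data):
    """One record in the shape of Event Viewer's XML view (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Level>0</Level><Keywords>{keywords}</Keywords>'
            f'<TimeCreated SystemTime="{system_time}"/><EventRecordID>{record_id}</EventRecordID>'
            '<Channel>Security</Channel><Computer>ws01.example.test</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_XML = [
    _sample(101, 4624, "0x8020000000000000", "2015-12-27T10:15:30.1234567Z",
            {"TargetUserName": "alice", "LogonType": "10", "IpAddress": "198.51.100.23"}),
    _sample(102, 4625, "0x8010000000000000", "2015-12-27T10:16:02.0000000Z",
            {"TargetUserName": "bob", "LogonType": "3", "IpAddress": "203.0.113.7"}),
    _sample(103, 4688, "0x8020000000000000", "2015-12-27T10:17:45.5000000Z",
            {"SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\cmd.exe"}),
    _sample(104, 4634, "0x8020000000000000", "2015-12-27T11:02:10.0000000Z",
            {"TargetUserName": "alice", "LogonType": "10"}),
]


def parse_system_time(s):
    """SystemTime has 100 ns precision and a trailing Z; keep microsecond precision."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    sysel = root.find("e:System", NS)
    keywords = int(sysel.findtext("e:Keywords", namespaces=NS), 16)
    return {
        "record_id": int(sysel.findtext("e:EventRecordID", namespaces=NS)),
        "event_id": int(sysel.findtext("e:EventID", namespaces=NS)),
        "level": int(sysel.findtext("e:Level", namespaces=NS)),
        "channel": sysel.findtext("e:Channel", namespaces=NS),
        "computer": sysel.findtext("e:Computer", namespaces=NS),
        "time": parse_system_time(sysel.find("e:TimeCreated", NS).get("SystemTime")),
        "failure": bool(keywords & AUDIT_FAILURE_KEYWORD),
        # EventData values are what Event Viewer renders into the Description.
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


def load_sample_events():
    return [parse_event(x) for x in SAMPLE_XML]


def filter_events(events, event_ids=None, start=None, end=None, failures_only=False):
    """Event Viewer's Filter: keep records matching an ID set, a [start, end) window and outcome."""
    out = []
    for ev in events:
        if event_ids is not None and ev["event_id"] not in event_ids:
            continue
        if start is not None and ev["time"] < start:
            continue
        if end is not None and ev["time"] >= end:
            continue
        if failures_only and not ev["failure"]:
            continue
        out.append(ev)
    return out


def find_next(events, needle, start_index=0, backward=False):
    """Event Viewer's Find: index of the next record (from start_index, inclusive) whose
    description fields contain needle, scanning forward or backward; None if absent."""
    needle = needle.lower()
    order = range(start_index, -1, -1) if backward else range(start_index, len(events))
    for i in order:
        if any(needle in v.lower() for v in events[i]["data"].values()):
            return i
    return None


if __name__ == "__main__":
    events = load_sample_events()
    for ev in filter_events(events, event_ids={4624, 4625}):
        print(ev["record_id"], ev["event_id"], ev["time"].isoformat(), ev["data"])
    print("first record mentioning cmd.exe:", find_next(events, "cmd.exe"))
```

Filtering by Event ID first and then running Find inside the reduced set is the same order of operations the slides recommend; doing it in code also makes the time window explicit, which matters when logs from several hosts with different clock settings are being correlated.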

Page 14

Event Log Parsing

• If your analysis system is connected to the Internet, the built-in Help and Support Center link on the Properties page of each event entry provides additional information about the meaning of most Event Log entries.

Page 15

Event Log Parsing

• Many other log parsers, some arguably better than Event Viewer, are available for low or no cost

• If there is a large volume of logs to review, consider tools such as Splunk for initial processing