File Analysis
Chapter 5 – Harlan Carvey

Agenda
• Event Logs
• File Metadata

Event Logs

Logging Events
• Events
• Logging Events
• Event Log Format
• Event Record Structure
• Various Logs

Usual Event Logs
• Application
  • Log of application errors, warnings and information
• Security
  • Dropped packets, successful connections
  • Logon/Logoffs
• System
  • Various device events

Registry References - XP

Windows 7

Location of logs

Event Log Location - XP

Event Log Location Vista, Win7
• C:\Windows\System32\winevt\Logs

Location of Event Logs

App & System Logging
• On by default
• Log size is 512 KB by default
• Written by the application

Security Logging - XP
• Not on by default
• Log size is 512 KB by default
• Control Panel -> Admin Tools -> Local Security Policy

Security Logging Windows 7

Log Viewer
• Event Viewer
  • Control Panel -> Administrative Tools -> Event Viewer
  • Application, Security and System logs available
• Event Properties
  • DTG of the event
  • Important for some timelines

App Log

System Log

Security Log Success

Security Log Failure

Windows 7 Event Viewer
• Convenient and pretty
• Works only on live systems
• Does not work on a forensics image
• We have to parse the event logs

Event Logs
• Binary structure
  • Header and a series of records
• Event ID formats
  • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
• Application logs are vendor specific
  • EventID.net is a good source for this info - $$$
  • blogs.msdn.com/ericfiz/default.aspx
  • www.microsoft.com/technet/support/ee/ee_advanced.aspx

Event Log Configuration XP
• Held in registry keys

Windows 7 Registry Viewer
• Event message

Event Log File Format
• XP only
  • Event Log Header – 12 DWORD values
  • Event Records – variable length
• Windows 7 & Vista
  • http://www.dfrws.org/2007/proceedings/p65-schuster.pdf
  • http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf

Event Log Header Structure

Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file of the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the registry)
40      4 bytes  Retention time of event records (from the registry)
44      4 bytes  Size of the record (repeat of the first DWORD)

Event Record Structure

Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
8       4 bytes  Record number
12      4 bytes  Time generated
16      4 bytes  Time written
20      4 bytes  Event ID – locates message file/dll/exe
24      2 bytes  Event type (0x01 = Error, 0x10 = Failure, 0x08 = Success, 0x04 = Info, 0x02 = Warning)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset
40      4 bytes  Length of user SID
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to data

Carvey's Help
• Best not to depend on the Windows API to read the Event files
  • They can be corrupted
  • May miss the next to be overwritten
• Provides summary stats
• Provides output readable in Excel

evtstats.exe
• Lots of events

lsevt.exe
• Entry for each of the 2464 Event Records

lsevt2.exe
• Entry for each of the 2464 Event Records
• Puts it into an Excel readable format
• lsevt –f event_file –c > save_file.csv

Excel – Open .csv file
• Change Format
• Choose Delimited
• Identify Separators
• Harlan's stuff is separated by semicolons. With Perl knowledge you could change it.

Excel
• Manipulable information

Other Logs
• IE Browsing History
• Set Up
• XP Firewall
• Recycle Bin
• Shortcut Files

IE Browsing History
• Index.dat files
• DiscoverPro
• NetAnalysis
• Index dat spy
• SuperWinSpy
• Be careful !!!
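The record layout from the Event Record Structure table, read straight from the bytes the way Carvey's tools do rather than through the Windows API. This is an added example, not code from the slides or from lsevt; it assumes the source and computer name strings that sit between the fixed prefix and the SID (part of the .evt format but omitted from the table), and the sample log bytes are constructed here.

```python
import struct
from datetime import datetime, timezone
FMT = "<I4sIIIIHHHHIIIIII"   # fixed record prefix: offsets 0..52 of the Event Record table
PREFIX = struct.calcsize(FMT)  # 56 bytes
TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}
u16 = lambda s: s.encode("utf-16-le") + b"\0\0"   # NUL-terminated UTF-16LE string

def build_record(rec_no, event_id, etype, strings, source="Security", computer="PC1", sid=b""):
    """Constructed test record; source/computer names after the prefix are an assumption."""
    names = u16(source) + u16(computer)
    sid_off = PREFIX + len(names)
    body = names + sid + b"".join(u16(s) for s in strings)
    length = PREFIX + len(body) + 4                     # +4: trailing copy of the length
    t = 1136073600                                      # constructed: 2006-01-01 00:00 UTC
    hdr = struct.pack(FMT, length, b"LfLe", rec_no, t, t, event_id, etype, len(strings),
                      0, 0, 0, sid_off + len(sid), len(sid), sid_off, 0, PREFIX + len(body))
    return hdr + body + struct.pack("<I", length)

def parse_record(buf, off=0):
    """Decode the record at buf[off:] from the raw bytes, without the Windows API."""
    (length, magic, rec_no, t_gen, _tw, eid, etype, n_str, cat, _fl, _cl,
     str_off, sid_len, sid_off, _dl, _do) = struct.unpack_from(FMT, buf, off)
    end = off + length
    # LfLe and the trailing length copy must both check out, else the record is truncated
    # or partly overwritten, exactly the case where reading through the API misleads you.
    if magic != b"LfLe" or end > len(buf) or buf[end - 4:end] != struct.pack("<I", length):
        raise ValueError(f"corrupt record at offset {off}")
    strings, pos = [], off + str_off
    for _ in range(n_str):
        # scan in 2-byte steps so a 00 straddling two UTF-16 units is not taken as the NUL
        stop = next(i for i in range(pos, end, 2) if buf[i:i + 2] == b"\0\0")
        strings.append(buf[pos:stop].decode("utf-16-le"))
        pos = stop + 2
    return {"record": rec_no, "event_code": eid & 0xFFFF,   # low word is the ID you look up
            "type": TYPES.get(etype, hex(etype)), "category": cat, "strings": strings,
            "time_generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
            "sid": buf[off + sid_off:off + sid_off + sid_len], "next": end}

def iter_records(evt):
    """Walk the records after the 0x30-byte file header until the LfLe chain breaks."""
    if evt[:8] != struct.pack("<I4s", 0x30, b"LfLe"):
        raise ValueError("not an .evt header")
    off, out = 0x30, []
    while evt[off + 4:off + 8] == b"LfLe":
        out.append(parse_record(evt, off))
        off = out[-1]["next"]
    return out

# Constructed sample log: 0x30-byte header (size, LfLe, ..., size again) and two records.
SAMPLE = (struct.pack("<I4s", 0x30, b"LfLe") + b"\0" * 36 + struct.pack("<I", 0x30)
          + build_record(1, 528, 8, ["Administrator", "WORKSTATION", "(0x0,0x3E7)", "2"])
          + build_record(2, 529, 16, ["guest", "WORKSTATION", "(0x0,0x3E7)", "2"]))
```

Running iter_records over a real .evt image stops at the first record whose magic or trailing length is wrong, which is where to start looking for the partly overwritten records the slides warn about.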
NetAnalysis

Set Up Logs
• Setuplog.txt
• Setupact.log
• SetupAPI.log
• Netsetup.log

Setuplog.txt   C:\WINDOWS
Setupact.log   C:\WINDOWS
SetupAPI.log   C:\WINDOWS
NetSetup.log   C:\Windows\Debug

Task Scheduler Log
• SchedLgU.txt

Enabling Firewall Logging
• Control Panel -> Security Center -> Windows Firewall -> Advanced
• Follow your nose

Firewall Log
• C:\WINDOWS\pfirewall.log

Recycle Bin
• C:\RECYCLER
• Each user gets his own folder
  • Use the user's SID
• Each has its own INFO2 file

Recycle Bin
• recbin.exe

INFO2 File Structure
• Header
  • 16 bytes
  • Final 4 bytes (DWORD) is the size of each record: 0x320 (little endian) = 800 bytes
• Records
  • Record # at offset 264 within the record
  • Drive designator at offset 268: 2 = C:\, 3 = D:\, etc.
  • File size in clusters at offset 280

Open INFO2 in WinHex
• Very hard
• File -> Open
• Navigate to C:\RECYCLER
• Open it
• Select a SID file
• Open it
• It may say you don't have privileges
• Type \INFO2
• Try again! Maybe

INFO2 Record Size
• Record size 0x00320 = 800 (decimal)
• Size in clusters 0x0001
• Drive indicator 0x0002

File Metadata

MAC Times

OS - OS       Action  From  To    Create time  Modification time
FAT to FAT    Copy    C:\   C:\   Updated      Unchanged
FAT to FAT    Move    C:\   C:\   Unchanged    Unchanged
FAT to NTFS   Copy                Updated      Unchanged
FAT to NTFS   Move                Unchanged    Unchanged
NTFS to NTFS  Copy    C:\   C:\   Updated      Unchanged
NTFS to NTFS  Move    C:\   C:\   Unchanged    Unchanged

Word Documents
• Document location
• Statistics
• Magic number
• Version and language
• Last 10 authors
• MACPS times
  • Modified, accessed, created, printed, saved

MergeStreams
• Insert a spreadsheet into a Word document
• Call it .doc – you see the Word document
• Call it .xls – you see the spreadsheet
• All sorts of uses
  • Smuggling out forecasts
  • Sharing pictures on the corporate server

PDF Files
• Similar metadata as Word docs
• Easily accessed
• File -> Properties

Image Files
• exif data

Original photo off of the camera

After Photoshop manipulation

Tweet Metadata

ADS – Alternate Data Streams
• Native to NTFS
• Permits a data file to contain scripts or executable code
• No NT native tools to detect them
• Native tools to create and launch them