PUCIT:404 Computer Forensics
A. Gyasi-Agyei
Lecture 6: Windows Forensics II

Aim of lecture
This lecture presents the various log files that a forensic investigator can study to find, on a computer under investigation:
– the possibility of occurrence of activities
– what type of activities, if any, have occurred
A logfile (or simply log) is a file that records either the events which happen while an operating system or other software runs, or the personal messages between different users of a communication software. The act of keeping a logfile is called logging. In the simplest case, log messages are written to a single log file.

Lecture Objectives
1. Understanding event logs
2. Understanding other audit events
3. Understanding forensic analysis of event logs
4. Understanding Windows password issues
5. Describe some popular Windows forensic analysis tools

What is an audit trail?
Computer forensics involves the audit trail of the systems investigated.
An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event.

What are events?
Any occurrence that the operating system (OS) or a program wants to keep track of or alert the user about.
Examples of events are:
– User logging onto a computer
– User logging off a computer
The OS logs each event.
Methods of logging events by the OS:
– Some events are logged automatically by default
– Other events are logged based on the audit configuration in the PolAdEvt registry key

Event Logs
Event logs are special files that record significant events on a computer, such as:
– when a user logs onto the computer
– when a program crashes
– when a program starts
The operating system records a ‘special’ event in an event log that can be read using Event Viewer.
Details in event logs can be helpful when troubleshooting problems with operating systems and other programs.

Examples of Windows Event Logs
– Application (program) events
– Setup events
– Forwarded events
– Security-related events
– System events
– Domain Controller events
  – File Replication event logs
  – Directory Service event logs
– Domain Name Server event logs
  – DNS event logs

Application (program) event logs
Depending on the severity of the event, application (program) events are classified as:
– Error
– Warning
– Information
An error event is a significant problem, such as loss of data.
A warning event is an event that is not necessarily significant, but might indicate a possible future problem.
An information event describes the successful operation of a program, driver, or service.

System events log
System events are logged by Windows and Windows system services.
Like application events, they are classified as error, warning, or information.

Setup event logs
A domain is a Windows concept through which a user may be granted access to a number of computer resources using the same username and password combination.
On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.).
Computers that are configured as domain controllers will have additional logs displayed here.

Forwarded events log
The forwarded events log contains events sent or forwarded from other computers.

Security-related events log
Security-related events are called audits.
They are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful or not.
Example: when you mistype your login password the system denies access. Such a denial triggers a security-related event, which is logged.

DNS Event Logs

Domain Controller event logs
Domain controllers have these logs:
– File Replication event logs
– Directory Service event logs

Event Viewer
We said earlier that events logged by the operating system can be viewed on Windows using Event Viewer.
How do we access the Windows Event Viewer?

Accessing Windows 7 Event Viewer
• Click on the Windows Start button
• Click Control Panel
• Click System and Security
• Click Administrative Tools
• Double-click Event Viewer
• Double-click Windows/Events Logs
To view the details of an event, double-click it.

Windows 7 Event Viewer
(screenshot of the Event Viewer window)

Event log format
The Windows event log is stored in a binary format with distinct, recognizable features that can help the investigator recognize and interpret event log files or event records on a system, either in files or located in unallocated space.
Each event log comprises:
– a header section
– a series of records
The event log is kept in a circular buffer to allow getting rid of records of older events as new ones are added.
Structure of event log header
Basic features of the event log header:
– The first 48 bytes of a valid event log file
– Consists of 12 distinct DWORD values
Event record structure (see Page 5-3 of the CHFI book):
– Basic size of the record header is 56 bytes

An application program event log
(screenshot of an application event record)

IIS Logs
Microsoft Internet Information Services (IIS), formerly Internet Information Server, is a popular Web server platform.
A good way to uncover attempts to compromise an IIS server, or to view the details of a successful exploit, is to examine the directory %WinDir%\System32\LogFiles.
A scripting language can be used to open the files in each subfolder and search them during investigations.

Virtual Servers in IIS
1. Open Windows Explorer
2. In the address bar type %WinDir%\System32\LogFiles
3. Press Enter

How to activate IIS
Before that you have to enable IIS on Windows:
1. Start > Control Panel > Programs
2. Turn Windows features on or off
3. Check the IIS services (4th and 5th checkbox)
4. Click OK
5. Restart the system

Parsing Windows Firewall Logs
When logging is enabled, Windows Firewall logs are kept in %SystemRoot%\pfirewall.log.
Data is stored in the file objects.data, which is located in C:\Windows\System32\wbem\Repository\.
When the Windows Firewall log is open in a text editor we can see the header at the top. This header describes:
– the software, version, time format, and other fields

Tasks
Study the header of the basic event log of the operating system on your laptop/computer. Note the type of OS.
Analyze the log files of:
– DHCP Server
– Windows Firewall

What is account auditing?
Whenever you are connected to the Internet, you are at risk. Anyone can try to access your system and, if enhanced security is not implemented, the hacker can steal your confidential data.
Account Auditing lets you see who may be trying to break into your account.
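The IIS slides and the firewall slide above both describe logs written in the W3C extended text format, whose "#Fields:" header line names the columns, and the IIS slide suggests scripting over the LogFiles subfolders. The Python below is an added example for this lecture, not code from the lecture, the CHFI book or Microsoft: it parses that header-driven format once and applies it to constructed sample lines from a pfirewall.log and from an IIS site log, then walks a directory tree the way the IIS slide suggests. The sample lines and IP addresses, the function names and the triage thresholds (three distinct ports within 60 seconds) are all assumptions made for the example, not values from the lecture.

```python
"""Parse W3C extended-format logs (Windows Firewall pfirewall.log and IIS site logs share the
'#Fields:' header convention) and run simple triage checks over the rows.
Added example for this lecture; all sample lines are constructed, not real captures."""
import os
from collections import Counter
from datetime import datetime

# Constructed sample of a Windows Firewall log: the '#' header lines name the software,
# version, time format and the column layout; every data line follows the #Fields order.
SAMPLE_FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-01-01 10:00:01 DROP TCP 192.168.1.77 192.168.1.10 51000 445 48 S 1001 0 8192 - - - RECEIVE
2010-01-01 10:00:01 DROP TCP 192.168.1.77 192.168.1.10 51001 139 48 S 1002 0 8192 - - - RECEIVE
2010-01-01 10:00:02 DROP TCP 192.168.1.77 192.168.1.10 51002 3389 48 S 1003 0 8192 - - - RECEIVE
2010-01-01 10:00:05 ALLOW TCP 192.168.1.10 93.184.216.34 52000 443 0 - 0 0 0 - - - SEND
2010-01-01 10:00:09 DROP UDP 10.0.0.9 192.168.1.10 5353 5353 120 - - - - - - - RECEIVE
"""

# Constructed sample of an IIS site log (IIS writes '+' instead of spaces inside field values,
# so splitting on whitespace is safe).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2010-01-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-01-01 10:00:00 192.168.1.10 GET /index.htm - 80 - 10.0.0.5 Mozilla/5.0 200 0 0
2010-01-01 10:00:03 192.168.1.10 GET /admin/ - 80 - 10.0.0.5 Mozilla/5.0 401 2 5
2010-01-01 10:00:04 192.168.1.10 GET /admin/ - 80 - 10.0.0.5 Mozilla/5.0 401 2 5
2010-01-01 10:00:06 192.168.1.10 GET /images/logo.png - 80 - 10.0.0.6 Mozilla/5.0 200 0 0
"""


def parse_w3c_log(text):
    """Return (header, rows): header maps '#Key' lines to values, rows are dicts keyed by #Fields names."""
    header, fields, rows = {}, None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields":
                fields = value.split()  # IIS emits a new #Fields line whenever the layout changes
            continue
        if fields is None:
            raise ValueError("data line found before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip it rather than misalign the columns
        rows.append(dict(zip(fields, values)))
    return header, rows


def dropped_by_source(rows):
    """Count firewall DROP entries per source IP, busiest first."""
    return Counter(r["src-ip"] for r in rows if r["action"] == "DROP").most_common()


def port_sweep_sources(rows, min_ports=3, window_seconds=60):
    """Sources whose inbound DROPs touched at least min_ports distinct destination ports
    within window_seconds; returns {src-ip: sorted ports}. Thresholds are arbitrary."""
    by_src = {}
    for r in rows:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        by_src.setdefault(r["src-ip"], []).append((ts, r["dst-port"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports, key=int)
                break
    return flagged


def failed_requests_by_client(rows):
    """Count IIS requests that ended in a 4xx/5xx status, per client IP."""
    return Counter(r["c-ip"] for r in rows if r["sc-status"][0] in "45").most_common()


def walk_logs(root):
    """Yield (path, header, rows) for every .log file under root, e.g. %WinDir%\\System32\\LogFiles."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".log"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    header, rows = parse_w3c_log(fh.read())
                yield path, header, rows


if __name__ == "__main__":
    header, rows = parse_w3c_log(SAMPLE_FIREWALL_LOG)
    print(header["Software"], header["Version"], header["Time Format"])
    print("drops per source:", dropped_by_source(rows))
    print("possible port sweeps:", port_sweep_sources(rows))
    _, iis_rows = parse_w3c_log(SAMPLE_IIS_LOG)
    print("failed IIS requests per client:", failed_requests_by_client(iis_rows))
```

Because the column names come from the "#Fields:" line rather than from hard-coded positions, the same parser copes with IIS logs whose layout was changed mid-file (IIS writes a fresh "#Fields:" line in that case) and with lines that were cut short when the log was copied.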
If you have enabled the Account Auditing settings, then such events are logged in the system and you can view these log files at any time to see whether someone is accessing your system or not.

Examining audit-policy change events
Attackers on a system often attempt to disable auditing.
Modifications to the audit policy are recorded as event ID 612.
A computer forensics investigator can deduce what changes have been made by looking at event ID 612 entries and comparing the old and new policies.
As the audit policy of a domain controller has precedence over the local audit policy on individual computers, attackers have a difficult task in completely disabling auditing.

How do we enable Account Auditing settings?
1. Click on the Windows Start button and type secpol.msc
2. Hit Enter; the Local Security Policy window opens
3. Navigate to: Local Policies > Audit Policy
4. Right-click on the "Audit account logon events" policy
5. Choose Properties

Examining system log entries
The system event log records events relating to system behaviour, e.g.:
– Operating system changes
– Hardware configuration changes
– Starting and stopping of services
– Installation of device drivers
The Service Control Manager sends a message with event ID 7035 to the System event log whenever a service is stopped.

Examining application log entries
The application event log contains messages from both the operating system and various programs, e.g.:
– Desktop application programs like MS Word
– Antivirus and security software, including scanning activities and discovery of malware
Users can use the Microsoft program logevent.exe to send customized messages.
Virtual Network Computing (VNC) and Windows Remote Desktop allow remote connections.
The VNC application records connections to the VNC server, including source IP and port number, in the application log.

Windows Event Log File Internals
Windows event log files are essentially databases, with the records related to the:
– System: SysEvent.evt
– Security: SecEvent.evt
– Applications: AppEvent.evt
These event log files are stored in the folder %SystemRoot%\system32\config.
NOTE: EVT is the file extension for log files used by Windows Event Viewer.

What is Windows Event Log Parser?
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as:
– log files, XML files and CSV files
as well as key data sources on the Windows® operating system such as:
– the Event Log,
– the Registry,
– the file system, and
– Active Directory®

Popular Windows forensic analysis tools: Word Extractor
Word Extractor is a hacking tool that extracts human-understandable words from binary computer files:
– Binary files → human-understandable words
A hacker can use this tool to attempt to find hidden text or passwords in a file.
Features of Word Extractor:
– Supports drag and drop and text wrapping
– Saves results as text or RTF files
– Replaces non-human words with spaces or dots for better visibility
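The sizes given on the event log header slide (a 48-byte header of 12 DWORDs, a 56-byte record header) and the .evt files listed under Windows Event Log File Internals can be checked directly in code. The script below is an added example written for this lecture, not code from the CHFI book or from Microsoft: it builds a small constructed .evt image, decodes its header, and carves records by their "LfLe" signature, so that an orphaned record sitting in filler bytes (standing in for unallocated space) is recovered even though the file header knows nothing about it. The field names, the sample event IDs and strings, and the filler layout are assumptions made for the example.

```python
"""Parse the pre-Vista .evt layout from the lecture: a 48-byte file header of 12 DWORDs,
then records whose fixed part is 56 bytes, each marked by the 'LfLe' signature.
Added example for this lecture, not the CHFI book's code; every byte parsed here is
constructed by build_record()/build_file(), so the values are sample data."""
import struct
from datetime import datetime, timezone

EVT_SIGNATURE = b"LfLe"          # stored in the file as the little-endian DWORD 0x654C664C
HEADER_FMT = "<12I"              # 12 little-endian DWORDs = 48 bytes
HEADER_FIELDS = ("header_size", "signature", "major_version", "minor_version", "start_offset",
                 "end_offset", "current_record_number", "oldest_record_number", "max_size",
                 "flags", "retention", "end_header_size")
RECORD_FMT = "<6I4H6I"           # fixed part of one event record = 56 bytes
RECORD_FIELDS = ("length", "signature", "record_number", "time_generated", "time_written",
                 "event_id", "event_type", "num_strings", "event_category", "reserved_flags",
                 "closing_record_number", "string_offset", "user_sid_length", "user_sid_offset",
                 "data_length", "data_offset")
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}


def parse_header(data):
    """Decode the 48-byte file header and check its size fields and 'LfLe' signature."""
    if len(data) < 48 or data[4:8] != EVT_SIGNATURE:
        raise ValueError("not a .evt header")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))
    if header["header_size"] != 48 or header["end_header_size"] != 48:
        raise ValueError("unexpected header size")
    return header


def read_strings(data, offset, count, limit):
    """Read count NUL-terminated UTF-16LE strings starting at offset, never past limit."""
    out, pos = [], offset
    for _ in range(count):
        end = pos
        while end + 2 <= limit and data[end:end + 2] != b"\x00\x00":
            end += 2
        out.append(data[pos:end].decode("utf-16-le", errors="replace"))
        pos = end + 2
    return out


def carve_records(data):
    """Find every plausible record by its 'LfLe' signature. This also works on raw disk or
    unallocated space because it does not rely on the file header's offsets."""
    records, pos = [], data.find(EVT_SIGNATURE)
    while pos != -1:
        start = pos - 4                      # the length DWORD precedes the signature
        if start >= 0 and start + 56 <= len(data):
            rec = dict(zip(RECORD_FIELDS, struct.unpack_from(RECORD_FMT, data, start)))
            end = start + rec["length"]
            # A genuine record repeats its length as the final DWORD. The file header also
            # carries 'LfLe', but its length (48) fails the 56-byte minimum, so it is skipped.
            if (rec["length"] >= 56 and end <= len(data)
                    and struct.unpack_from("<I", data, end - 4)[0] == rec["length"]):
                rec["offset"] = start
                rec["event_type_name"] = EVENT_TYPES.get(rec["event_type"], "Unknown")
                rec["time_generated"] = datetime.fromtimestamp(
                    rec["time_generated"], timezone.utc).isoformat()
                rec["strings"] = read_strings(data, start + rec["string_offset"],
                                              rec["num_strings"], end - 4)
                records.append(rec)
        pos = data.find(EVT_SIGNATURE, pos + 4)
    return records


def build_record(record_number, event_id, event_type, source, computer, strings, timestamp):
    """Constructed test data: one record with source/computer names and strings, no SID, no binary data."""
    body = (source + "\0").encode("utf-16-le") + (computer + "\0").encode("utf-16-le")
    string_offset = 56 + len(body)
    body += b"".join((s + "\0").encode("utf-16-le") for s in strings)
    length = 56 + len(body) + 4
    fixed = struct.pack(RECORD_FMT, length, 0x654C664C, record_number, timestamp, timestamp,
                        event_id, event_type, len(strings), 0, 0, 0, string_offset, 0, 0, 0, 0)
    return fixed + body + struct.pack("<I", length)


def build_file(records):
    """Constructed test data: header + records + the 40-byte end-of-file marker record."""
    body = b"".join(records)
    end_offset = 48 + len(body)
    header = struct.pack(HEADER_FMT, 48, 0x654C664C, 1, 1, 48, end_offset,
                         len(records) + 1, 1, 0x80000, 0, 0, 48)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      48, end_offset, len(records) + 1, 1, 0x28)
    return header + body + eof


def sample_image():
    """A .evt file followed by filler bytes and one orphaned record, mimicking unallocated space."""
    r1 = build_record(1, 612, 8, "Security", "WS01", ["Audit Policy Change"], 1262304000)
    r2 = build_record(2, 7035, 4, "Service Control Manager", "WS01", ["Windows Firewall", "stop"], 1262304060)
    orphan = build_record(9, 529, 16, "Security", "WS01", ["jdoe"], 1262390400)
    return build_file([r1, r2]) + b"\xcc" * 64 + orphan + b"\xcc" * 16


if __name__ == "__main__":
    image = sample_image()
    print(parse_header(image))
    for rec in carve_records(image):
        print(rec["offset"], rec["record_number"], rec["event_id"], rec["event_type_name"],
              rec["time_generated"], rec["strings"])
```

The trailing-length check is what makes signature carving usable on a disk image: random data that happens to contain "LfLe" almost never also repeats a sensible length at the right place, so the carver can be pointed at unallocated clusters as well as at SysEvent.evt, SecEvent.evt and AppEvent.evt themselves.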
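To show what a word extractor actually does with a binary file, the Python below is an added example for this lecture, not Word Extractor's own code: it pulls out runs of printable ASCII and of UTF-16LE (the encoding Windows uses for most stored strings), offers the dots view the slide mentions, and searches for a keyword in both encodings, which is what an investigator looking for a known name or setting in a file needs. SAMPLE_BLOB, its contents and the function names are constructed for the example.

```python
"""Extract human-readable words from binary data, as the lecture's Word Extractor does.
Added example for this lecture, not the tool's code; SAMPLE_BLOB is constructed, not a real binary."""
import re

# Constructed sample: a fake executable stub, one ASCII message, one UTF-16LE setting, and noise.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00"
               + b"This program cannot be run in DOS mode" + b"\x00\x00"
               + "ConfigPath=C:\\lab\\settings.ini".encode("utf-16-le") + b"\x00\x00"
               + b"\x7f\x80\xff" + b"ok" + b"\x00")


def extract_words(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len characters.
    Short runs such as 'MZ' or 'ok' are dropped, which is what keeps the output readable."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def dots_view(data):
    """Render bytes with every non-printable byte shown as '.', keeping offsets aligned."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in data)


def find_keyword(data, keyword):
    """Offsets at which keyword occurs in ASCII or UTF-16LE, case-insensitively."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = re.escape(keyword.encode(encoding))
        hits.extend((m.start(), encoding) for m in re.finditer(needle, data, re.IGNORECASE))
    return sorted(hits)


if __name__ == "__main__":
    for offset, encoding, text in extract_words(SAMPLE_BLOB):
        print(f"{offset:6d} {encoding:9s} {text}")
    print(dots_view(SAMPLE_BLOB[:16]))
    print(find_keyword(SAMPLE_BLOB, "configpath"))
```

Scanning for UTF-16LE runs separately matters on Windows: a file name or registry value stored by a Windows program will not show up in an ASCII-only scan at all, because every other byte is a NUL.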