An Analysis of Microsoft Event Logs

AN ANALYSIS OF MICROSOFT EVENT LOGS
by
Michelle D. Mullinix
A Capstone Project Submitted to the Faculty of
Utica College
December 2013
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Cybersecurity
© Copyright 2013 by Michelle D. Mullinix
All Rights Reserved
Abstract
Microsoft Windows event logs are central to conducting an investigation when determining
whether or not a virus has been installed on a targeted system. However, there was very little
substantial research about Windows event logs and how they are used in conducting an
investigation. This research explores forensic artifacts recovered during an investigation to
determine whether virus activity may be involved. The research describes the relevance of the
event logs and discusses various techniques used for investigators to collect and examine the
logs. Three viruses, Fizzer, Zeus, and MyDoom, were installed and run in virtual machines to
determine what events would populate the logs. This research also explains best practices
regarding the use of Windows event logs in an investigation.
Keywords: Cybersecurity, Professor Christopher Riddell, Professor Cynthia Gonnella, Security, Application, System, Malware.
Acknowledgments
I would like to thank my family for their support by allowing me the time to lock myself away
with this research and throughout the courses for both my Bachelor of Science and my Master
of Science in Cybersecurity. I especially would like to thank Tyrone Mullinix, my best friend
and husband, for not letting me quit at the times that I was frustrated, disillusioned and exhausted
due to such heavy academic and life loads. I would also like to thank Cynthia Gonnella, Vern
McCandlish and Craig Nelson for being my 1st Chair, my 2nd reader and a 3rd Subject Matter
Expert, respectively. Finally, I would like to thank Mark Low, my editor and most importantly,
Utica College for having such an outstanding degree program in Cybersecurity.
Table of Contents
List of Illustrative Materials........................................................................................................... vi
An Analysis of Microsoft Event Logs ............................................................................................ 1
Literature Review............................................................................................................................ 9
Methodology ................................................................................................................................. 14
Key Event IDs ........................................................................................................................... 18
Selected Viruses for Infection ................................................................................................... 20
Fizzer. .................................................................................................................................... 21
Zeus. ...................................................................................................................................... 21
MyDoom. ............................................................................................................................... 22
Processing a Compromised Machine ........................................................................................ 22
Setting up WINSNORT ............................................................................................................ 35
Whitelists and Blacklists ........................................................................................................... 40
Discussion of Findings .................................................................................................................. 41
Future Research Recommendations .............................................................................................. 48
Appendix ....................................................................................................................................... 54
References ..................................................................................................................................... 56
List of Illustrative Materials
Table 1. Windows OS Release Years ............................................................................................ 1
Figure 1. Application and Services Logs ........................................................................................ 7
Figure 2. Event Viewer Prototypes ............................................................................................... 17
Figure 3. Temporary Internet File Locations. ............................................................................... 24
Figure 4. Registry File Tree .......................................................................................................... 25
Figure 5. RunRedLine batch file ................................................................................................... 26
Figure 6. Application Log Event ID 1000 .................................................................................... 29
Figure 7. Zeus Trojan Installation. ................................................................................................ 30
Figure 8. Fizzer Virus Installation. ............................................................................................... 31
Figure 9. Windows Server 2008 x 64’s ........................................................................................ 32
Figure 10. Event Log Viewer after Fizzer installation. ................................................................ 33
Figure 11. Avast virus scan results. .............................................................................................. 34
Figure 12. McAfee blocking the Fizzer virus ............................................................................... 35
Figure 13. Final execution of Snort .............................................................................................. 37
Figure 14. Setup of the IIS Manager in Windows. ....................................................................... 38
Figure 15. Installation of Snort as a Service. ................................................................................ 39
Figure 16. Barnyard2 after reboot ................................................................................................. 40
An Analysis of Microsoft Event Logs
The purpose of this research was to analyze Microsoft Windows event logs for artifacts
that may be pertinent to an investigation. How are investigators using Windows event logs in
forensic investigations? How do investigators approach the various types of breaches when
collecting data from Windows event logs? What are the best practices to analyze Windows event
logs?
The world of Digital Forensics is expanding each day. There are many OSs available for
professionals and casual users to choose from. In 2013 the three main OSs in use on non-tablet computers are Windows, Linux and Mac OS. This research focuses on the Windows OS.
The first version of Windows was Windows 1.0 which was released in 1985 (Microsoft,
2013). Since that time, there have been 8 major new Windows releases. Table 1 lists the Windows
OS versions and their release years.
Table 1
Windows OS Release Years
Windows OS       Release Year
Windows 1.0      1985
Windows 2.0      1987
Windows 3.0      1990
Windows 95       1995
Windows 98       1998
Windows XP       2001
Windows Vista    2006
Windows 7        2009
Windows 8        2012
Note. This table illustrates the various Windows OS versions and when they were released by Microsoft.
Mark Hackman (2013), a staff writer for PC World, reports that according to Net
Applications’ NetMarketshare tracker in June 2013, about 44.37% of computers are using
Windows 7 and another 5.1% are using Windows 8. The newest Windows OS update, Windows
8.1, was released to manufacturers on August 27, 2013 (Endler, 2013). Most businesses and
home users choose Windows-based systems over Macs due to the lower operational and training
costs (Menga, 2008). These statistics indicate that over half of the computers currently used are
Windows-based systems. The number of Windows-based systems in use by businesses and home
users gives criminals a broader range of computers to break into for any type of data theft.
Home users typically do not keep their systems as secure as they should (Byrne, Howe,
Ray, Roberts, & Urbanska, 2012). Programmers often design computer hacking techniques
called "hacks" to test certain scenarios. Regardless of the purpose for which they were designed, organized
cyber criminals who are computer savvy often employ these hacks for nefarious purposes. The
criminals either buy a hack from the author or they find it on a hacking website (Jordan, 1998).
Cyber criminals will break into home user systems in order to build a network to attack a
corporate or government target (Wash, 2010). The resulting network of compromised computers
is called a botnet.
The number of Windows event logs has grown over the years. For instance, prior to
Windows Vista, there were only three main logs in the event viewer, System, Security and
Application. Today there are application specific logs and service logs as well in the main event
viewer. There are an additional 100 plus log files, but this research focused on the main three,
System, Security and Application.
Windows event logs are used to help correlate and prove that certain actions occurred at
certain times and by specific individuals, groups or IP addresses. For instance, Windows Security
event logs can be analyzed to help determine how many failed logon attempts occurred in a
particular time period. They can also be used to identify who logged in by examining Event ID
4624 (Smith, 2013). Cyber attackers use event logs nefariously to determine what is running on a
targeted network so they can take advantage of known threats that have not been patched
(Stuttard, 2008). This research discusses the importance of specific logs when providing facts to
an investigator.
When discussing how event logs will be used during an investigation, it is important to
differentiate between the various types of analysis and forensic practices. Different logs and
methods of collection are necessary depending on the type of investigation or attack defense.
Investigators will perform either a traditional or live analysis of the data stored within a
computer or on a network. The purpose for the collection of the targeted data usually dictates
which type of analysis should be performed. Today, a hybrid of both is expected, because
some important computer processes and data are stored in volatile memory, such as RAM. RAM
requires continuous power, and its contents fade away as soon as the system is shut down. Therefore, they
cannot be collected once systems are shut down (Cummings, 2008).
There are three main types of analysis, traditional, live, and network. Traditional, or
dead-box analysis, includes shutting down the computer and removing the hard drive or other
media from the computer for analysis with another machine (Amari, 2009). Live analysis refers
to the capturing of data while the computer is still running. A live analysis targets data on the
hard drives and attached media, artifacts of the operating system (OS), processes and data stored
in volatile memory, and network traffic coming in or going out of the computer (Amari, 2009).
Investigators often concentrate on the type of data stored in RAM. Since RAM is
volatile and must be analyzed or captured while the machine is operating, a live analysis is
required. RAM is where processes run and where significant data that is not stored elsewhere may be
collected.
Memory forensics is the analysis of RAM that stores data while a machine is running
(Amari, 2009). RAM can be collected using tools such as a Tribble Card, a hardware based tool
(Carrier, 2004). Another memory collection method is to use software tools such as Memdump,
built into the Windows OS or another trusted tool; for example KnTTools (GMG Systems Inc,
2007). KnTTools is one of two winners at the Digital Forensics Research Workshop (DFRWS)
2005 Forensic Challenge (Garner & Mora, 2005). Once the RAM data has been collected, it can
be saved and analyzed later.
The last type of analysis, network forensics, is a specific network analysis after security
attacks or other cybercrime has occurred (Janssen, Cory, 2013). Today’s technology has
decreased the RAM requirements to run the OS. However, it has also increased the amount of
RAM that Windows OS is capable of using on a computer system (Microsoft, 2013). This gives
the computer operator the ability to run more applications at the same time for increased
productivity. It also increases the size of the collected RAM file. Investigators must weigh these
considerations to ensure that enough time and storage capacity are provided to
collect the RAM.
Another important consideration for today's investigators is the variety of devices
they will encounter and the specialized equipment or skills required to collect data from them. Technology
has advanced so much that people carry small computers with them daily; some in the form of
smartphones. PC Magazine describes a smartphone as a cellular telephone with built-in
applications and Internet access (PCMagazine, 2013). The Nielsen Company survey of the 3rd
Quarter of 2012 showed that 50% of mobile subscribers owned smartphones (Nielsen Ratings,
2012).
Yet another aspect of the evolution of computer analysis is the availability of the Internet
to support a cyber-attack. With the small computers carried on one's person, and the widespread
availability of connections to networks and Internet, criminals are finding even more creative
ways to facilitate crimes involving electronic means. Wireless access points are available almost
everywhere in populated areas offered by businesses such as Starbucks and Barnes and Noble.
According to the study, “Global Developments in Public WiFi” there will be 5.8 million hotspots
globally by 2015 (Wireless Broadband Alliance, 2011, p. 5). In 2012, a study by Pew Research
found that 77% of home users have at least one desktop or laptop, 44% own a smartphone, and
18% own a Tablet (Christian, Mitchell, & Rosenstiel, 2012). People use computers to help make
their lives easier and to complete repetitive tasks faster.
Cyber Intruders and their targets are in a constant state where the targets are resigned to
attacks and the intruders are able to exploit and disrupt networks without suffering the
consequences (Endicott-Popovsky, 2007). Many banks that once used UNIX systems have
updated to Windows-based systems and servers to store account balances and transactions along
with millions of personally identifiable information (PII) records on their customers (Narter & Greer,
2012). With some banks making a change from a UNIX core to a Windows core, it is crucial that
the event logs are closely monitored for signs of attacks. In 2009, Microsoft and Temenos
partnered to establish a new Core banking system (Conz, 2009). They merged Microsoft's
operating platform software and the .NET architecture to produce the same functionality and
scalability of similar mainframe and UNIX based systems.
In a personal communication, C. A. Nelson, a leading Digital Forensic Investigator for
Microsoft stated, “The rationale for forensics is grounded on a spectrum of problems, some of
which face the consumer such as malware, abuse, piracy, botnets, ID theft or spying”. Forensic
Investigators use many tools to trace attacks by unskilled hacker criminals who use scripts
created by professional hackers for the thrill of it. These script scavengers are often referred to as
Script Kiddies (Techopedia, 2013).
There have been many reports in the news about various hacking incidents. As AP
reporter Tom Krisher reported in September 2013, hackers now have the ability to break into
the computers on a car. In one demonstration, it was proven that a hacker can slam the brakes on
a car that is moving and can shut down the engine (Krisher, 2013). The U.S. Department of
Energy suffered a data breach that allowed hackers to steal 53,000 current and past employees’
PII including their Social Security Number (SSN), Name and Date of Birth (DOB) (Schwartz,
2013). In Pierce County, Washington, individuals who qualified for Section 8 housing but were on the
waiting list had hundreds of their SSNs displayed due to human error (Greenberg, Adam, 2013).
Collecting thousands of PII records allows criminals to steal the identity of these victims. Krisher
went on to report that no victims have reported an issue with the compromise of their personal
information (Krisher, 2013). Many of these types of attacks may be detected or investigated
through the use of event log monitoring and alert functions.
Some of the primary event logs are Application, Security and System. In addition to
several others, Forwarded Events and Setup under the Windows log file allow for the monitoring
of remote event logs and alerting of events of interest. There are other logs in the Applications
and Services folder including Hardware Events, and Media Center (See Figure 1). To set up the
Operational Log, the system administrator, after selecting the Properties, can enable and adjust
the size of the log and how often it is updated or cleared. If the computer is not on a corporate
network, the individual owner of the system can setup these logs.
Figure 1. Application and Services Logs. Screenshot of the Windows event logs as displayed in the Event Viewer in Windows 8.
One way event logs can be helpful during an investigation is to search for certain artifacts
that will help identify the source of an attack. The IP address is an important key when trying to
locate a specific individual or group. This is one of the reasons various event logs are so
important for the corroboration and confirmation of other hard data found on the system or
network. The Event Viewer's filter cannot select events by IP address on its own. However, a specific IP can be found by using Microsoft’s PowerShell Get-NetIPAddress cmdlet (Microsoft, 2012). Another way to get IP addresses would be to create a
custom view and use the XML tab to write the query (PaperCut, 2013).
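The XML custom view and IP extraction described above, as an added example that is not part of the paper: a PowerShell script that runs the same style of XML query a custom view uses against the Security log, reads the source IP out of each logon event, and then applies the two checks mentioned earlier (failed logons in a time period, and logons outside normal hours). It assumes a Windows Vista-or-later host, an elevated PowerShell 3.0 or later session, and a constructed 7-day window with a 07:00-19:00 working day.

```powershell
# Added example, not code from the paper: filter the Security log with the same
# XML query form the Event Viewer custom-view "XML" tab accepts, then read the
# source IP address and account name out of each logon event's XML.
# Assumes a Windows host (Vista or later, for event IDs 4624/4625), an elevated
# PowerShell 3.0+ session with rights to read the Security log, and the
# constructed 7-day window and 07:00-19:00 "business hours" used below.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Event Viewer expresses a time window as milliseconds back from "now".
$spanMs = [int64](($end - $start).TotalMilliseconds)

# 4624 = successful logon, 4625 = failed logon. '<' must be escaped inside XML.
$xmlQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and
               TimeCreated[timediff(@SystemTime) &lt;= $spanMs]]]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $xmlQuery -ErrorAction SilentlyContinue

# Flatten each event: IpAddress, TargetUserName and LogonType live in the
# <EventData> section of the event XML, not in the record's top-level properties.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']
        SourceIp  = $d['IpAddress']
    }
}

# Local or unknown sources are recorded as '-', '::1' or '127.0.0.1'; skip them so
# the table shows only remote origins an investigator can follow up on.
$localSources = @('-', '::1', '127.0.0.1')

# 1. Failed logons per source IP in the window.
"Failed logons by source IP, $start to $end"
$records |
    Where-Object { $_.EventId -eq 4625 -and $localSources -notcontains $_.SourceIp } |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Successful logons outside business hours: logon types 2 (interactive),
#    3 (network) and 10 (remote interactive) are the ones a person normally drives.
$humanLogonTypes = @('2', '3', '10')
"Successful logons outside 07:00-19:00"
$records |
    Where-Object {
        $_.EventId -eq 4624 -and
        $humanLogonTypes -contains $_.LogonType -and
        ($_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19)
    } |
    Sort-Object Time | Format-Table Time, Account, LogonType, SourceIp -AutoSize
```

The XPath inside the here-string can be pasted unchanged into the Event Viewer custom view XML tab once the `$spanMs` value is substituted by hand.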
One case where IP addresses were a key point in the investigation is the APT1 unit Cyber
Espionage attack. Mandiant, one of the leading security companies, released a report concerning
one of the Cyber Espionage units in China (Mandiant, 2013). Mandiant named the unit “APT1”.
An Advanced Persistent Threat (APT) has become the most common attack on enterprise level
network systems. APT attacks are usually carried out by well-funded and educated Nation States
such as China, or other criminal groups conducting cyber espionage (Cloppert, 2009). Over seven
years, Mandiant responded to 150 victims from whom APT1 had stolen vast amounts of data
(Mandiant, 2013, p. 2).
Mandiant's report presents several key findings. One finding is that APT1 is believed
to be the 2nd Bureau of the People’s Liberation Army (PLA). The unit designator is "Unit
61398". The PLA is specifically looking to “compromise organizations in a broad range of
industries in English speaking countries” (Mandiant, 2013, p. 4). Mandiant found that there were
614 distinct routable IP addresses registered in China where these attacks originated. Mandiant
revealed three of the personas that were used by these attackers. One is “UglyGorilla”, who has
registered domains that were attributed to APT1 (Mandiant, 2013, p. 5). There is also evidence
that this unit recruits new talent from the Science and Engineering departments of China’s
universities (Mandiant, 2013, p. 11). APTs tend to target specific organizations to steal specific
data or cause specific damage (Cloppert, 2009).
Another way event logs can help identify when these types of attacks are happening is by
identifying an increase in elevated logins late at night (Grimes, 2012). This research paper will
analyze several Windows event logs for artifacts that can assist investigators in halting an attack
or catching an insider threat. Throughout the research, various examples of breaches that might
require a forensic examination are identified. Examples of how investigators use the information
found in various event logs during the course of their investigation are discussed, in addition to
best practices for analyzing the logs to allow the investigators to use a particular event or use a
more holistic approach, based on the breach or threat. Finally, the research suggests and
identifies techniques for parsing log data more efficiently. These tools and practices will assist
new or seasoned investigators in their approach to using event logs more efficiently to recognize,
deter, and investigate network incidents.
Literature Review
According to a James P. Anderson Company report titled “Computer Security Threat
Monitoring and Surveillance”, a clandestine user is possibly the most difficult to detect by normal
audit trail methods. This shows that event logs were used in various kinds of network analysis before
being used by digital forensic investigators for investigative purposes. The summary of this
particular report states the need to augment the log collections to assist the security personnel at
any corporation (Anderson, Computer Security Threat Monitoring and Surveillance (Vol. 17),
1980). The Computer Security Technology Planning Study that was conducted in 1972 for the
U.S. Air Force was requested because of a need to secure both classified and unclassified
networks. At that time, the security of computer systems was an add-on after OS development
(Anderson, Computer Security Technology Planning Study, 1972).
In the 1980’s, computers became more affordable for average consumers and businesses, and
law enforcement realized they had a new crime class, computer crime (Bem, Feld, Huebner,
& Bem, 2008, p. 44). In the National Institute of Justice, Issues and Practices, “Organizing for
Computer Crime Investigation and Prosecution”, computer related crime was defined to help law
enforcement and prosecutors establish better guidelines.
Computer-related crime, defined to be any illegal act that requires the knowledge of
computer technology for its perpetration, investigation, or prosecution, is used to capture
the broad range of offenses that investigators and prosecutors have been required to
handle. (Conly, 1989, p. 6)
This report contained several site studies for various police departments. According to
one site study, the police agency began using a departmental modem in 1981 and found that
electronic bulletin boards were being used to share illegal information among some of the board
users. Another study found that while most of the cases involved juveniles, one case involved a
disgruntled employee who stole proprietary data from the company he was leaving (Conly, 1989,
p. 17). The “Computer Crime Investigation and Prosecution” report is a very thorough document
that also discusses the challenges of collecting computer related evidence from these “file
cabinets” requiring training and expertise (Conly, 1989).
Title 18 of the United States Code (USC), Section 1029, the Access Device Statute, “defines and
establishes penalties for fraud and illegal activity that can take place by the use of such
counterfeit access” (Harris, Harper, Eagle, & Ness, 2008, p. 19). This USC section refers to
passwords, credit card numbers, phones and PINs, which are identified as the credential and the
device (Division of Homeland Security and Emergency Services, 2013). This law was used when
charges were brought against an alleged criminal who accessed credit card information from a
retail sales agency by breaking into its network and stealing this information for nefarious use.
The US Department of Justice brought charges against three people who had hacked into eleven
cash registers at Dave & Buster's and then sold the information to others who made fraudulent
purchases (Department of Justice, 2008). At least one of the people in this case, Albert “Segvec”
Gonzalez, was also indicted in another case in 2008 that involved eleven perpetrators
(Department of Justice, 2008). This case was unsealed in 2010 and was reported by CBS News
(CBS News, 2010). In March of 2010, Albert Gonzalez was sentenced to 20 years in prison for
these identity theft charges (Feeley & Van Voris, 2010).
The United States Army requires, according to Army Regulation 25-2, that Audit Logs
are examined once a week by System Administrators (United States Army, 2009). The Army
requires that these audit logs are maintained for ninety days (United States Army, 2009, p. 32).
Caroline Allinson, a former member of the Queensland Police, stated:
The audit is now a process where a record is maintained of a particular series of events in
order to provide evidence in the case of a dispute, to ensure compliance with certain rules
and regulations, to check on the effectiveness of control systems, and to provide evidence
in the case of criminal activity. (Allinson, 2001, p. 410)
Microsoft states “event logs record events that happen on the computer. Examining the
events in these logs can help you trace activity, respond to events, and keep your systems secure”
(Microsoft, 2013). Harlan Carvey describes event logs as “files within the file system” (Carvey,
2009). The contents of the event logs can be changed by configuring which events are audited and how they are
configured on the targeted system (Carvey, 2009). Steve Anson and Steve Bunting, authors
of Mastering Windows Network Forensics and Investigations, inserted
a note on page 327 about the convenience of the config folder. Anson & Bunting stated the
registry hive files and the event log files are both located in the system32/config folder. By
collecting and analyzing this folder while waiting on the official report, the investigator can keep
the network examination moving (Anson & Bunting, 2007).
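To act on that note, an investigator needs a trustworthy copy of the three primary logs taken from the live system. The following script is an added example, not Anson and Bunting's or the paper's: it exports the Application, Security and System logs with wevtutil and writes a hash manifest so the copies can be verified later. It assumes an elevated PowerShell 4.0 or later session on Windows Vista or later and a constructed evidence path.

```powershell
# Added example, not from Anson & Bunting or the paper: export the three primary
# event logs from a live system and record a SHA-256 hash of each export so the
# copies can be verified later. Assumes an elevated PowerShell 4.0+ session
# (for Get-FileHash) on Windows Vista or later (for wevtutil.exe), and a
# constructed evidence path on a drive other than the system disk.

$caseDir = 'D:\Case-0001\evtx'   # constructed evidence location
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

$logs  = 'Application', 'Security', 'System'
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

$manifest = foreach ($log in $logs) {
    $dest = Join-Path $caseDir ('{0}_{1}_{2}.evtx' -f $env:COMPUTERNAME, $log, $stamp)

    # wevtutil epl (export-log) asks the Event Log service for a consistent copy
    # of the live log; copying the .evtx file directly can fail or yield a
    # partial file while the service still holds it open.
    & wevtutil.exe epl $log $dest
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil epl failed for $log (exit code $LASTEXITCODE)"
    }

    $hash = Get-FileHash -Path $dest -Algorithm SHA256
    [pscustomobject]@{
        Log         = $log
        File        = $dest
        SizeBytes   = (Get-Item $dest).Length
        # Record count of the live log at export time, for later comparison.
        LiveRecords = (Get-WinEvent -ListLog $log).RecordCount
        SHA256      = $hash.Hash
        Collected   = (Get-Date).ToString('o')
    }
}

# The manifest travels with the exports and documents what was taken and when.
$manifestPath = Join-Path $caseDir 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation
$manifest | Format-Table Log, LiveRecords, SizeBytes, SHA256 -AutoSize

# Later, anyone holding the exports can re-hash them against the manifest to
# show that nothing changed after collection.
function Test-EvtxManifest {
    param([string]$Path)
    Import-Csv -Path $Path | ForEach-Object {
        $current = (Get-FileHash -Path $_.File -Algorithm SHA256).Hash
        [pscustomobject]@{
            Log    = $_.Log
            File   = $_.File
            Intact = ($current -eq $_.SHA256)
        }
    }
}
Test-EvtxManifest -Path $manifestPath | Format-Table -AutoSize
```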
Computer forensic investigators should be looking at two different types of audits when
investigating for a corporation (Brown, 2006). The first set is the logs collected before the
current investigation and the second is the information system audits conducted during the
current investigation (Brown, 2006). Brown recommends that computer forensic investigators
read and understand the IS Standards, Guidelines and Procedures for Auditing and Control
Professionals (ISACA). ISACA provides a guideline for specific auditing procedures in three of
eight areas including, IS Risk Assessment, Digital Signatures and Desktop Support Policies
(Brown, 2006, pp. 71-72). ISACA has also published a performance guideline that describes
what constitutes Audit Evidence (ISACA, IT Audit Assurance Guidance, 2010, pp. 22-23).
Audited events are written to the three primary log files: Application, System and
Security (Anson & Bunting, 2007). Anson and Bunting go on to write “Application logs provide
a space where any application that wants to use the Windows APIs can note significant events to
that application” (Anson & Bunting, 2007, p. 327). One application is Internet Explorer, used to
access the Internet from any computer with various OSs (Microsoft, 2007). In United States v.
Milton Scott Pruitt, Mr. Pruitt was convicted of accessing child pornography on his work
computer (United States v. Milton Scott Pruitt, 2011). Mr. Pruitt had been a police officer at the
time he committed the crimes.
In 2007, Milton Scott Pruitt ("Defendant"), a deputy sheriff in the Forsyth County
Sheriff's Department, used his work computer to access and view child-pornography
images. Instead of saving the images directly to his work computer, Defendant used his
computer to access the images remotely: the images remained stored electronically on the
County's network server. The images resided in computer folders assigned to the sole
Forsyth County detective in charge of investigating computer crimes, including child-pornography cases; and some of the files were identified, in part, by the letters "CP," an
abbreviation the County used for "child pornography." Defendant had no work-related
purpose for accessing the images. (United States v. Milton Scott Pruitt, 2011, p. 2)
U.S. v. Pruitt goes on to show that the investigator located the temporary Internet files in
Mr. Pruitt’s home computer’s cache (United States v. Milton Scott Pruitt, 2011, p. 3). Mr. Pruitt
did access his computer from work remotely, and what brought his case to light was the increased
network use after the normal work day had ended (United States v. Milton Scott Pruitt, 2011, p.
1). Mr. Pruitt did not actively download any of the child porn; he simply viewed it (United States
v. Milton Scott Pruitt, 2011, p. 6). “The ordinary meaning of 'receive' is to knowingly accept; to
take possession or delivery of; or to take in through the mind or senses" (United States v. Milton
Scott Pruitt, 2011, p. 7). Under Title 18 U.S.C., a person “knowingly receives” child pornography when he “intentionally
views” it (United States v. Milton Scott Pruitt, 2011, p. 7). Based on this
information, Mr. Pruitt’s conviction was affirmed (United States v. Milton Scott Pruitt, 2011, p.
9).
Application analysis helps to establish a picture when viewed as a whole (U.S.
Department of Justice, 2004). “Analysis of logs generated by network services, a firewall or a
web server fall under Application Analysis” (Carrier, 2003, p. 7). Network Administrators can
inadvertently clear the application log files by clearing the Microsoft Directory Synchronization
logs in Windows Server 2003 according to Article ID 906516 on the Support.Microsoft.com
website (Microsoft, 2013).
The National Security Agency (NSA) published a report called Spotting the Adversary
with Windows Event Log Monitoring (National Security Agency, 2013). This report recommends
certain Windows events that would show a machine may have been compromised. Some of these
events are 1000-1004 and 4097 (National Security Agency, 2013, pp. 29-30). All of these events
will populate in the Application Log.
Microsoft made an important announcement on November 14, 2013 in the battle against
organized crime. They announced a new Cybercrime Center in Redmond, WA. According to
Moreno, “The Cybercrime Center maps, tracks and traces organized crime groups. A major part
of the effort is to disrupt botnets, which are networks of hacked computers used to defraud
people and financial institutions.” (Moreno, 2013, p. 1). Microsoft is using its resources to
track organized crime and the malware that makes use of botnets, confirming that big business is
taking APTs seriously.
This research analyzed several Windows event logs for artifacts that can assist
investigators in halting an attack or identifying an insider threat. As demonstration models,
examples were provided of various breaches that might require a forensic examination.
Examples were also provided of how investigators use the information found in various event
logs during the course of their investigation. In addition, best practices for analyzing the logs
based on the breach or threat were discussed. Finally, the research suggested and identified
techniques for efficiently parsing log data.
Methodology
In the interest of time, the research was conducted on three VMs that were loaded on a
Hewlett Packard Pavilion Elite m9515y with 8 GB of RAM and an AMD Phenom 9850 Quad-Core Processor at 2.50 GHz, running a 64-bit Windows 7 Ultimate, SP1 OS. The VMware
workstation is version 8.0 build 1035888. Two of the VMs run patched Windows 7 installations,
one 64-bit and the other 32-bit. The final VM is a patched Windows Server 2008.
Patched systems are computers that have received and installed the latest updates (MIT, 2013).
Open source network IDS tools were used in lieu of commercial tools to provide a means
for another researcher to follow this methodology as a means of validation at a later point in
time. Plenty of open source tools are available to download and use freely without cost. The tools
chosen for this research are accepted in the networking community and perform as well as
commercial tools that require payment, called “fee-for-service”. Open source tools are generally
funded by donations. If the funding disappears, this may cause the tool to become obsolete
because it was not updated to keep up with changing technology and OSs. The fee-for-service
tools are generally used for enterprise networks and will keep their virus and malware detection
files updated for the company. Symantec's Norton AntiVirus (Norton) is an example that allows
individuals and enterprise entities to download its proprietary software and manage it on the
customer’s network. Norton releases patches, virus and malware updates regularly. Home users
pay a small annual fee while enterprise users will pay a larger annual fee based on the number of
clients. For instance, small businesses with 50 clients will pay $1,350.00 per year (Norton,
2013).
For the purposes of this research, the free intrusion detection system (IDS) software,
WINSNORT was installed on the three VMs as the IDS. “Snort is an open source network
intrusion prevention and detection system” (Snort, 2013). WINSNORT is a version of Snort for
Windows systems only. Snort itself can be run from the command line interface. Both
WINSNORT and Snort use the current version of Snort; the only difference is that additional
tools are required to set up WINSNORT on Windows. In each instance of testing, Snort was
installed before a virus was introduced. Additionally, each VM had a different version of virus
protection installed after the malware was introduced. Safer-Networking Ltd's Spybot version
2.1.21 SR 2 was installed on the patched Windows 7 x64 VM (Safer Networking, 2013).
AVAST Software's free home version 9 was installed on the Windows 7 x32 VM (Avast,
2013). McAfee's antivirus version 8.8 was installed on the Windows Server 2008 VM (McAfee,
2013).
An explanation of the various network settings in VMware is necessary to understand
why this is a useful way of testing without infecting other machines on both the Internet and
internal network. The VMware Help menu explains how to set up a bridged network allowing
two or more VMs to be networked together. To accomplish the virtual network, certain hardware
is necessary. The host system must have two network adapters to create a virtual network with
the VMs. In this case, one of the VMs used the wireless network adapter, and the other used the
wired network adapter. The virtual network was created using the Windows Server 2008 VM and
the Windows 7 x64 VM. VMware’s snapshot feature was used to create a snapshot at the various
stages of setup, infection and cleanup after the data had been collected for analysis. Related
Event IDs were collected and explained in detail as each virus was run against a given VM.
VMs are fully functioning computers with an OS, with the look and feel of an ordinary
desktop computer. The only difference between the VM and the host machine is the VM runs on
the host machine and does not use any physical space except on a hard drive. The VM uses the
host machine’s hardware. VMware is one particular brand of VM tools; however, Microsoft has
also enabled the ability to create VMs through its Hyper-V hypervisor. VMs are used to increase
productivity in businesses and allow businesses to create test machines before updating or
upgrading the software they use in day to day operations. VMs can also be encrypted and even
have an “expiration date” for students or companies to evaluate any business software tools
(VMware, 2013).
Most VM software allows the user to take snapshots or create clones for testing. In this
research, snapshots were used to set a baseline of the VM as originally created, and then after the
virus was introduced another snapshot was taken. Snapshots are an efficient means of testing
virus activity in an OS, as they allow the VM to be reverted to its original state from before
the virus was introduced without having to create the VM all over again (VMware, 2013). Snapshots are
commonly used today in many technology situations, including wireless networking.
Each virtual system had one virus installed: Fizzer, Zeus and MyDoom. As a precaution,
none of the machines were ever allowed Internet access. The machines were unable to see any
hardware on the host system except the hard drive. The printer, disk drive, USB drive and
network were all turned off. This was to ensure these viruses did not infect the host machine or
the Internet Service Provider's (ISP) network.
The event viewer open source tool, Windows Event Log Viewer (evtx_view) prototype
was used to search for all events that helped identify when a virus is installed. Windows Event
Log Viewer was also used to analyze what other Event IDs indicated that a virus is at work on a
computer or network. This tool can be used on a live host machine or the files can be copied
from one machine and examined on another that has the viewer installed (Works, 2012).
Windows Event Log Viewer shows the event in each log identified as an “R” file. Under the “R”
file the Records folder then displays the event number and the Event ID. Figure 2 below is a
screenshot of the first record as 0001 [1531]. The number "1531" in brackets is the actual event
ID and reports that a user profile service has started successfully (Microsoft, 2013).
Figure 2. Event Viewer prototype by TZ Works, LLC in operation. In this screenshot, record 0001 indicates,
according to event ID 1531, that the Windows User Profile service has started.
During each phase, the investigator examined the security logs, application logs and the
system logs to determine what had changed and what had not changed. Each machine was
baselined to allow easier tracking of the changes. A baseline system means the initial installation of
the OS has been completed, the updates are up to date, and any additional programs needed to
conduct business in day to day operations have also been installed. Each of the updated VMs had
the Windows automatic update turned on but could not access the Internet once an infection was
introduced. After infection, each VM was left running for four to six hours to allow Event IDs to
be initiated.
Key Event IDs
Due to time constraints, not all Windows Event IDs were examined. This research
focused on what events were created when a virus was installed on a system and identified
attempts to communicate with its creator. Application logging is automatically turned on by
default in the Windows OS and populates in the Application log. Normally, AppLocker is an
additional tool that would be set up on a network and works with Group Policies to prevent
viruses, which are applications, from being installed (Microsoft, 2012). While it is recommended
that AppLocker be installed in a production environment, it would prevent the virus installation,
and as such, the researcher did not install and populate AppLocker.
AppLocker helps administrators control which applications and files users can run. These
include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs),
packaged apps, and packaged app installers. (Microsoft, 2012, para. 1)
The researcher observed certain key events that occurred when a virus had been installed:
application crashes, system or service failures and Windows firewall alerts. Application crashes
were reported by Event IDs 1000-1004, Windows Error Reporting (WER) 4097 and 1001
(National Security Agency, 2013, p. 29). Event ID 1000 is an Application Error and event ID 1002
is an Application Hang notice. Event IDs 1000 and 1001 also occur when a Blue Screen of Death
(BSOD) has occurred. WER 4097 occurs when a Dr. Watson error has occurred on Windows XP.
WER 1001 is also used to provide information about additional errors that occurred. Further
information can be gained by examining each event ID.
Event IDs should also be collected when the system fails or after service failures. These
events, logged in the System log of Windows 7 and Server 2008, are 7000, 7001, 7022, 7023,
7024, 7026, 7031, 7032 and 7034 (National Security Agency, 2013, p. 30). Event IDs 7000 and 7001
did occur on the Windows Server 2008 x64 VM. Event 7000 occurred on 10/29/2013 at
4:39 pm PST. Event ID 7001 was a Winlogon error that occurred on 10/29/2013 at 5:14:14 pm
PST, after the virus was installed. Event ID 7023 occurred on 10/29/2013 at
4:26:02 PM. Windows update failed events are logged in the Microsoft-Windows-WindowsUpdateClient/Operational log. The update failed events are 25 and 31. Event ID
1000 also shows when an application has crashed, which can be indicative of a virus.
The hotpatching failed event is 1009 and is located in the Setup log. The researcher did not
see the hotpatching event in any of the VMs. The Distributed Component Object Model (DCOM)
invalid permission event is 10016 and populates in the System log. This event ID was observed
on 11/8/2013 at 10:00 am PST. The Windows update failed event for Windows XP is
event ID 20. Windows XP populates Event IDs 11708 and 11923 in the Application log. These
two events occur when the Microsoft Windows Installer (MSI) fails (Microsoft, 2013,
para. 1).
Firewall logs need to be collected if the state goes from on to off. Those Event IDs are
2004, 2005, 2006, 2033 and 2009 (National Security Agency, 2013, p. 31). In Windows XP, the
Event IDs are 852, 851 and 854. These are populated in the Microsoft-Windows-Windows
Firewall With Advanced Security/Firewall and the Security logs. Some of these Event IDs were
expected to be populated because the virus was running on a VM that was not connected to the
Internet.
Monitoring account logon/logoff information can be key to determining when malicious
activity has occurred, for instance if an unauthorized user appears in a privileged group. SQL injections can
be used to log on with an unauthorized username and password by using PowerShell to inject a
dynamic link library (DLL) into an existing winlogon process (clymb3r, 2013). While not part of
this research, SQL injections would be beneficial for future research.
The following user account Event IDs should be examined if malicious activity is
suspected. The corresponding Event IDs were not observed in this research, which is likely due
to the fact that the full set up of a network, including privileged groups, was not part of the
project. These Event IDs all populate in the Security log: account lockout, event ID 4740;
user added to a privileged group, event IDs 4728, 4732 and 4756; successful user account login,
event ID 4624; failed user account login, event ID 4625; and finally account login with
explicit privileges, event ID 4648. See Appendix A for further information on each event ID
identified.
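The following Python is an added example and is not code from this paper or from any of the tools it cites. It takes the Event IDs listed in this section, together with the log (channel) the text assigns each of them to, and applies them as a watch-list to tabulated event records. The sample records are constructed for the example, and the four-field tuple layout and the category names are assumptions made here, not anything the paper specifies. The point it makes is that the channel matters as much as the number (1000 in the Application log is an application error; 1000 in another log is unrelated), and that counts per category give an investigator a first view of a collected log before reading individual entries.

```python
"""Triage of Windows event records against the Event ID watch-list
described in the text (application crashes, service failures, update
failures, firewall state changes and account activity).

Added example, not code from the paper. The records below are constructed
sample data, not events from the paper's VMs, and the (time, channel,
event_id, message) tuple layout is an assumption about how an investigator
would tabulate events exported from Event Viewer.
"""
from collections import Counter

FIREWALL_LOG = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
WU_LOG = "Microsoft-Windows-WindowsUpdateClient/Operational"

# (channel, event_id) -> category, using the Event IDs listed in the text.
WATCHLIST = {}


def _add(channel, event_ids, category):
    for event_id in event_ids:
        WATCHLIST[(channel, event_id)] = category


_add("Application", list(range(1000, 1005)) + [4097], "application crash / WER")
_add("Application", [11708, 11923], "MSI installer failure (Windows XP)")
_add("System", [7000, 7001, 7022, 7023, 7024, 7026, 7031, 7032, 7034],
     "service failure")
_add("System", [10016], "DCOM invalid permission")
_add("Setup", [1009], "hotpatching failed")
_add(WU_LOG, [25, 31], "Windows update failed")
_add(FIREWALL_LOG, [2004, 2005, 2006, 2009, 2033], "firewall state change")
_add("Security", [4740], "account lockout")
_add("Security", [4728, 4732, 4756], "user added to privileged group")
_add("Security", [4624], "successful logon")
_add("Security", [4625], "failed logon")
_add("Security", [4648], "logon with explicit credentials")


def classify(channel, event_id):
    """Return the watch-list category for an event, or None if not listed.

    The channel is part of the key because the same numeric ID means
    different things in different logs."""
    return WATCHLIST.get((channel, event_id))


def triage(records):
    """Count watch-listed events per category; unlisted events are ignored."""
    counts = Counter()
    for _time, channel, event_id, _message in records:
        category = classify(channel, event_id)
        if category is not None:
            counts[category] += 1
    return counts


def timeline(records, category):
    """Chronological (time, channel, event_id) list for one category, so the
    events can be lined up against the time of infection."""
    return sorted((t, c, e) for t, c, e, _m in records if classify(c, e) == category)


def crash_burst(records, threshold):
    """True when application-crash events exceed the threshold; a run of
    crash IDs in a short window is the pattern the text treats as a virus
    indicator."""
    return triage(records)["application crash / WER"] > threshold


# Constructed sample records (ISO 8601 time, channel, Event ID, message).
SAMPLE_EVENTS = [
    ("2013-11-01T16:26:02", "System", 7023, "service terminated with an error"),
    ("2013-11-01T16:39:00", "System", 7000, "service failed to start"),
    ("2013-11-01T16:40:11", "Application", 1000, "faulting application"),
    ("2013-11-01T16:40:12", "Application", 1001, "fault bucket reported"),
    ("2013-11-01T16:41:00", "Application", 1002, "application hang"),
    ("2013-11-01T16:45:00", "Security", 4624, "an account was successfully logged on"),
    ("2013-11-01T16:45:01", "Security", 4672, "special privileges assigned"),  # not on the list
    ("2013-11-01T17:14:14", "System", 7001, "service depends on a service that failed"),
    ("2013-11-01T17:20:00", FIREWALL_LOG, 2004, "a rule has been added"),
    ("2013-11-01T17:30:00", "Security", 4625, "an account failed to log on"),
]

if __name__ == "__main__":
    for category, count in triage(SAMPLE_EVENTS).most_common():
        print(f"{count:4d}  {category}")
    print("crash burst:", crash_burst(SAMPLE_EVENTS, threshold=2))
```

The watch-list is a dictionary keyed on (channel, Event ID) rather than on the ID alone; adding the Windows XP firewall IDs (851, 852, 854) or the 4907 audit-policy events discussed later would be one more `_add` line each, once the log they populate is known.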
Selected Viruses for Infection
Viruses are omnipresent on the Internet and a significant number of them are created on a
daily basis. Some are created by nation states and others are created by individuals. Kaspersky
stated in their 2012 report that, “exploits for Windows and Internet Explorer were the third most
popular,” compared to Oracle in first place, and Adobe in second place (Kaspersky, Security
Bulletin, 2012). In 2011, 75% of all malicious programs on the Internet were malicious URL’s or
websites (Kaspersky, Security Bulletin, 2012). Three viruses were selected for installation and
examination on the VMs: Fizzer, Zeus, and MyDoom.
Fizzer. The first of the three viruses that was downloaded and installed in one of the
virtual systems is purported to be financial in nature by F-Secure. Fizzer was spread through email and the file-swapping service, Kazaa. According to F-Secure, “the virus contained a built-in
IRC backdoor, a Denial of Service (DoS) attack tool, a data-stealing Trojan (uses external
keylogger DLL), an HTTP server and other components” (F-Secure, Worm:W32/Fizzer, 2013).
The keylogger file is saved so the owner of the virus can gain access via a back door in Internet
Relay Chat (IRC), HTTP or Telnet protocols (Kaspersky, 2003). An IRC network is a
separate network of IRC servers to which users connect. It is similar to text
messaging, except that it allows communication with large groups (IRC Help, 2013).
Zeus. The second virus selected for this research was Zeus; another malware kit that
targets personal information. Zeus was first noticed in 2007 and the code was rarely available.
Today’s cyber criminals can purchase a Zeus malware kit in the cybercrime underworld. Zeus
steals passwords and files (Weinberger, 2012). If an individual has their identity stolen, it isn’t
just their bank accounts, but also their maiden names, mother’s maiden names, date of birth and
postal address. Zeus was used to exploit LinkedIn. In September 2010, Brian Krebs, who authors
Krebs on Security, reported a new malware spam campaign that mimics invites sent through
LinkedIn:
Those that click on the link in their emails will be passed through another website that
has the SEO Exploit Pack. This is a commercial crimeware kit that tries to exploit more
than a dozen browser vulnerabilities in an attempt to install Zeus. (Krebs, Fake LinkedIn Invite,
para. 2)
MyDoom. The third and final malware that was installed on one of the virtual computers
was MyDoom. According to Cisco’s IPS signatures, the f variant of MyDoom affects files
ending in “scr”, “pif”, “cmd” and “exe” (Cisco, 2005). Sub signatures 1 and 2 of the f variant
affect files with attachments ending in “zip”. The rest of the sub signatures on the m variant
affect “com”, “exe”, “src”, and “pif” files. Finally, the BB variant affects files ending with “zip”
and “pif”. The Cisco IPS Signatures website shows many other viruses, their release dates and
what those viruses affect. This worm will show up in the directory, "%SysDir%\taskmon.exe"
and the backdoor location of "%SysDir%\shimgapi.dll" (F-Secure, Worm:W32/Mydoom, 2013).
According to the F-Secure website, the payload is delivered when the machine is booted after the
first Sunday of February at 16:09:18 (UTC) according to the infected system's clock. It launches a
Distributed Denial-of-Service (DDoS) attack at www.sco.com (F-Secure, Worm:W32/Mydoom, 2013).
The investigator found that www.sco.com is now Xinuos and is the home of SCO UnixWare and
SCO OpenServer (Xinuos, 2013). A DDoS “attack is one in which a multitude of compromised
systems attack a single target” (Rouse, 2013). The next step was to set up the IDS on each
system.
Processing a Compromised Machine
The first step in protecting the OS is to update all of the applications on any computer,
install and update virus protection and maintain the updates. The forensic investigator has a
responsibility to collect the image and files related to a specific case based on the search warrant
or the guidelines set forth by the corporation they are supporting. In all cases the evidence will
likely be admitted in court, so the examination of the files and volatile data should be conducted
with the utmost care in a forensically sound examination by collecting an image of the system.
This can be accomplished on a live system by connecting an external hard drive and running the
software from that tool. An example of a free, but not open source imaging tool is AccessData’s
FTK Imager Lite v 3.1.1 (AccessData, 2013). Mandiant’s Redline, Access Data’s Forensic Tool
Kit and Guidance Software's EnCase are all tools that can be used to collect and examine the
images of a targeted system. Some of these tools are free and all of these tools will require
testing and documentation by the investigator to show they understand what each tool might
change on a live system. Once the data is collected, it can be parsed and examined for evidence
of the type of breach or threat that may have occurred.
Not all Windows event logs are displayed via the Event Viewer in the Windows OS. In
Windows 7, 8 and Windows Server 2008, the Internet Explorer (IE) log is not enabled by
default. Research was conducted on how to turn on these logs. The standard method is
to turn off Delete Browsing History in the Internet Options. This will show the temporary
Internet file (TIF) storage location. In Windows 7 using Internet Explorer 10, the file would be
stored in the user's default TIF location. In this case it would be
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Temporary Internet Files\, as seen
in Figure 3.
Figure 3. Temporary Internet File locations. This screenshot displays the location of the Temporary Internet Files
on the computer under Current location.
Another way to “enable IE event logging is by creating a new DWORD registry value
named Feature_Enable_Compat_Logging” (Tulloch, 2012). When testing this method, the
Windows 7 file tree in the registry editor stopped at HKCU\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl. The \Feature_Enable_Compat_Logging key and the iexplorer.exe
DWORD value were added, and events began populating in the Internet Explorer log under
Applications and Services. The Feature_Enable_Compat_Logging registry key was added along with the
iexplorer.exe DWORD value to turn on the Internet Explorer log (see Figure 4).
Figure 4. Registry File Tree HKCU\Software\Microsoft\Internet
Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging
Each virtual system was verified to have completed all updates and to have a
good connection to the Internet via Network Address Translation (NAT) in VMware. The
Techterms website defines NAT:
NAT translates the IP addresses of computers in a local network to a single IP address.
This address is often used by the router that connects the computers to the Internet. The
router can be connected to a DSL modem, cable modem, T1 line, or even a dial-up
modem. When other computers on the Internet attempt to access computers within the
local network, they only see the IP address of the router. This adds an extra level of
security, since the router can be configured as a firewall, only allowing authorized
systems to access the computers within the network. (2013, NAT, para 1)
NAT allows the internal network to remain secure from attacks originating outside the
network. The router used for this research only allows those systems authorized by the network
administrator to access the network. The router is a Cisco Linksys E3000; Wi-Fi Protected
Access 2 (WPA2) secured, and supports NAT (Linksys, 2013).
A snapshot was taken after the updates and before any malware or searches were
completed on the VMs. In the interest of time, a third party tool was used to collect the event
logs for evaluation. Mandiant Redline was updated to support Windows 7 and 8 on both 32-bit and
64-bit systems (Mandiant, 2013).
Redline was also verified by running and collecting an image using a 64 GB USB Drive.
The audit was then examined using Redline. The first system tested was the Windows 7 x 32
VM. Mandiant’s user guide was easy to follow and facilitated the examination efforts well.
The RunRedLine batch file was executed and the test collection was completed.
However, after running Redline and analyzing the file, Redline provided an error message stating
the file was empty. Checking with Mandiant’s technical support, it was discovered that the image
file was not created. Despite selecting all of the browser history and event logs, the collection did
not occur. Personal correspondence via email with Mandiant's help desk resolved the problem by
recommending the entire collection file be moved to the desktop of the machine being collected.
Figure 5 is a screenshot of the batch collection in progress. The full path of the event logs and the
event log names themselves, were entered in the advanced tools. The log names were then
changed to reflect the correct logs in each path.
Figure 5. RunRedLine batch file while the image was collected.
The Tor Browser, also known as The Onion Router (TOR), was downloaded and
extracted onto a USB drive so it could be used without installation onto a VM or host system
(Project, Tor Project Download, 2013). Tor Browser is an open source tool that can be used to
surf the Internet anonymously. Tor allows the individual to go to various websites without using
an IP address that is assigned to them; rather Tor uses a pool of proxy servers to issue IP
addresses masking the true IP address of the source machine. The Tor Project is the open source
organization that created the browser used for this research. The Tor Project established a
network of proxy servers that are privately and publicly owned. Similar to any organization,
it has companies that provide funds for managing the relays, in addition to private
contributors who provide code writing/testing and the proxy servers used for the relays (Project,
Sponsors, 2013).
Tor does not have to be installed on a computer for it to be used. When the Tor Browser is run
from a USB device, little trace is left on the system if it is compromised. In an effort to duplicate
the type of clandestine browsing that a cybercriminal might employ, Tor Browser was run from a
thumb drive. The Tor Browser does not keep history on the websites visited using that
application. Tor Browser changes the Public IP address that is broadcast to the Internet to hide
the identity of the person or organization using the tool. Law enforcement, human rights
activists, cybersecurity personnel and governments use this tool for their protection (Project, Tor
Project: Overview, 2013).
The more people who use the tool, the better the anonymity of the individuals is
protected (Project, Tor Project: Overview, 2013). Tor uses a minimum of three servers to pass
traffic that is encapsulated and encrypted, which ensures privacy, unlike a VPN, which uses only
one specific server for an organization. Tor sees the real IP at the first server, but not the content
or the destination. Tor is a dynamic network, which makes it difficult for the person or group that
is trying to spy to do so. It is not meant for the user to log into their bank account, etc., as this will
identify the user and will enable the “spy” to trace them (Lambert, 2013).
Forensically, the VM or the host machine will show that a USB device was used and even the
application run from it (Tor Browser). The exit nodes, or last relay server, can be traced, which will
show the unencrypted data upon exiting the Tor network. If a private individual or company
allows their server to be used as a Tor exit node, and a criminal uses Tor to transmit child
pornography, that individual can be arrested for distributing child pornography (Goodin, 2012).
This means that while Tor can be used to keep Internet activities private, it can also be used
against the individual using it, if they are being investigated for a crime, even if they are not the
person committing the crime. This tool was used in this research simply to collect and download
the viruses needed during this project.
After searching Google for the MyDoom virus in the Tor environment, it was
downloaded, while still in the Tor Browser, to the download folder of the Windows 7 x32 VM
(Downloadviruss, 2012). The VM did not have virus protection software installed. The virus was
not extracted and installed at the time of download. The same process was followed on each of
the other two VMs when the investigator searched for and then downloaded Fizzer and Zeus.
NAT was turned off on the Windows 7 x32 VM as a
precaution to prevent any viruses downloaded and installed on the VM from infecting the host
machine or the network that the host machine was connected to. All of the hardware was turned
off by removing access to everything but the hard drive. MyDoom was installed on the
Windows 7 x32 VM. A password was provided at downloadviruss.wordpress.com that allowed
MyDoom to be downloaded (Downloadviruss, 2012). Event IDs 1000 to 1004 are a possible
indication of hacking attempts (Steel, 2006). The service performance logs were stopped and
Event ID 1000 was entered into the Application log, as seen in Figure 6. The infected Windows
7 x32 VM was left running for 5 hours to allow Event IDs to be recorded, ending at
approximately 05:00 am. Mandiant Redline was used to collect the image for the MyDoom
infected Windows 7 x32 VM.
Figure 6. Application Log Event ID 1000 showing possible virus.
Mandiant Redline was then executed to analyze the Windows 7 x32 images that were previously
collected. There were 23 hooks that were suspicious or untrusted. However, there were no IDT
hooks. IDT hooks, which modify the Interrupt Descriptor Table, are usually made by malicious software
(Phrack, 2002). Further defined:
The Interrupt Descriptor Table (IDT) is an internal data structure used by the operating
system in processing interrupts. Devices use the IDT to process events in the operating
system. The IDT is a data structure often exploited by rootkits. [4] By subverting the
IDT, the attacker can point critical items such as the keyboard interrupt to a different
function. Using this method an attacker can then insert malicious code to be executed
when certain interrupts are run. (Quist & Smith, 2013, p. 1)
The Zeus Trojan was downloaded on the Windows 7 x64 VM using the Tor Browser
from the website “malwaredomainlist.com” (List, 2013). This is a website for security
professionals to download viruses for testing purposes. After the Zeus Trojan was installed and
the NAT was disconnected from the host machine, the infection was verified by checking the
event logs and finding the Event ID 1000 in the application logs. The Windows 7 x 64 VM was
left running for 3 hours while the Zeus Trojan was running on it to allow Event IDs to be
recorded. An image was then collected of the Windows 7 x 64 VM. Figure 7 displays the event
ID 1000 that occurred immediately after the Trojan was installed.
Figure 7. Zeus Trojan Installation. This figure displays Event ID 1000 to verify that Zeus Trojan was installed.
Fizzer was downloaded on a Windows Server 2008 through the Tor Browser at the
"http://openmalware.org" website. The Fizzer version selected was added on September 13, 2012
to the malware website and is identified as W32/Fizzer.A@mm. It has an authentication
password of “infected”. Fizzer was installed on the server.
Figure 8. Fizzer Virus Installation. Fizzer installed on Windows Server 2008 Virtual Machine.
After letting the virus run for four to six hours to allow Event IDs to be recorded, the
image was collected for analysis. The Server 2008 and the Windows 7 x 64 VMs were placed on
a host-only internal network before collecting the image for the Server. Throughout the research,
several attempts were made to cause the Event IDs of 5148 and 5149 to be created, but those
Event IDs were never observed in the log. Windows Defender was running and the Windows
Defender logs were also examined for 5148 and 5149 Event IDs. These Event IDs were also not
present in the Windows Defender logs. Further research on the use of these two Event IDs shows
that they only appear in Windows Server 2008 R2 and not in Windows 7 (Microsoft, 2013).
“Windows Defender is the first line of defense against spyware and other unwanted software”
(Microsoft, 2013, p. 1). According to Microsoft, Windows Defender has less impact on the
performance of a computer and it provides one-click purging of all suspicious software.
The EventLog Viewer tool was used to examine the event log files for each of the VMs.
The first log files to be examined were those of the Windows Server 2008 VM. Event ID 900 is a
connection request from when the server was initially booted up and it attempted to connect to
the newly created host-only internal network. The logs were verified to show that there are
numerous entries of event IDs 1000 to 1004, which have been identified to mean there is possibly a
virus on this system (Steel, 2006). The investigator installed a second virus, Fizzer, on the
Windows Server 2008 x64 VM. This virus can cause a Denial of Service (DoS) and provides a
back door access for the creator of the virus. These additional Event IDs, 4625 and 902 could be
part of the attempted communications from Fizzer. Normally, Event IDs will have a username or
the system itself associated with the activity that caused the event. Event ID 4625 does not
contain the user account name on a computer that is running Windows Vista, Windows Server
2008, Windows 7, or Windows Server 2008 R2. Figure 9 is a screenshot of the Application log
in the Windows Server 2008 x64 VM.
Figure 9. Windows Server 2008 x64’s Application Log. The number in the [ ] is the event ID.
In the Windows Server 2008 VM, the Security log has event ID 4902, which is an “Audit
Audit Policy Change” (Microsoft, 2013). This could be related to the attempted change to the
Internet Explorer log to cause it to log browser events. The event ID 4624 assigns special
privileges to new logons. This occurred at the time of the Fizzer install and continued until the
machine was powered down. This could be another Event ID that is associated with a virus
attempting to communicate with its creator. Figure 10 is a screenshot of event ID 4624 using the
EventLog viewer.
Figure 10. Event Log Viewer after Fizzer installation. Event Log Viewer showing event ID 4624. This coincides with the
installation of the Fizzer virus.
The event logs for the Windows x64 VM and the Windows x32 VM were examined, with the same results
as described above. Event ID 4624 showed when the Zeus and the MyDoom viruses were
installed. In the Windows x64 VM and the Windows x32 VM, there were too many entries of the
1004, 1001, 1003 and 1000 Event IDs to count in the Application logs for both systems. These
IDs are associated with a virus. There were multiple entries where the Windows x64 VM could
not communicate with a server as evidenced by the Event IDs of 8212 and 8196. These events
could be triggered by the Zeus virus trying to communicate with its maker, or the Windows x64
VM’s inability to communicate with the Windows Server 2008 VM.
The two way communication between the Server and the Windows x64 VM had already
been verified to work by establishing a remote connection into the Windows x64 VM from the
Server VM. All of the event IDs were verified on the EventID.net website and the Microsoft
TechNet website. Event ID 4907 in the security log shows that auditing settings were changed.
This could be associated with Zeus because the auditing settings were not changed by the
investigator. There were over two thousand 4907 events in the security logs. Event 4672 is
associated with assigning special privileges to a new logon. This occurred at the time that the
Zeus virus was running without the system being shut down. Event ID 4624 is associated with an
OS special logon whose subject is <Data Name="SubjectUserSid">S-1-5-18</Data>. This was seen near the
4672 Event IDs in the security log. The 5148 and 5149 Denial of Service Event IDs did not
populate on any of the three test systems.
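As an added example, not part of this paper, the following Python parses event records in the XML form that Event Viewer exposes (the <Data Name="SubjectUserSid"> element quoted above sits in the EventData block of such a record), so that the SID behind a logon and the number of entries per Event ID can be pulled out of a collected log rather than counted by hand. The sample records are constructed for this example and modelled on the real Event XML layout; the <Events> container around them is an assumed wrapper that Event Viewer's own export does not add. The well-known SID names are Microsoft's.

```python
"""Parsing Windows event records in Event Viewer's XML form (a System
block plus EventData/Data elements), to extract fields such as
SubjectUserSid and to count events per Event ID.

Added example, not code from the paper. SAMPLE_XML is constructed: a few
Security-log records modelled on the real Event XML layout, not events
captured from the paper's VMs. The <Events> wrapper is an assumed container
for several records.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Well-known SIDs that appear as SubjectUserSid on machine-initiated logons.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem (NT AUTHORITY\\SYSTEM)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

_EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <EventRecordID>{record_id}</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WIN7X64-VM</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectUserName">{user}</Data>
  </EventData>
</Event>"""

# Constructed records: two machine-account events (4624, 4672), two
# audit-policy changes (4907) and one logon by an ordinary local user.
_SAMPLE_ROWS = [
    (1, 4624, "2013-11-02T17:45:00.000Z", "S-1-5-18", "WIN7X64-VM$"),
    (2, 4672, "2013-11-02T17:45:00.100Z", "S-1-5-18", "WIN7X64-VM$"),
    (3, 4907, "2013-11-02T17:46:10.000Z", "S-1-5-18", "WIN7X64-VM$"),
    (4, 4907, "2013-11-02T17:46:11.000Z", "S-1-5-18", "WIN7X64-VM$"),
    (5, 4624, "2013-11-02T18:02:33.000Z", "S-1-5-21-1000-2000-3000-1001", "analyst"),
]
SAMPLE_XML = "<Events>\n" + "\n".join(
    _EVENT_TEMPLATE.format(record_id=r, event_id=e, time=t, sid=s, user=u)
    for r, e, t, s, u in _SAMPLE_ROWS) + "\n</Events>"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def parse_event(event_elem):
    """Flatten one <Event> into a dict; each EventData/Data becomes data[Name]."""
    system = _child(event_elem, "System")
    data = {}
    event_data = _child(event_elem, "EventData")
    if event_data is not None:
        for d in event_data:
            if _local(d.tag) == "Data" and d.get("Name"):
                data[d.get("Name")] = (d.text or "").strip()
    return {
        "record_id": int(_child(system, "EventRecordID").text),
        "event_id": int(_child(system, "EventID").text),
        "channel": _child(system, "Channel").text,
        "time": _child(system, "TimeCreated").get("SystemTime"),
        "data": data,
    }


def parse_events(xml_text):
    """Parse either a single <Event> or a container holding several."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) == "Event":
        return [parse_event(root)]
    return [parse_event(e) for e in root if _local(e.tag) == "Event"]


def count_by_id(events):
    """Events per Event ID, e.g. how many 4907 entries a log holds."""
    return Counter(e["event_id"] for e in events)


def events_for_sid(events, sid):
    """Records whose SubjectUserSid matches, e.g. S-1-5-18 for SYSTEM."""
    return [e for e in events if e["data"].get("SubjectUserSid") == sid]


def describe_sid(sid):
    return WELL_KNOWN_SIDS.get(sid, "domain or local account SID")


if __name__ == "__main__":
    evts = parse_events(SAMPLE_XML)
    for event_id, n in sorted(count_by_id(evts).items()):
        print(f"Event ID {event_id}: {n}")
    for e in events_for_sid(evts, "S-1-5-18"):
        print(e["record_id"], e["event_id"], describe_sid(e["data"]["SubjectUserSid"]))
```

The namespace is stripped rather than hard-coded because Event Viewer's "Copy Details as XML" emits the qualified form while some exports drop the xmlns attribute; matching on the local tag name handles both.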
The Avast antivirus was installed on the Windows x32 VM. After installation and
updates, Avast was run to determine if the machine was still infected with the MyDoom virus or
any others that may have occurred. However, at the end of the scan, there were nine files that
could not be scanned. Those files are displayed in Figure 11 below.
Figure 11. Avast virus scan results. These files could not be scanned by Avast.
McAfee Internet Security version 8.8 was installed on the Windows Server 2008 VM.
After installing the virus protection, the VM was re-infected with Fizzer. Almost as soon as the
virus was installed, McAfee caught and quarantined the virus. This test was completed to show
the importance of keeping all networked tools as secure as possible. Figure 12 shows the
quarantined file.
Figure 12. McAfee blocking the Fizzer virus, which produced a pop up window notifying the user.
Setting up WINSNORT
The WINSNORT software was installed on the Windows 7 x32, Windows 7 x64 and the
Windows Server 2008 VMs. The investigator must verify which version of Windows they are
using due to the fact that the WINSNORT guides were created to cover different versions of
Windows and Database tools (Steele, 2013). The instructions for installation on a Windows
machine can be found at "www.winsnort.com". Before Snort can be installed, several other
programs need to be installed. All of the software tools must be downloaded from the
WINSNORT website for the tools to work. The first is WinIDS created by Michael E. Steele
from the WINSNORT website (Steele, 2013). This was installed without running a scan after
installation. The next software tools are WinPcap v4.1.3, followed by Snort 2.9.5.5, snortrules-snapshot-2953, Rule Documentation, Strawberry Perl 5.14.2.1, PostgreSQL Database and PHP
5.5.5 NTS (VC11). In the online guide, under the "My setup is a classical Windows Intrusion
Detection System (WinIDS) deployment" section, Michael Steele explains what this setup does.
The Snort detection engine will be running in passive mode, logging events to a unified2
log file. Barnyard2 will be processing the Windows Intrusion Detection Systems
(WinIDS) unified2 log files. A PostgreSQL-driven database will store processed
events/logs for further analysis. Internet Information Services 7.5 / 8.x web-server will
drive the Windows Intrusion Detection Systems (WinIDS) analysis GUI console. BASE
will serve as the web-based Windows Intrusion Detection Systems (WinIDS) events
analysis GUI console. (Steele M., 2013)
The various software tools for WINSNORT to work as an IDS are described here.
Windows Intrusion Detection System (WinIDS) is installed first. The WinIDS package for
WINSNORT has been developed by Michael Steele. The Deployment Image Servicing and
Management (DISM) tool is installed via the command line for all versions of Windows after Server
2008 (Steele M. E., 2013). Another tool to be installed is WinPcap. The Introduction to WinPcap
states “WinPcap is the packet capture and filtering engine for many open source and commercial
network tools” (WinPcap, 2013).
Following the instructions to the guided install, the command prompt was opened as an
Administrator. The two commands entered were: "d:\winids-sp-x32-09.17.13.exe" followed by
"d:\temp\modder.vbs". The Installing Core Support files section then requires the modder.vbs to
be executed. The modder.vbs contains a script that installs Notepad2, tartool and the WinIDS
hostname host file (Steele M. E., 2013). These commands also turned off User Account
Control (UAC) and installed Microsoft Visual C++, Unzip and tartool. This also set several registry keys
according to the WINSNORT installation guide (Steele, 2013). The installation of the tools in the
modder.vbs forced the system to restart after installation.
The next tool installed is WinPcap using the command: "d:\temp\WinPcap_4_1_3.exe".
The following tools were installed as instructed by the guided install: Snort, Snort rules,
Strawberry Perl, Syslog, Internet Services and moveiis7-8.bat. Snort is a standalone intrusion
detection and prevention (IDS/IPS) tool produced by Sourcefire (Snort, 2013). The Snort rules
are developed and tested by Sourcefire’s Vulnerability Research Team (VRT) (Snort, 2013). The
Strawberry Perl version 5.14.2.1 was installed via the command line (Strawberry Perl, 2013). Strawberry Perl is a
Windows compatible version of the Practical Extraction and Reporting Language (Perl, 2013).
The Internet Information Services 7.5 for Windows 7 is already installed on the Windows OS
and only needs to be turned on in the Windows Features (Steele M. E., 2013). The WinIDS
security console was installed followed by Barnyard2 and the PostgreSQL Database server.
“Barnyard2 is a dedicated spooler for Snort’s unified2 binary output format” (Github, 2013).
PostgreSQL is an “open source object-relational database system” (PostgreSQL, 2013).
“ADODB is a database abstraction library for PHP” (Sourceforge, 2013). ADODB and
PHP were installed, followed by the command to update the sid-msg.map file. The sid-msg.map is
used by Barnyard2 to input the names of the events in the database (Steele, 2013).
In order to use Snort, the Snort.conf file has to be changed. The rule path, the dynamic
engine and the dynamic preprocessors all need to be changed to "D:\Snort\rules". Figure 13
shows Snort running on all three Windows VMs. After configuring the Snort.conf file according
to the instructions on the WINSNORT website, it was successfully tested one last time to ensure
that it completed successfully.
Figure 13. Final execution of Snort using the command d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l
d:\winids\snort\log -i 1 -T.
The next step following the installation of the php.ini file and making the necessary
changes to the php.ini file using Notepad2 was to open the iis.msc file through the command
line. In the iis.msc GUI interface, the Sites file was expanded and the Handler mappings were
opened by the investigator. Under the Add Script Map, the request path, the Executable and the
Name dialog boxes were filled out and are displayed in Figure 14.
Figure 14. Setup of the IIS Manager in Windows. This figure displays the path, executable and the name of the IIS Manager.
After the IIS Manager was changed to PHP, it was reset and restarted. The
"http://winids/test.php" file was then opened to verify that all of the required paths were correct.
These paths were the "d:\winids\php\php.ini", "d:\winids\php", "d:\winids\php\pear" and the
"c:\windows\temp files". When the test was completed, the
"d:\winids\inetpub\wwwroot\test.php" file was deleted. Snort was then added to the Windows
Services Database as shown in Figure 15 for all three Windows VMs.
Figure 15. Installation of Snort as a Service. The /SERVICE /INSTALL command is displayed, indicating Snort was successfully added to the
registry and local machine.
The PostgreSQL Database server was started and the databases for the Windows
IDS were created. The WINSNORT guided install has the commands used to create the databases. The
command listed was “create database snort;” (Steele, 2013). The final three steps were to
configure the Barnyard2.conf file, set Barnyard2 to auto-run and run the WinIDS security
console. Barnyard2 is used to display the information collected using Snort and PostgreSQL in
the host, WinIDS Home. This last step was completed by opening a browser and typing
“http://winids” in the URL. The Barnyard2 console was started immediately on reboot and works
with Snort to display the incoming traffic on the "http://winids" URL. Figure 16 shows
Barnyard2 console after reboot.
Figure 16. Barnyard2 after reboot in finalizing the WINSNORT IDS.
Three different viruses were installed to demonstrate how WINSNORT could be used in
conjunction with an Antivirus to protect a system. Some of the Event IDs were identified in
conjunction with a virus installed on the test systems. This was to educate other investigators
on what exact Event IDs to look for when the defense has stated, “a virus did it,” also known as the
"Trojan defense." The investigator conducted an examination of the images taken with Mandiant
and the event logs viewed in the Evtx_view tool.
Whitelists and Blacklists
As part of the research process Event IDs were loaded into the Whitelist and the Blacklist
on the VMs during the WINSNORT Installation. However, these logs were also collected and
viewed using the Event Viewer third party tool. A Whitelist identifies items that are not
forbidden and has multiple uses; most commonly whitelists are known for use with valid domain
names, authorized websites and a list of applications a user is authorized to run in an
organization (PC Magazine, 2013). In contrast, an Application Whitelist looks for applications
that have been blocked from execution, meaning they will be drawn to an analyst's attention
(National Security Agency, 2013, p. 28). A Blacklist is commonly associated with a list of email
addresses or domains of known spammers, applications that a user is forbidden to run and
websites that are off limits or considered dangerous (PC Magazine, 2013). Again in contrast,
black listed applications or events are items that the analyst wishes to ignore.
Whitelist Event IDs that are automatically collected are 1001, 64004, 2, 5, 4688, 4697,
4698, 4624 and 4625 and system 7034 to name a few. Some of these Event IDs were listed in the
log files collected from all three VMs. Event ID 7034 is created when a virus protection program
is terminated unexpectedly. Event ID 4697 was created when a new service was installed. This
occurred after the viruses were installed and again when Snort was added as a service. The
default Whitelist was used in the WINSNORT setup.
Blacklist events are events the analyst does not want to collect or be notified about. They
are identifiable as Event ID numbers like 5156-5157 (Microsoft, 2013) or as URLs. These events
appear when a firewall acceptance or denial takes place in the Security log. Other items which
may be included on a Blacklist are specific IP addresses and URLs known to install viruses on a
system. Due to the large amount of traffic through a firewall, maintaining a log would be far too
costly in terms of expense and data space to be either sustainable or reasonable. Accordingly,
were a log to be maintained, the return on investment does not justify the expense of time in
review for events having a nominal impact on a report resulting from digital forensic analysis.
The Blacklist from Snort, for example, listed over 2000 lines of website URLs that were blocked
by WINSNORT. Blacklists reduce the amount of data that a forensic analyst would be required
to examine.
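As an added example (not code from the capstone or from WINSNORT), the following Python script reads event records exported with wevtutil in XML form, drops the blacklisted firewall IDs 5156-5157, counts the whitelisted IDs per log, and flags a 4624 logon whose SubjectUserSid is S-1-5-18 and a 4688 process whose name imitates a common system process (the misspelled-name check mentioned later in the Discussion of Findings). The sample records, the common-process list and the 0.85 similarity threshold are assumptions of this example.

```python
"""Added example (not the capstone's or WINSNORT's code): triage exported Windows
event log XML against an Event ID whitelist and blacklist. Assumes records shaped
like `wevtutil qe <Log> /f:xml` output inside a root element; all records are constructed."""
import difflib
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# IDs the analyst wants surfaced: the default whitelist named in the text plus
# 4672 and 4907, which the research saw alongside the virus activity.
WHITELIST = {1, 2, 5, 1000, 1001, 1002, 1003, 1004, 4097, 4624, 4625, 4672,
             4688, 4697, 4698, 4907, 7034, 64004}
BLACKLIST = {5156, 5157}  # firewall permit/deny noise the analyst ignores
MEANING = {  # short descriptions taken from the text
    5: "antivirus detection", 1000: "application error", 1004: "application error",
    4624: "logon", 4625: "failed logon", 4672: "special privileges assigned",
    4688: "new process created", 4697: "new service installed",
    4698: "scheduled task created", 4907: "auditing settings changed",
    7034: "service terminated unexpectedly",
}
LOCAL_SYSTEM_SID = "S-1-5-18"  # OS service account SID discussed in the text
COMMON_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "explorer.exe", "services.exe"}  # assumed watch list


def _rec(eid, channel, time, **data):
    """Build one constructed <Event> record in the exported-XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Channel>{channel}</Channel><TimeCreated SystemTime="{time}"/>'
            f'</System><EventData>{fields}</EventData></Event>')


SAMPLE_XML = "<Events>" + "".join([  # constructed sample records
    _rec(4624, "Security", "2013-11-02T10:15:00Z", SubjectUserSid="S-1-5-18", LogonType="5"),
    _rec(4672, "Security", "2013-11-02T10:15:00Z", SubjectUserSid="S-1-5-18"),
    _rec(5156, "Security", "2013-11-02T10:15:01Z", Application="System"),
    _rec(5157, "Security", "2013-11-02T10:15:02Z", Application="System"),
    _rec(4907, "Security", "2013-11-02T10:16:00Z", SubjectUserSid="S-1-5-18"),
    _rec(4907, "Security", "2013-11-02T10:16:01Z", SubjectUserSid="S-1-5-18"),
    _rec(4688, "Security", "2013-11-02T10:17:00Z", NewProcessName=r"C:\Windows\svch0st.exe"),
    _rec(4697, "Security", "2013-11-02T10:18:00Z", ServiceName="snort"),
    _rec(1000, "Application", "2013-11-02T10:19:00Z", Data="sample.exe"),
    _rec(7034, "System", "2013-11-02T10:20:00Z", param1="Antivirus service"),
    _rec(4634, "Security", "2013-11-02T10:21:00Z", TargetUserSid="S-1-5-18"),
]) + "</Events>"


def parse_events(xml_text):
    """Return [{id, channel, time, data}] for each <Event> in the export."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(system.find("e:EventID", NS).text),
            "channel": system.find("e:Channel", NS).text,
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "data": data,
        })
    return events


def lookalike_process(path):
    """Return the common process name a basename imitates (e.g. svch0st.exe), else None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for common in COMMON_PROCESSES:
        if name != common and difflib.SequenceMatcher(None, name, common).ratio() >= 0.85:
            return common
    return None


def triage(events):
    """Drop blacklisted IDs, count whitelisted IDs per log, flag notable records."""
    counts, flags, dropped = Counter(), [], 0
    for ev in events:
        eid = ev["id"]
        if eid in BLACKLIST:
            dropped += 1
            continue
        if eid not in WHITELIST:
            continue
        counts[(ev["channel"], eid)] += 1
        note = MEANING.get(eid, "whitelisted")
        if eid == 4624 and ev["data"].get("SubjectUserSid") == LOCAL_SYSTEM_SID:
            note += " by the OS service account S-1-5-18 (LocalSystem)"
        if eid == 4688:
            twin = lookalike_process(ev["data"].get("NewProcessName", ""))
            if twin:
                note += f"; process name imitates {twin}"
        flags.append((ev["time"], ev["channel"], eid, note))
    return {"counts": dict(counts), "flags": flags, "dropped": dropped}


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_XML))
    for time, channel, eid, note in result["flags"]:
        print(time, channel, eid, note)
    print(result["counts"], "| dropped:", result["dropped"])
```

To use it on a real export, replace SAMPLE_XML with the contents of a file produced by wevtutil and wrap the records in a single root element.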
Discussion of Findings
In litigation, hackers may attempt to evade prosecution or establish innocence by alleging
that a virus, not of their creation, was responsible for the acts of which they are accused.
Event IDs may be used to mitigate or negate such defenses altogether. When considering viruses,
it’s worth exploring how a virus could be obtained without first party direction from any one
individual and the nature of viruses as it pertains to Event IDs.
Viruses generally slow a computer down and can provide a means for nefarious hackers
to steal a user’s identity. Steps can be taken to safeguard against most computer virus infections,
such as maintaining the most current version of an OS, utilizing an anti-virus and anti-malware
application, which also requires regular updates, and enabling security features of the internet
browser. Computer users are barraged with safety tips, software, and tricks in the interest of
protecting themselves, their information, and the integrity of their systems nearly every time they
log into a browser. Unfortunately, some of the more basic protections afforded by maintaining a
current version of the OS are often unavailable either due to a willful disregard for the prompts
provided by the OS to update or because users are unsure the process to do so. Users may not
understand the impact neglecting such simple security measures could have on their systems.
Leaving systems vulnerable may enable hackers to break into a computer or a computer network.
Hackers look for systems that have not been updated so they can take advantage of that
vulnerability. Once inside a system, a hacker might steal valuable personal information, security
information, or seize control of a system to spread other viruses or malware. Many types of
viruses and malware exist to seek out such opportunistic machines, which may not be the work
product of a hacker being prosecuted.
Research referenced herein was conducted to document, for investigators, some of the
Event IDs that should be identified and further scrutinized in an investigation. This is especially
important in cases where the defendant is claiming the computer was infected with a virus and
was used to perpetrate a crime by another person. The methodology and testing were designed to
identify and test some of the free tools investigators may employ. The steps delineated in the
research documented various means of collecting event logs and best practices investigators use
today.
The tools used were the Event Log viewer within Microsoft’s Windows OS, the
EventLog Viewer tool created by TZ Works, Mandiant’s Redline Tool and Michael E. Steele’s
WINSNORT with PostgreSQL. These tools were used on three virtual machines; one Windows 7
x64, one Windows 7 x32 and one Windows Server 2008 R2. The Antivirus tools used were
Avast Home, Spybot and McAfee.
There were some glaring discrepancies identified throughout this research project. One of
the most difficult to overcome was the need for clearer indications as to why a particular event
ID shows up in application and security logs. Digital forensic investigators are not trained to
identify what these events mean or why they occur in the first place. The network administrators
that were consulted during this project also did not have clear explanations of why certain Event
IDs occur and only referred to Microsoft’s technical websites. Network administrators look
specifically to see what events occur on their network that are normal, called setting a baseline,
then rely on IDS tools to tell them when something is abnormal, deviates from the baseline, or
both.
Network administrators normally do not examine traffic to determine if they are receiving
a DDoS or a DoS when they are having network issues. The first step is usually to assess the
physical network, the Firewall and the IDS tools. The Networking and Security book, under the
"Monitoring the Performance of your Network" section states, “Some of these tools will notify
the network administrators about slowdowns, overloaded servers and other signs of trouble
before they affect staff and patrons” (Techsoup, 2013). Larger organizations may not deploy
network administrators to examine these types of logs at satellite locations. These services are
often provided by regionalized offices. It is standard practice that an organization would have
proxy servers that control all traffic before an outside connection is linked to their public facing
website.
Chad Steel identified the Event IDs 1000 to 1004 in his textbook as a possible link
indicating a virus has been installed on a system (Steel, 2006, pp. 247-270). Beyond Steel's
assertions, this research identified that Event ID 5 was generated when a virus had been installed.
Event ID 5 populated the application log and was generated by antivirus software when the virus
was detected on the system. During the baseline phase of each Windows VM, Microsoft’s
Windows Defender was automatically installed and updated. This event may have been
identified by Windows Defender since there was no antivirus software installed on the images at
that time. Event ID 4097 may indicate when a hacking attempt has been made. This has been
known to occur with the Dr. Watson virus but also showed up with Fizzer, Zeus and MyDoom.
This event ID was prevalent after the three viruses were installed on each of the VMs.
This research was able to corroborate that event ID 1000-1004 populates in the event logs
when a virus has been installed on a system, as Steel indicated. The 1000-1004 event IDs did not
populate until after the virus was introduced to the systems. These events were also verified in
the NSAs report, published in 2013, concerning the use of Windows event logs to spot the
adversary (National Security Agency, 2013).
The Security logs record when a system has been successfully logged on or off. It will
log when a user created, modified or deleted a file. If the user attempted to access a resource, but
did not have access, the log will display an Audit Fail message (Microsoft, 2013). This event log
may be used to corroborate that a virus attempted to determine the administrator
username and password using a dictionary or brute force attack.
According to Microsoft’s TechNet website, the 5148 and 5149 events are only seen on
Windows Server 2008 R2 and newer Windows Servers (Microsoft, 2013). During this research,
no server was set up outside of the firewall, which may explain why these two Event IDs did not
appear. The research also did not use a proxy server. A proxy server is used by security
researchers, criminals and some tech savvy home users for privacy and security. Proxy servers
are point to point connections. When used with a corporation's VPN, users are often connecting to
their internal networks via a tunnel through a proxy. Proxy servers strip the originating address.
Whether you use a VPN, which relies on a protocol like PPTP to encapsulate your
packets securely, an SSL proxy, a Socks proxy, or even a simple web gateway (which
doesn't actually provide you with any encryption) they all have a couple of features that
are similar. The basic principle is that the server is relaying those packets for you, and
stripping the originating address. Instead of your own IP address, they only see the proxy
servers. That also means if you connect using the previous example, instead of thinking
you're in Seattle, every site you connect to will think you're sitting right there in the
Dallas corporate office. (Lambert, Patrick, 2012, p. 1)
Without a proxy server, it is possible that Event IDs 5148 and 5149 did not appear
because the Internet was connected through a public ISP. The firewall provided by the
ISP and their proxy servers might have blocked the attempted DoS attacks. Further research is
required to determine what conditions invoke 5148 and 5149 IDs.
Event IDs are a crucial tool in forensic analysis. More documentation and research is
necessary to understand the extent to which these IDs may be used in evaluating forensic
information. The lack of examiners to handle the investigations and the research limits the
resources to test and document all Event IDs. Forensic investigators generally go from one case
to another without being able to share their findings with the community. The failure to
document means the case details are eventually forgotten, leaving a knowledge gap in the
community, highlighting the need for improved documentation practices and peer-to-peer
education within the profession.
Microsoft is a for-profit company providing software and Internet resources for business
and academic professionals in Information Technology. However, the company is not able to
share all of the Event IDs and the purpose behind each because some information is proprietary.
This means digital forensic investigators need to share their own knowledge with the rest of the
community. Two key Event IDs that need to be further examined are 4688 and 592. Both event
IDs identify when a new process has been created. Investigators should always look for a
common process name that is misspelled as this can be a malicious program (Anthony, 2013).
During this research no common processes were found to be misspelled.
Each VM's hard disk in this research was 60 GB, and it took a
significant amount of time to collect the images for each machine. Once the images were
collected, the examiner used Mandiant tools to examine the contents of the images, looking for
signs of the viruses being downloaded and installed. The virus files were downloaded using Tor
Browser and purposely installed for testing. During the research, prior to
downloading the viruses or using the VMs, an unplanned drive-by infection was received on the
host system that was immediately quarantined by Norton. A drive-by infection is a web-based
malware attack that occurs without the user knowing it has happened (Levinson, 2012). This
drive-by was received from a website while seeking the Fizzer virus and provided another
example of why it is important to keep antivirus software updated during the research process.
Mandiant Redline was used to collect the images of the VMs for examination by the
investigator. Redline has to be placed on the desktop of the system the investigator is examining.
This requirement caused a change to the machine during the analysis process, which is
acceptable in a court of law, as long as the investigator articulates in the report what changed and
why it was necessary. In fact, it is a common practice during a live analysis. The Mandiant guide
was consulted several times during the research and was deemed a good resource for guiding a
digital forensic investigator who might be using the software for the first time.
Although Redline was used to collect and examine the images, it failed to collect the
event logs requested. The collection tool has an Advanced Settings section that is required to identify the path
to the event logs. The file paths were correctly identified and inserted into the tool. However, the
event logs were missing and due to time constraints, an alternative tool was used to examine the
event logs. The viruses were located using Mandiant by looking at the “Downloads” file in each
image. This was the proper location where the viruses had been placed by the investigator during
the set up phase of the research.
WINSNORT was set up in each of the systems; however, initially viewing the results was
unsuccessful in the WinIDS tool due to the registry changes that had extra symbols inserted in
the location files. Following personal communications with the WINSNORT developer who
viewed the configuration logs and the screenshots, it was determined that there were extra
symbols in the final setup of Barnyard2. The WINSNORT developer also identified the name
and location of the required files which had previously resulted in the local http://winids security
console failure. This was corrected by returning to a previous snapshot and reinstalling
WINSNORT using the Windows Server 2008 and Windows 7 (Steele, 2013). The http://winids
local file then correctly displayed the output from Snort and PostgreSQL.
Antivirus tools are not perfect and can be easily defeated by well written programming
code. When Fizzer was installed, it looked for any processes that had NAV, SCAN, AVP,
TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS and NMAIN and attempted to end the
processes (Liu, 2003). These processes are all associated with antivirus tools. When Fizzer was
installed, there was no antivirus installed on the systems so it did not find those processes. The
Fizzer virus did attempt to talk to irc.awesomechat.net but was unsuccessful because the VM
was not connected to a network. This was verified in the image of the VM collected with
Mandiant.
The research of this paper was conducted to analyze Microsoft Windows event logs for
artifacts that may be pertinent to an investigation. Throughout the research, examples were
offered of how investigators can use Windows event logs in forensic investigations. Three
viruses were obtained and installed and the event logs analyzed to demonstrate how investigators
should approach the various types of breaches when collecting data from Windows event logs. In
all methodology and testing, best practices were followed and illustrated for analyzing
Windows event logs.
Future Research Recommendations
This research analyzed several Windows event logs for artifacts that can assist
investigators in halting an attack or identifying an insider threat. Demonstration models were
created to illustrate the various breaches that might require a forensic examination and how an
investigator might use event logs during the course of an investigation. The research identified
and discussed the best practices to follow when faced with certain types of breaches or threats.
Finally, the research suggested and demonstrated techniques for efficiently parsing log data.
Several other aspects of using event logs to aid an investigation should be explored.
Digital forensic analysts typically do not view event logs on a server unless they happen
to be responding to a request by a corporation that complains of a hacking incident. This research
corroborated that Event IDs 1000-1004 do populate in the Application logs when a virus has
been installed. However, two Event IDs, 5148 and 5149, were not observed during the
research. These Event IDs indicate that a DoS has started and stopped respectively (Microsoft,
2013). After repeated attempts to invoke 5148 and 5149, further research indicated that the
Windows Server 2008 VM setup would not have provided the logging of those events. Most of
the logs showed an attack after a virus had been installed; this was not true for the DoS events,
which only occur under certain server setups.
Due to research time constraints, the specific server set up for capturing the DoS Event
IDs 5148 and 5149 should be further investigated, the proper server conditions set, and the
events invoked, in a testing methodology similar to this research. Once the server is set up to
include Windows Defender and install the virus, the investigator would need to document what
Event IDs populate. Brief research has indicated that the server should be networked internally
with at least one client. In addition, it is likely these Event IDs will appear on the proxy server
and not the public facing server. Time constraints did not allow for setting up the proxy server
logs to populate in a log collection server. According to PC Magazine’s Encyclopedia, a
definition of a Proxy Server is:
A Proxy Server is a computer system or router that breaks the connection between sender
and receiver. Functioning as a relay between client and server, proxy servers help prevent
an attacker from invading a private network and are one of several tools used to build a
firewall. (PC Magazine, 2013, para. 1)
One minor difficulty experienced during this research was with the Mandiant Redline
program. The program requires the exact location of the event logs being collected to be
configured in the collection tool's Advanced Settings. The logs were not successfully collected
with the image. A second tool was employed to complete the analysis. It would be beneficial to
have a single open source tool to collect the image as well as the event logs. Open source tools
afford investigators on a budget the opportunity to complete the same tasks that can be
accomplished using commercial software such as EnCase and FTK. Open source tools also
provide an opportunity for improved collaboration across the profession which could result in
better, more specialized tools, than closed source commercial tools. Mandiant's guide for Redline
was fairly helpful. However, it did not explain that the collection tool had to be dropped on the
desktop of the system the image is being collected from, a key step in the collection process.
While this seems a simple issue to overcome, the lack of this critical detail increased the research
time. Most investigators are working under time constraints and would benefit from complete
and thorough instructions. It is recommended that Mandiant include this detail in the
instructions.
The NSA’s 2013 report Spotting the Adversary with Windows Event Log Monitoring is
another resource to consult when setting up the server. By the time this resource was discovered,
there was no time to fully implement this guide during this research. Had the report been
discovered early in the initial research, the directions beginning on page 4 of the NSA report
would have been followed to set up the testing environment. One server should be set up to be
the event log collector in a local subnet. This is to avoid confusion and security related concerns
(National Security Agency, 2013, p. 4).
Another means of testing that could have been employed in this research process would
be to set up a penetration testing lab. A good source to start with is the Rapid7 network
penetration lab (Kirsch, 2013). Rapid7 describes how to set up a penetration lab and recommends
what services need to be running on each virtual system.
There is information on Windows events available via Microsoft web sites and other
resources on the Internet, but very little explains how they can be used in a digital investigation.
A third recommendation to further the objectives of this research would be to create a list of all
Event IDs that would be pertinent to a digital forensic investigation. One way this can be done is
to identify every known event ID that shows a virus was installed, what the event ID is, how it
was created and determine what other events occur in tandem with those already known. This
would benefit all examiners.
During this research the vague descriptions of the Event IDs on the Microsoft website
increased the amount of time required to determine what invokes the Event ID and what it
means. Microsoft will tell the IT professional that a particular event ID can be fixed and how to
fix it. However, it doesn’t necessarily explain what invokes the Event ID. Further research
describing why a particular event is important to the investigation of a network or an individual’s
home system will go a long way to narrow the scope of an investigation. Microsoft has an event
log description Excel spreadsheet that can be used as a starting point (Microsoft, 2013). One
series of events that would be beneficial to the digital forensic community is 5063-5070. These
events are related to cryptographic context, function and modification. This would be useful
when looking for evidence of files that have been encrypted and can help corroborate when those
files were encrypted.
SANS published an Intrusion Discovery Cheat Sheet that can be used when trying to
determine if any registry files were changed (SANS Institute, 2013). Viruses can be installed
with the intent to check the registry files to determine if anything has changed after installation.
As identified earlier, Event IDs can denote the installation of a virus, as when any new
service is installed or task scheduled, which populates Event ID 4697 or 4698.
The event ID 4624 is a log-on event and one of the security identifiers (SID) is S-1-5-18
which is associated with a service account used by the OS (Microsoft, 2013). A random check of
another identified SID was S-1-0-0 which is associated with a “nobody” group (Microsoft,
2013). The SID will also display when an approved user of a system has logged in or it can be
used to help identify a hacker has logged in using elevated privileges. Event ID 4624 can be
hacked using an authentication bypass allowing a perpetrator the ability to hide their presence by
appearing as a “system” logon (clymb3r, 2013). Cisco defines an authentication bypass under
Ramifications of Successful SQL Injection Attacks, as an attack that “allows an attacker to log on
to an application, potentially with administrative privileges, without supplying a valid username
and password” (Cisco, 2013). Further research in SQL Injections that allow hackers to access
data from networked servers would help the digital forensic community to know what to look for
when responding to an organization.
WINSNORT made use of Blacklists and Whitelists to find any changes in the System,
Security and Application event logs. These Blacklists and Whitelists were pulled from
WINSNORT. It is possible that the research would have made a better use of the WINSNORT
tool if a custom list was created. Another means of educating the forensic investigator would be
to examine how a custom list is created and then used in a digital forensic exam.
This research analyzed Microsoft Windows event logs for artifacts in an investigation and
examined how investigators can use the event logs. One of the approaches used in this research
was to install viruses and examine the event logs for the changes made after installation. Best
practices for detecting, collecting, and analyzing Windows event logs were utilized and explained.
The open source IDS tool WINSNORT was used to identify the Event IDs pertaining to breaches by
means of a whitelist and a blacklist. Event IDs were examined by number and researched to help
determine which events should be examined further when a defendant claims that a virus is
responsible for a criminal act. Event IDs are often overlooked due to a lack of training and
understanding. This research provides an initial knowledge base by identifying the factors that
trigger virus-related Event IDs, adding to the body of research on this crucial topic in today's
malware-rich computing environments. Recommendations were compiled to suggest further
research and to define clearly the limits and difficulties encountered during this research.
Contributing to the body of research on Event IDs gives future analysts a resource with which to
capitalize on this potential goldmine of evidence that is so often overlooked.
Appendix

Event ID   Description                           Event Log
1000       Application Error                     Application
1002       Application Hang                      Application
1000       BSOD, WER                             System
1001       Informational and BSOD                System
1          EMET Warning                          Application
2          EMET Error                            Application
1003       BSOD                                  Application
1004       Application Error                     Application
4097       WER Informational                     Application
7000       Windows Service Fails or Crashes      System
7001       Windows Service Fails or Crashes      System
7022       Windows Service Fails or Crashes      System
7023       Windows Service Fails or Crashes      System
7024       Windows Service Fails or Crashes      System
7026       Windows Service Fails or Crashes      System
7031       Windows Service Fails or Crashes      System
7032       Windows Service Fails or Crashes      System
7034       Windows Service Fails or Crashes      System
20         Windows Update Failed                 System
25         Windows Update Failed                 System; Microsoft-Windows-WindowsUpdateClient/Operational
31         Windows Update Failed                 Microsoft-Windows-WindowsUpdateClient/Operational
1009       Hotpatching Failed                    Setup
10016      DCOM Invalid Permission               System
11708      MSI Installation Failed               Application
11923      MSI Installation Failed               Application
2004       Firewall Rule Add                     Microsoft-Windows-Firewall with Advanced Security/Firewall
2005       Firewall Rule Change                  Microsoft-Windows-Firewall with Advanced Security/Firewall
2006       Firewall Rules Deleted                Microsoft-Windows-Firewall with Advanced Security/Firewall
2033       Firewall Rules Deleted                Microsoft-Windows-Firewall with Advanced Security/Firewall
2009       Firewall Failed to Load Group Policy  Microsoft-Windows-Firewall with Advanced Security/Firewall

References
Allinson, C. (2001). Information Systems Audit Trails in Legal Proceedings as Evidence.
Computers & Security Vol. 20, No.5, pp. 409-421.
Amari, K. (2009, March 26). Techniques and Tools for Recovering and Analyzing Data from
Volatile Memory. Retrieved September 2, 2013, from SANS.org: http://computerforensics.sans.org/community/papers/gcfa/techniques-tools-recovering-analyzing-datavolatile-memory_3609
Anderson, J. (1972). Computer Security Technology Planning Study. Fort Washington: James P.
Anderson Company. Retrieved October 6, 2013, from
http://seclab.cs.ucdavis.edu/projects/history/papers/ande72a.pdf
Anderson, J. (1980). Computer Security Threat Monitoring and Surveillance (Vol. 17). Fort
Washington: James P. Anderson Company. Retrieved October 6, 2013, from
http://seclab.cs.ucdavis.edu/projects/history/seminal.html
Anson, S., & Bunting, S. (2007). Mastering Windows Network Forensics and Investigations.
Indianapolis: Wiley Publishing, Inc.
Anthony, R. (2013, June 19). Detecting Security Incidents Windows Workstation Event Logs.
Retrieved from Sans.org: http://www.sans.org/readingroom/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs34262
Avast. (2013, November 4). Avast 2014. Retrieved from Avast.com: http://www.avast.com/enus/lp-ppc-paid-01?cha=ppc&sen=google&ste=avast&var=28794671656&omcid=ENUS_Search_Brand&gclid=COqXg93by7oCFSdp7AodbQQAMg
Bem, D., Feld, F., Huebner, E., & Bem, O. (2008). Computer Forensics - Past, Present and
Future. Journal of Information Science and Technology, 43-59.
Brown, C. L. (2006). Computer Evidence Collection and Preservation. Hingham: Charles River
Media, Inc.
Byrne, Z., Howe, A., Ray, I., Roberts, M., & Urbanska, M. (2012). The Psychology of Security
for the Home Computer User. 2012 IEEE Symposium on Security and Privacy, 210-223.
Carrier, B., & Grand, J. (2004). A Hardware-Based Memory Acquisition Procedure for Digital
Investigations. Journal of Digital Investigations, 57-59.
Carrier, B. (2003). Defining Digital Forensic Examination and Analysis Tools Using Abstraction
Layers. International Journal of Digital Evidence, Winter 2003, Volume 1, Issue 4, 1-12.
Carvey, H. (2009). Windows Forensic Analysis. Burlington: Syngress Publishing, Inc.
CBS News. (2010, February 23). 11 Indicted In Largest ID Theft Case Ever. Retrieved from
CBSNews.com: http://www.cbsnews.com/8301-205_162-4323211.html
Christian, L., Mitchell, A., & Rosenstiel, T. (2012). The State of the News Media 2012.
Washington DC: Pew Research Center. Retrieved September 10, 2013, from
http://stateofthemedia.org/files/2012/03/PEJ-Mobile-Devices-and-News-Topline.pdf
Cisco. (2005, Feb 17). IPS Signatures. Retrieved from tools.cisco.com:
http://tools.cisco.com/security/center/mviewIpsSignature.x?signatureId=3135&signatureSubId=6&softwareVersion=5.1&releaseVersion=S145
Cloppert, M. (2009, July 22). Security Intelligence: Introduction (pt 1). Retrieved from Sans.org:
http://computer-forensics.sans.org/blog/2009/07/22/security-intelligence-introduction-pt1
clymb3r. (2013, November 17). Injecting Logon Credentials with Powershell. Retrieved from
Wordpress.com: http://clymb3r.wordpress.com/
Conly, C. (1989, July). Organizing for Computer Crime Investigation and Prosecution. Issues
and Practices in Criminal Justice, pp. 1-121.
Conz, N. (2009, December 10). Microsoft and Temenos Partner on Core Banking. Retrieved
from Banktech.com: http://www.banktech.com/core-systems/microsoft-and-temenospartner-on-core-ba/222001538
Cummings, R. (2008, November-December). Computer Forensics Detecting, Analyzing, and
Reporting on Evidentiary Artifacts Found in Computer Physical Memory. Evidence
Technology Magazine, Volume 6, p. Number 6. Retrieved from Technology Magazine.
Department of Justice. (2008, August 5). Retail Hacking Ring Charged for Stealing and
Distributing Credit and Debit Card Numbers from Major U.S. Retailers. Retrieved from
Justice.gov: http://www.justice.gov/opa/pr/2008/August/08-ag-689.html
Department of Justice. (2008, May 12). Hackers Indicted for Stealing Credit and Debit Card
Numbers from National Restaurant Chain. Retrieved from Justice.gov:
http://www.justice.gov/opa/pr/2008/May/08-crm-403.html
Division of Homeland Security and Emergency Services. (2013, October 8). Title 18. Crimes
and Criminal Procedure, Section 1029. Retrieved from Division of Homeland Security
and Emergency Services, New York: http://www.dhses.ny.gov/laws-policies/uslaw.cfm
Downloadviruss. (2012, May 11). Download Virus Email Worm x32 MyDoom. Retrieved from
Downloadviruss.Wordpress.com:
http://downloadviruss.wordpress.com/2012/05/11/download-virus-email-worm-win32mydoom-aa/
Efaw, K. (2013, November 2). Installing Snort 2.8.6.1 on Windows 7. Retrieved from Snort.org:
http://www.snort.org/assets/151/Installing_Snort_2.8.6.1_on_Windows_7.pdf
Endicott-Popovsky, B. F. (2007). A Theoretical Framework for Organizational Network Forensic
Readiness. Journal of Computers, VOL. 2, NO. 3, MAY, 1-11.
Endler, M. (2013, August 27). Windows 8.1 Released To Manufacturers. Retrieved August 28,
2013, from InformationWeek.com:
http://www.informationweek.com/software/windows8/windows-81-released-tomanufacturers/240160483?cid=NL_IWK_Daily_240160483&elq=a1be6fd88a6d428e906810103aaa000c
Feeley, J., & Van Voris, B. (2010, March 25). Hacker Gets 20 Years in Largest Identity-Theft
Case (Update2). Retrieved from Bloomberg.com:
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aCDo3co5A0Zk
Fitzgibbon, N., & Wood, M. (2009, April 1). Conficker C, A Technical Analysis. Retrieved from
Sophos.com:
http://www.sophos.com/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf
F-Secure. (2013, October 20). Worm:W32/Fizzer. Retrieved from F-Secure.com: http://www.fsecure.com/v-descs/fizzer.shtml
F-Secure. (2013, October 20). Worm:W32/Mydoom. Retrieved from F-Secure.com:
http://www.f-secure.com/v-descs/novarg.shtml
Garner, G., & Mora, R. (2005, August 1). DFRWS 2005 Forensic Challenge. Retrieved from
dfrws.org: http://www.dfrws.org/2005/challenge/
GMG Systems Inc. (2007). KnTTools with KnTList. Retrieved from GMG Systems, INC:
http://www.gmgsystemsinc.com/knttools/
Goodin, D. (2012, November 29). Tor operator charged for child porn transmitted over his
servers. Retrieved from arstechnica.com: http://arstechnica.com/tech-policy/2012/11/toroperator-charged-for-child-porn-transmitted-over-his-servers/
Greenberg, Adam. (2013, September 11). Housing Wait List Posted Online Contained Personal
Data. Retrieved from SC Magazine.com: http://www.scmagazine.com/housing-wait-listposted-online-contained-personal-data/article/311253/
Grimes, R. A. (2012, October 16). 5 Signs You've Been Hit with an Advance Persistent Threat.
Retrieved from Infoworld.com: http://www.infoworld.com/d/security/5-signs-youvebeen-hit-advanced-persistent-threat-204941
Hachman, Mark. (2013, July 1). Windows 8 finally passes Vista in OS market share. Retrieved
from PCWorld.com: http://www.pcworld.com/article/2043390/windows-8-finally-passesvista-in-os-market-share.html
Harris, S., Harper, A., Eagle, C., & Ness, J. (2008). Gray Hat Hacking: The Ethical Hacker's
Handbook, Second Edition. United States of America: McGraw-Hill.
IRC Help. (2013, November 18). IRCHelp. Retrieved from irchelp.org: http://www.irchelp.org/
ISACA. (2010). IT Audit Assurance Guidance. Rolling Meadows: ISACA.org.
ISACA. (2013, October 17). ISACA. Retrieved from ISACA.org:
https://www.isaca.org/Pages/default.aspx
Janssen, Cory. (2013, September 3). Network Forensics Definition. Retrieved from
Techopedia.com: http://www.techopedia.com/definition/16122/network-forensics
Jordan, T. T. (1998). A Sociology of Hackers. A Sociological Review, 757-780.
Kaspersky. (2003, May 12). Fizzer - A Multi-threat Worm That Attacks Via E-mail and KaZaA.
Retrieved from Kaspersky.com: http://www.kaspersky.com/news.html?id=977151
Kaspersky. (2012, December 10). Kaspersky Security Bulletin 2012. The overall statistics for
2012. Retrieved from Securelist.com:
http://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012#9
Kaspersky. (2012). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Moscow:
Kaspersky.
Kirsch, C. (2013, September 26). How to Set up a Penetration Testing Lab. Retrieved from
Rapid7.com: https://community.rapid7.com/docs/DOC-2196
Krebs, B. (2010, September 28). Fake LinkedIn Invites Leads to Zeus Trojan. Retrieved from
krebsonsecurity: http://krebsonsecurity.com/2010/09/fake-linkedin-invite-leads-to-zeustrojan/
Krebs, B. (2013, November 1). How to Avoid Cryptolocker Ransomware. Retrieved from Krebs
On Security: http://krebsonsecurity.com/
Krisher, T. (2013, September 3). Associated Press - Hackers find weaknesses in Car Computers.
Retrieved from News, MSN.com, Science and Technology: http://news.msn.com/sciencetechnology/hackers-find-weaknesses-in-car-computer-systems
Lambert, P. (2013, June 28). Everything you need to know about using TOR. Retrieved from
TechRepublic: http://www.techrepublic.com/blog/it-security/everything-you-need-toknow-about-using-tor/
Lambert, Patrick. (2012, December 4). The Basics of Using a Proxy Server for Privacy and
Security. Retrieved from Techrepublic.com: http://www.techrepublic.com/blog/itsecurity/the-basics-of-using-a-proxy-server-for-privacy-and-security/
Levinson, M. (2012, February 13). Six Ways to Prevent Drive-by Download Malware Attacks.
Retrieved from TechWorld.com: http://features.techworld.com/security/3336877/sixways-to-prevent-drive-by-download-malware-attacks/
Linksys. (2013, November 2). High Performance Wireless-N Router (E3000). Retrieved from
Support.Linksys.com: http://support.linksys.com/en-us/support/routers/E3000
Malware Domain List. (2013, October 24). Malware Domain List. Retrieved from malwaredomainlist.com:
http://www.malwaredomainlist.com/mdl.php
Liu, Y. (2003, May 8). W32.HLLW.Fizzer@mm. Retrieved from Symantec.com:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-050821-031699&tabid=2
Mandiant. (2013, February 18). APT1, Exposing One of China's Cyber Espionage Units.
Retrieved from Mandiant.com:
http://intelreport.mandiant.com/?gclid=CMDgqojKw7kCFeHm7AodDBwAeg
McAfee. (2013, November 4). Safe is a Privilege, Not a Right. Retrieved from McAfee.com:
http://www.mcafee.com/us/
Menga, R. (2008, June 27). Why Use Windows? Retrieved from PCMech:
http://www.pcmech.com/article/why-use-windows/
Microsoft. (2007, August 15). Downloading Internet Explorer for a different operating system.
Retrieved from Support.Microsoft.com: http://support.microsoft.com/kb/174680
Microsoft. (2012, November 8). Net TCP/IP Cmdlets in Windows PowerShell. Retrieved from
technet.microsoft.com: http://technet.microsoft.com/en-us/library/hh826123.aspx
Microsoft. (2013, September 13). A History of Windows, Highlights From the First 25 Years.
Retrieved from Windows Microsoft.com: http://windows.microsoft.com/enus/windows/history
Microsoft. (2013, November 11). All the Application event logs are unexpectedly deleted when
you clear the MSDSS. Retrieved from Support.Microsoft.com:
http://support.microsoft.com/kb/906516
Microsoft. (2013, November 11). Audit Audit Policy Change. Retrieved from Technet.Microsoft:
http://technet.microsoft.com/en-us/library/dd772736(v=ws.10).aspx
Microsoft. (2013, November 21). Event ID 5148 — IIS Protocol Adapter Availability. Retrieved
from Technet.Microsoft.com: http://technet.microsoft.com/enus/library/dd349271(v=WS.10).aspx
Microsoft. (2013, October 16). Event Log. Retrieved from Technet.Microsoft.com:
http://technet.microsoft.com/en-us/library/cc722385(v=ws.10).aspx
Microsoft. (2013, September 21). Memory Limits for Windows Releases. Retrieved from
msdn.microsoft.com: http://msdn.microsoft.com/enus/library/windows/desktop/aa366778.aspx
Microsoft. (2013, October 28). Microsoft Windows User Profiles Service Event 1531. Retrieved
from Microsoft Technet:
http://social.technet.microsoft.com/wiki/contents/articles/12382.microsoft-windows-userprofiles-service-event-1531.aspx
Microsoft. (2013, November 25). Security Audit Events for Windows 7 and Windows Server
2008 R2. Retrieved from Microsoft.com: http://www.microsoft.com/enus/download/confirmation.aspx?id=21561
Microsoft. (2013, November 27). Security Audit Events for Windows 7 and Windows Server
2008 R2. Retrieved from Microsoft.com: http://www.microsoft.com/enus/download/details.aspx?id=21561
Microsoft. (2013, December 3). Well-known security identifiers in Windows operating systems.
Retrieved from Support.Microsoft.com: http://support.microsoft.com/kb/243330
Microsoft. (2013, November 13). What Is Deployment Image Servicing and Management?
Retrieved from Technet.Microsoft.com: http://technet.microsoft.com/enus/library/dd744566(v=ws.10).aspx
Microsoft. (2013, December 5). Windows Defender. Retrieved from Windows.Microsoft.com:
http://windows.microsoft.com/en-us/windows7/products/features/windows-defender
MIT. (2013, November 4). Software Patches & OS Updates. Retrieved from ist.mit.edu:
http://ist.mit.edu/security/patches
Moreno, J. (2013, November 14). Microsoft unveils state-of-the-art Cybercrime Center.
Retrieved from Komo News: http://www.komonews.com/news/business/Microsoftunveils-state-of-the-art-Cybercrime-Center-231995791.html
Murdock, S. (2013, July 30). Ronald Brown, Pedophile Puppeteer, Sentenced to 20 Years.
Retrieved from The Huffington Post: http://www.huffingtonpost.com/2013/07/30/ronaldbrown-child-porn_n_3676727.html
Narter, B., & Greer, S. (2012, March 27). Core Banking Solutions for Large Banks, A Global
Perspective. Retrieved from CELENT.com: http://www.celent.com/reports/core-bankingsolutions-midsize-and-large-banks-north-american-perspective-0
National Security Agency. (2013). Spotting the Adversary with Windows Event Log Monitoring.
Washington, D.C.: National Security Agency.
Nielsen Ratings. (2012, December 12). Nielsen Tops of 2012: Digital. Retrieved from
Nielsen.com: http://www.nielsen.com/us/en/newswire/2012/nielsen-tops-of-2012digital.html
Norton. (2013, October 20). Add Piece of Mind to your Business Plan. Retrieved from Norton:
https://buy.symantec.com/estore/clp/home
Operating System.org. (2013, August 21). List of Operating Systems. Retrieved September 2,
2013, from Operating System.org: http://www.operatingsystem.org/betriebssystem/_english/os-liste.htm
PaperCut. (2013, August 7). Knowledge Base. Retrieved from papercut.com:
http://www.papercut.com/kb/Main/HowToFilterTheWindowsEventLogByIPAddress
PC Magazine. (2013, December 5). Blacklist. Retrieved from PCMag.com:
http://www.pcmag.com/encyclopedia/term/38741/blacklist
PC Magazine. (2013, December 5). Encyclopedia. Retrieved from Pcmag.com:
http://www.pcmag.com/encyclopedia/term/54441/whitelist
PC Magazine. (2013, November 25). Encyclopedia. Retrieved from PCMag.com:
http://www.pcmag.com/encyclopedia/term/49892/proxy-server
PCMagazine. (2013, September 10). Encyclopedia. Retrieved from PCMag.com:
http://www.pcmag.com/encyclopedia/term/49892/proxy-server
Phrack. (2002, July 28). Handling the Interrupt Descriptor Table. Retrieved from Phrack.org:
http://www.phrack.org/issues.html?issue=59&id=4
PostgreSQL. (2013, November 10). Createdb. Retrieved from PostgreSQL.org:
http://www.postgresql.org/docs/current/static/app-createdb.html
Tor Project. (2013, November 2). Sponsors. Retrieved from TorProject.org:
https://www.torproject.org/about/sponsors.html.en
Tor Project. (2013, November 2). Tor Project Download. Retrieved from torproject.org:
https://www.torproject.org/download/download-easy.html.en
Tor Project. (2013, November 2). Tor Project: Overview. Retrieved from torproject.org:
https://www.torproject.org/about/overview.html.en
Quist, D., & Smith, V. (2013). Detecting the Presence of Virtual Machines Using the Local Data
Table. Atlanta: Offensive Computing.
Rouse, M. (2013, May). Definition distributed denial-of-service attack (DDoS). Retrieved from
Search Security: http://searchsecurity.techtarget.com/definition/distributed-denial-ofservice-attack
Safer Networking. (2013, November 4). Spybot, Search and Destroy. Retrieved from Safer
Networking.org: http://www.safer-networking.org/
SANS Institute. (2013, December 4). Intrusion Discovery Cheat Sheet. Retrieved from Sans.org:
http://www.sans.org/score/checklists/ID_Windows.pdf
Schwartz, M. J. (2013, September 3). Energy Department Updates Breach Count, Says 53,000
Affected. Retrieved from InformationWeek Security:
http://www.informationweek.com/security/attacks/energy-department-updates-breachcounts/240160706?cid=NL_IWK_Daily_240160706&elq=8a67bbcc11e842b5bac6f1c36316f124
Smith, Randy F. (2013, September 19). Windows Security Log Event ID 4624. Retrieved from
Ultimatewindowssecurity.com:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
Snort. (2013, October 20). Snort . Retrieved from Snort.org: http://www.snort.org/
Soong, Jennifer. (2008, June 6). When Addiction Takes Over Your Life. Retrieved from
WebMD.com: http://www.webmd.com/mental-health/features/when-technologyaddiction-takes-over-your-life
Steel, C. (2006). Windows Forensics: The Field Guide for Conducting Corporate Computer
Investigations. Indianapolis: Wiley Publishing, INC.
Steele, M. E. (2013, November 6). Winsnort. Retrieved from Winsnort.com:
http://www.winsnort.com/index.php?module=Pages&func=display&pageid=49
Stuttard, D. P. (2008). The Web Application Hackers Handbook. Indianapolis: Wiley Publishing,
Inc.
National Institute of Standards and Technology. (2001, November 26). Federal Information Processing Standards 197.
Retrieved from NIST.gov: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Techopedia. (2013, September 21). Script Kiddie. Retrieved from Techopedia.com:
http://www.techopedia.com/definition/4090/script-kiddie
Techsoup. (2013, November 18). Networking and Security. Retrieved from
Techsoupforlibraries.org: http://www.techsoupforlibraries.org/book/export/html/592
Techterms. (2013, November 3). Denial of Service Definition. Retrieved from Techterms.com:
http://www.techterms.com/definition/denial_of_service
Techterms. (2013, November 2). Network Address Translation. Retrieved from Techterms.com:
http://www.techterms.com/definition/nat
Tulloch, M. (2012, December 19). Enabling event logging for Internet Explorer. Retrieved from
WindowsNetworking.com:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/Miscellaneous/EnablingeventloggingforInternetExplorer.html
U.S. Department of Justice, Office of Justice Programs. (2004). Forensic Examination of Digital Evidence: A Guide for
Law Enforcement. Washington, D.C.: National Institute of Justice.
United States Army. (2009, March 23). Army Regulation 25-2, Information Assurance. Retrieved
from APD.Army.mil: http://www.apd.army.mil/pdffiles/r25_2.pdf
United States v. Milton Scott Pruitt, 10-10829 (United States Court of Appeals for the Eleventh
Circuit April 213, 2011).
VMware. (2013, November 2). VMware Workstation. Retrieved from VMware.com:
http://www.vmware.com/products/workstation/
W3Schools.com. (2013, July). OS Platform Statistics. Retrieved September 2, 2013, from
W3Schools.com: http://www.w3schools.com/browsers/browsers_os.asp
Wash, R. (2010). Folk Models of home Computer Security. SOUPS '10 (p. Article No. 11). New
York: ACM New York.
Weinberger, S. (2012, March 20). Top Ten Most-Destructive Computer Viruses. Retrieved from
Smithsonian.com: http://www.smithsonianmag.com/science-nature/Top-Ten-MostDestructive-Computer-Viruses.html?c=y&page=2
Wireless Broadband Alliance. (2011). Global Developments in Public WiFi. Tampa: Informat
Telecoms and Media.
TZWorks. (2012). Windows Event Log Viewer (evtx_view). Retrieved from TZWorks.net:
https://tzworks.net/prototype_page.php?proto_id=4
Xinuos. (2013, November 18). Xinuos. Retrieved from Xinuos.com: http://www.xinuos.com/