The project has been funded by the European Commission. The Education, Audiovisual and Culture Executive program (EACEA), TEMPUS IV. The content of this presentation reflects the opinion of the author.
Windows Artefacts
Developers:
C.Yesil
Artifacts of Forensic Interest
•Windows Eventlogs
•User Profiles
•Application Data
•Registry
•Restore Points (RP)
•Volume Shadow Copies (VSS)
Windows Eventlogs
•Most operating systems use log files
•In Windows they are called „Event Logs“
•Implemented since Windows 3.1
•Can be used to detect
•Network intrusions, malware attacks, artefacts of user behavior, or other cybercrime activity on the system
•Until Windows Vista they were called „Windows Event Logs“
•A huge amount of data is generated
it is like looking for a needle in a haystack.
Windows Eventlogs
Since Windows 3.1 there have been three kinds of Event Logs:
•Application Logs – Appevent.evt (switched on by default)
Event Logs written by applications
•System Logs – Sysevent.evt (switched on by default)
Records system-relevant events, e.g. drivers that failed to load
•Security Logs – Secevent.evt (switched off by default in XP) (switched on by default in Vista/7)
Successful and failed logins
Events relating to OS resources (e.g. a policy change such as switching off logon auditing)
Windows Eventlogs
Windows Vista and Windows 7 include the following logs:
•Application Logs
– Application.evtx
•Hardware Events Logs
– HardwareEvents.evtx
•Security Logs
– Security.evtx
•Setup Logs
– Setup.evtx
•System Logs
– System.evtx
•Applications and Services Logs
– e.g. Internet Explorer.evtx
•Forwarded Event Logs
– collected from remote computers
•Admin, Operational, Analytic, Debug Events
The event log contains the following standard logs as well as custom logs:
Log | Description
Application | Contains events logged by applications. For example, a database application might record a file error. The application developer decides which events to record.
Security | Contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can start auditing to record events in the security log.
System | Contains events logged by system components, such as the failure of a driver or other system component to load during startup.
CustomLog | Contains events logged by applications that create a custom log. Using a custom log enables an application to control the size of the log or attach ACLs for security purposes without affecting other applications.
The event logging service uses the information stored in the Eventlog registry key. The Eventlog key contains several subkeys, called logs. Each log contains information that the event logging service uses to locate resources when an application writes to and reads from the event log.
Event logs in Windows
Viewing the Windows logs with the built-in tools:
Win+R
then
eventvwr.msc
Event logs in Windows
Easy example
If you suspect that someone in the office is logging in under your account, or confidential information (passwords, photos, etc.) has gone missing, check when the computer was started and shut down:
After launching the Computer Management application, select Event Viewer -> Windows Logs -> System.
In the right-hand pane, look for an entry with the Source "Kernel General"; this source records the starting and shutting down of the computer. Double-clicking the entry shows the details of the event.
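The same lookup can be done without clicking through Event Viewer once the System log has been exported (Event Viewer -> Save All Events As... -> XML). The Python script below is an added example and is not part of the original slides. It assumes the export uses the standard Windows event XML schema (namespace http://schemas.microsoft.com/win/2004/08/events/event) and that the Microsoft-Windows-Kernel-General provider writes event ID 12 when the operating system starts and event ID 13 when it shuts down; neither detail is stated on the slides. The sample records are constructed for the example. It also generalizes the slide's single case: select_events filters any exported log by provider name and event ID, so the same code can pull other sources out of the haystack.

```python
"""Build a start/shutdown timeline from an exported Windows System log.

Added example, not from the original slides.  Assumptions (not on the
slides): the XML export uses the standard Windows event schema, and the
Microsoft-Windows-Kernel-General provider logs event ID 12 for
"operating system started" and event ID 13 for "operating system is
shutting down".  The sample records below are constructed, not taken
from a real machine.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KERNEL_GENERAL = "Microsoft-Windows-Kernel-General"
BOOT_EVENTS = {12: "started", 13: "shutdown"}   # assumed event IDs

# Constructed sample export: two Kernel-General records (shutdown listed
# before startup, as a real export may be) plus an unrelated Service
# Control Manager record that must be ignored.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General" />
    <EventID>13</EventID>
    <TimeCreated SystemTime="2023-03-01T18:31:45.6543210Z" />
    <Channel>System</Channel>
  </System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID>7036</EventID>
    <TimeCreated SystemTime="2023-03-01T08:02:00.0000000Z" />
    <Channel>System</Channel>
  </System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General" />
    <EventID>12</EventID>
    <TimeCreated SystemTime="2023-03-01T07:58:21.1234567Z" />
    <Channel>System</Channel>
  </System>
</Event>
</Events>"""


def parse_systemtime(stamp):
    """Parse a TimeCreated SystemTime value (UTC).  Windows writes seven
    fractional digits (100 ns units) and a trailing 'Z'; Python's %f
    accepts at most six, so the fraction is truncated to microseconds."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)


def select_events(xml_text, provider, event_ids):
    """Return (timestamp, event_id) tuples for records written by
    `provider` whose EventID is in `event_ids`, oldest first."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        prov = system.find("e:Provider", NS)
        if prov is None or prov.get("Name") != provider:
            continue
        eid = int(system.find("e:EventID", NS).text)
        if eid not in event_ids:
            continue
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        hits.append((parse_systemtime(stamp), eid))
    hits.sort()          # chronological order regardless of export order
    return hits


def boot_timeline(xml_text):
    """Readable list of when the OS started and shut down."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} {BOOT_EVENTS[eid]}"
            for ts, eid in select_events(xml_text, KERNEL_GENERAL, BOOT_EVENTS)]


if __name__ == "__main__":
    for line in boot_timeline(SAMPLE_XML):
        print(line)
```

A gap in the timeline that does not match the owner's working hours (a start at 02:00, say) is the kind of detail the slide's manual lookup is meant to surface; running the export through a script makes that comparison repeatable across many days of logs.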
