- The project has been funded by the European Commission. The Education, Audiovisual and
- Artifacts of Forensic Interest
- Windows Eventlogs
- Huge amount of data is generated
- Windows Eventlogs
- The event log contains the following standard logs as well as custom logs:
- event logs in windows
- easy example
- system operating system shutdown time
- system operating time
- Windows Eventlogs
- The event identifier. The value is specific to the event source for the
- Security Log
- Search of users and groups (events 4798 and 4799). At the very beginning
- Attempts to login with a local account (event 4624). Respectable users log in
- Lock / unlock the workstation (events 4800-4803). The category of suspicious events includes
- Windows Security Log Event ID 4740
- Windows Security Log Event ID 4771
- Windows Security Log Event ID 4738
- Windows Security Log Event ID 1102
- System Monitor (Sysmon)
- What events can be taken from Sysmon?
- Changes in the registry (event ID 12-14). The easiest way to add yourself
- That there is no Security Log policy, but is it in Sysmon:
- Creation of a named file stream (event ID 15). The event is logged when a named file stream
- Power Shell Magazines
- A data provider has been loaded (event ID 600). PowerShell providers are programs
- Microsoft-WindowsPowerShell / Operational log (or MicrosoftWindows-
- Event Log Explorer
Easy example: operating system shutdown time, operating time
Event records are stored in XML format (.evtx)
Windows Eventlogs
• The Group Policy shows whether logging is activated
• gpedit.msc (Local Group Policy Editor): here you can see whether the logs are activated and change the logging level settings
Windows Eventlogs
Event logs are stored as:
• *.evt - Windows NT 3.1 to Windows XP
• *.evtx - Windows Vista and Windows 7, event logs based on XML
Default location in Windows XP:
• %SystemRoot%\System32\config\*.evt
Default location in Windows Vista and Windows 7:
• %SystemRoot%\System32\winevt\Logs\*.evtx
Locations can be changed in the Registry:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog (Win XP, Vista, Win 7)
Windows Eventlogs
Structure of an event log record:
Log name
Source
Event ID
User
Task category
Computer
and so on.
For more information: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363646%28v=vs.85%29.aspx
Windows Eventlogs
Which kind of information is stored in these event logs?
Intrusion into the system (when and how)
Login and logoff timestamps
Update information
Software and hardware installation
Warnings and errors
Even the SSIDs and IP addresses of the last Wi-Fi connections are stored for a while (WLAN-AutoConfig)
Since Windows 7 the size of the log files has increased.
Windows Eventlogs
Tools for viewing and evaluating event logs:
eventvwr.exe (integrated in Windows)
LogParser.exe (parser from Microsoft)
http://www.microsoft.com/downloads/details.aspx?FamilyID=890CD06B-ABF8-4C25-91B2-F8D975CF8C07
Evtx Parser (Vista and Windows 7)
http://computer.forensikblog.de/2009/12/evtx_parser_1_0_1.html
Windows NT Event Log Viewer (showing in readable format)
http://www.codeproject.com/KB/system/sysevent.aspx
GrokEVT (Windows NT/2K/XP/2K3,
http://projects.sentinelchicken.org/grokevt/
Event Log Explorer
The event identifier. The value is specific to the event source for the event, and is used with source name to locate a description string in the message file for the event source.
There are five types of events that can be logged. All of these have well-defined common data and can optionally include event-specific data.
The application indicates the event type when it reports an event. Each event must be of a single type. The Event Viewer displays a different icon for each type in the list view of the event log.
The following table describes the five event types used in event logging.
Event type | Description
Error | An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
Warning | An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
Information | An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
Success Audit | An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
Failure Audit | An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.
Security Log
This is the main storage location for system security events. It includes events for users signing in and out, access to objects, changes in policies and other security-related activities, provided the appropriate audit policy is configured.
Enumeration of users and groups (events 4798 and 4799). At the very beginning of an attack, malware often enumerates the local user accounts and local groups on a workstation to find credentials for its malicious actions. These events help detect malicious code before it moves on and, using the collected data, spreads to other systems.
Creating a local account and changes in local groups (events 4720, 4722–4726, 4738, 4740, 4767, 4780, 4781, 4794, 5376 and 5377). An attack can also begin, for example, by adding a new user to the local administrators group.
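To tie the record structure described earlier (log name, source, Event ID, computer, event data) to the Security Log event IDs listed above, here is an added example, not code from the original slides: a small parser for Event XML records that flags the enumeration and account/group-change events. The XML namespace is the one Windows uses for Event XML; the sample records, the computer name WS01.example.local and the user names are constructed for the example and abridged (real records carry more System fields).

```python
import xml.etree.ElementTree as ET
# Namespace of Windows Event XML (as shown in Event Viewer's XML view).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security-log event IDs from the text, grouped by what they indicate.
ACCOUNT_ENUMERATION = {4798, 4799}
ACCOUNT_AND_GROUP_CHANGES = {4720, 4722, 4723, 4724, 4725, 4726, 4738,
                             4740, 4767, 4780, 4781, 4794, 5376, 5377}

def parse_event(xml_text):
    """Return the common fields plus the EventData pairs of one XML record."""
    root = ET.fromstring(xml_text)
    sysel = root.find("e:System", NS)
    return {"log": sysel.findtext("e:Channel", namespaces=NS),
            "source": sysel.find("e:Provider", NS).get("Name"),
            "event_id": int(sysel.findtext("e:EventID", namespaces=NS)),
            "computer": sysel.findtext("e:Computer", namespaces=NS),
            "data": {d.get("Name"): d.text
                     for d in root.findall("e:EventData/e:Data", NS)}}

def classify(event):
    """Map a parsed event to a suspicious category from the text, or None."""
    if event["log"] != "Security":
        return None
    if event["event_id"] in ACCOUNT_ENUMERATION:
        return "account enumeration"
    if event["event_id"] in ACCOUNT_AND_GROUP_CHANGES:
        return "account or group change"
    return None

def triage(xml_records):
    """List (event_id, category, acting user, computer) for records of interest."""
    events = [parse_event(r) for r in xml_records]
    return [(ev["event_id"], classify(ev), ev["data"].get("SubjectUserName"),
             ev["computer"]) for ev in events if classify(ev)]

def _rec(provider, event_id, channel, data):
    # Build a constructed, abridged record (real ones carry more System fields).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel>'
            f'<Computer>WS01.example.local</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

SAMPLE_RECORDS = [  # constructed sample input, not real log data
    _rec("Microsoft-Windows-Security-Auditing", 4798, "Security",
         {"SubjectUserName": "jdoe", "TargetUserName": "Administrator"}),
    _rec("Microsoft-Windows-Security-Auditing", 4720, "Security",
         {"SubjectUserName": "jdoe", "TargetUserName": "svc_backup"}),
    _rec("EventLog", 6006, "System", {}),  # System log, not Security: ignored
]
```

Running triage(SAMPLE_RECORDS) reports the 4798 enumeration and the 4720 account creation with the acting user, while the System-log record is skipped.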
