The project has been funded by the European Commission. The Education, Audiovisual and
Windows Artefacts
Content
•Introduction
•Windows Artefacts
•Methodology
•Leaves on Harddisk
•Approach to analyzing local tracks
•Limits: Portable Software
•Limits: Malware
•Special software
•Approaches
•Sandboxies
•What is a Sandbox
•What is Sandboxie
•Advantages of Sandboxie
•Alternatives for sandboxies
•Virtualization with EvaLaze
•Sandboxie
•How does Sandboxie work?
•Automation via command line
•Recovery in Sandboxie
•Analysis of Sandboxie results
•Redirecting Registry
•Logfiles of Hives
•Analyzing Sandboxie Registry Hives
•Runtime behavior
•Overview
•Using Jabber with Jabbin
•Usage in practice
Windows OS-Artifacts
•Typical application traces
•File access via mailer
•FTP-Client
•FileShare P2P: eMule
•FileShare P2P: BitTorrent
•FileShare P2P: μTorrent
•BitTorrent Forensic
•Virusscanner
•Firewall Win 7
•Windows Eventlogs
•openVPN
Windows OS-Artifacts
•Operating System
•Windows Operating System
•Windows Folder Structure
•Artifacts of Forensic Interest
•User Profiles
•Which Version?
•Application Data
•Application Data (subfolders)
•AppData Local
•AppData LocalLow
•AppData Roaming
•Summary
•Registry Description
•What kind of information is actually stored there?
•Registry Information
•Registry's Structure
•HKEY_LOCAL_MACHINE - HKLM
•And what about user data?
•NTUSER.DAT location in Windows XP
•NTUSER.DAT location in Windows 7
•Registry Files Examination
•From Forensics point of view
•Examples
•Restore Points vs. Volume Shadow Copy
•Restore Points (Windows XP)
•Restore Points (Windows 7)
•Volume Shadow Copy
Firewall Win 7
•Control Panel --> All Control Panel Items --> Windows Firewall, e.g. shows the allowed programs
•Default path of the log file:
•C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Windows Eventlogs
•Most operating systems use log files
•In Windows they are called "Event Logs"
•Implemented since Windows 3.1
•Can be used to detect
•network intrusions, malware attacks, artefacts of user behaviour, or cybercrime behaviour on the system
•Until Windows Vista they are called "Windows Event Logs"
•A huge amount of data is generated:
it is like looking for a needle in a haystack.
Windows Eventlogs
Since Windows 3.1 there have been three kinds of event logs:
•Application Logs – Appevent.evt (switched on by default): event logs from applications
•System Logs – Sysevent.evt (switched on by default): records system-relevant events, e.g. drivers that failed to load
•Security Logs – Secevent.evt (switched off by default in XP, switched on by default in Vista/7): allowed or denied logins, and events relating to OS resources (e.g. if policies are changed, such as login auditing being switched off)
Windows Eventlogs
Windows Vista and Windows 7 include the following logs:
•Application Logs – Application.evtx
•Hardware Events Logs – HardwareEvents.evtx
•Security Logs – Security.evtx
•Setup Logs – Setup.evtx
•System Logs – System.evtx
•Applications and Services Logs – e.g. Internet Explorer.evtx
•Forwarded Event Logs – events collected from remote computers
•Admin, Operational, Analytic and Debug events
Windows Eventlogs
•Group Policy shows whether logging is activated
•There you can see which logs are enabled and change the logging level
Windows Eventlogs
Event Logs are stored as:
•*.evt – Windows NT 3.1 to Windows XP
•*.evtx – Windows Vista and Windows 7, event logs based on XML
Default location in Windows XP:
•%SystemRoot%\System32\config\*.evt
Default location in Windows Vista and Windows 7:
•%SystemRoot%\System32\winevt\Logs\*.evtx
Locations can be changed in the Registry:
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog (Win XP, Vista, Win 7)
Windows Eventlogs
Structure of an event log record:
•Log name
•Source
•Event ID
•User
•Task category
•Computer
•and so on.
For more information: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363646%28v=vs.85%29.aspx
Windows Eventlogs
Which kind of information is stored in these event logs?
•Intrusions into the system (when and how)
•Login and logoff timestamps
•Update information
•Software and hardware installation
•Warnings and errors
•Even the SSIDs and IP addresses of the last Wi-Fi connections are stored for a while (WLAN-AutoConfig)
Since Windows 7 the size of the log files has been increasing.
Windows Eventlogs
Tools for viewing and evaluating event logs
•eventvwr.exe (integrated in Windows)
•LogParser.exe (parser from Microsoft)
http://www.microsoft.com/downloads/details.aspx?FamilyID=890CD06B-ABF8-4C25-91B2-F8D975CF8C07
•Evtx Parser (Vista and Windows 7)
http://computer.forensikblog.de/2009/12/evtx_parser_1_0_1.html
•Windows NT Event Log Viewer (shows the logs in a readable format)
http://www.codeproject.com/KB/system/sysevent.aspx
•GrokEVT (Windows NT/2K/XP/2K3, Python)
http://projects.sentinelchicken.org/grokevt/
Windows Eventlogs
Tools for analysing event logs
LogParser examples
Unsuccessful logins and the user name:
LogParser "SELECT distinct SID, RESOLVE_SID(SID) as Username FROM Security WHERE EventID IN (529; 530; 531; 532; 533; 534; 535; 537; 539)"
Logins (Event ID 528) of the user "xy", exporting the hits into the text file treffer.txt (the SID column is resolved to the account name, so LIKE matches on the name):
LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO treffer.txt FROM Security WHERE EventID = 528 AND SID LIKE '%xy%'" -resolveSIDs:ON
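The same two questions answered in Python, as an added example that is not part of the slides: the failed-logon summary and the per-user logon list from the LogParser queries above, plus a simple indicator for repeated failures followed by a success. The event IDs 528 and 529-539 are the ones the slide uses; the record layout and the sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Windows XP/2003 Security log event IDs used in the LogParser queries on the slide.
SUCCESS_LOGON = 528
FAILED_LOGON_REASONS = {
    529: "unknown user name or bad password", 530: "logon time restriction",
    531: "account disabled", 532: "account expired", 533: "workstation restriction",
    534: "logon type not granted", 535: "password expired",
    537: "unexpected logon error", 539: "account locked out",
}
# Constructed sample records; SID already holds the resolved account name (as -resolveSIDs:ON returns it).
SAMPLE_SECURITY_LOG = [
    {"TimeGenerated": "2012-03-01 07:59:59", "EventID": 528, "SID": r"WORKSTATION\xy"},
    {"TimeGenerated": "2012-03-01 08:01:12", "EventID": 529, "SID": r"WORKSTATION\xy"},
    {"TimeGenerated": "2012-03-01 08:01:20", "EventID": 529, "SID": r"WORKSTATION\xy"},
    {"TimeGenerated": "2012-03-01 08:01:31", "EventID": 529, "SID": r"WORKSTATION\xy"},
    {"TimeGenerated": "2012-03-01 08:01:45", "EventID": 528, "SID": r"WORKSTATION\xy"},
    {"TimeGenerated": "2012-03-01 09:10:03", "EventID": 531, "SID": r"WORKSTATION\guest"},
]

def _when(rec):
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%d %H:%M:%S")

def failed_logons_by_account(records):
    """First query: distinct accounts with failed logons, broken down by failure reason."""
    summary = defaultdict(Counter)
    for rec in records:
        reason = FAILED_LOGON_REASONS.get(rec["EventID"])
        if reason is not None:
            summary[rec["SID"]][reason] += 1
    return {account: dict(counts) for account, counts in summary.items()}

def successful_logons_for(records, username):
    """Second query: successful logons (528) of one user, oldest first; matches DOMAIN\\user case-insensitively."""
    suffix = "\\" + username.lower()
    hits = [r for r in records if r["EventID"] == SUCCESS_LOGON and r["SID"].lower().endswith(suffix)]
    return sorted(hits, key=_when)

def suspicious_accounts(records, threshold=3):
    """Accounts with >= threshold failed logons directly followed by a success (a password-guessing pattern)."""
    failures, flagged = Counter(), []
    for rec in sorted(records, key=_when):
        account, event_id = rec["SID"], rec["EventID"]
        if event_id in FAILED_LOGON_REASONS:
            failures[account] += 1
        elif event_id == SUCCESS_LOGON:
            if failures[account] >= threshold and account not in flagged:
                flagged.append(account)
            failures[account] = 0  # a success ends the run of failures
    return flagged
```

Records exported by LogParser (e.g. with INTO treffer.txt) can be loaded into the same record layout to run these functions on real data.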
