SYSTEM EVENT LOGS

Upload: primeteacher32

Post on 13-Feb-2017

TRANSCRIPT

Page 1: System Event Logs

SYSTEM EVENT LOGS

Page 2: System Event Logs

OVERVIEW

• Important in timeline reconstruction
• Event logs and application logs chronicle what happened, and when
• Not always in a human-readable format
• Missing or inconsistent logs are themselves an indicator of compromise (IOC)

Page 3: System Event Logs

WINDOWS EVENT LOGS

• Older versions are in a binary (.evt) format
• Proper name is just ‘Event Log’
• See evtparse.pl and evtrpt.pl from Harlan Carvey
• Categorized by log type
  • System
  • Security
  • Application

Page 4: System Event Logs

WINDOWS EVENT LOGS (CONT.)

• Stored in %systemroot%\system32\config (SysEvent.Evt, SecEvent.Evt, AppEvent.Evt)
• 5 types or levels
  • Error
  • Warning
  • Information
  • Success Audit
  • Failure Audit

Page 5: System Event Logs

WINDOWS EVENT LOGS (CONT.)

• Starting with Vista/Server 2008, logs are written in a binary XML format (EVTX), stored under %systemroot%\system32\winevt\Logs
• Additional properties added (e.g. Process ID, Thread ID, Processor ID, Session ID)
• New channels for Setup and ForwardedEvents
• New Event Viewer for filtering and exporting

Page 6: System Event Logs

WINDOWS EVENT LOGS (CONT.)

• Logs can be purged, rolled over or deleted
• In the worst case, recovery involves carving records out of unallocated space
• Each old-style Windows binary record carries the ‘LfLe’ magic number (it sits right after the record’s 4-byte length field, and the length is repeated at the end of the record)
• Use Microsoft’s Log Parser to query
• Use wevtutil to convert old-format logs to the new format
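The carving step described on this slide, as an added worked example that is not part of the original deck (Python, standard library only): it packs two constructed legacy-format Security records, drops them into a buffer of junk bytes standing in for unallocated space, then recovers them by scanning for the ‘LfLe’ signature and validating each candidate against the record’s own leading and trailing length fields. The record numbers, event IDs, user names, host name and timestamps in the sample are made up for the demonstration; the 56-byte header layout is the documented EVENTLOGRECORD structure.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte EVENTLOGRECORD header of the legacy .evt format.
EVT_MAGIC = b"LfLe"
HEADER_FMT = "<I4sIIIIHHHHIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 56
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def build_record(record_number, unix_time, event_id, event_type,
                 source, computer, strings):
    """Assemble one legacy .evt record (constructed test data, not a real log)."""
    names = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    names += b"\x00" * (-len(names) % 4)               # pad to a DWORD boundary
    body = b"".join((s + "\x00").encode("utf-16-le") for s in strings)
    body += b"\x00" * (-len(body) % 4)
    string_off = HEADER_LEN + len(names)               # no SID in these samples
    length = HEADER_LEN + len(names) + len(body) + 4   # +4 for the trailing length
    header = struct.pack(HEADER_FMT, length, EVT_MAGIC, record_number,
                         unix_time, unix_time, event_id, event_type,
                         len(strings), 0, 0, 0, string_off, 0, string_off,
                         0, string_off + len(body))
    return header + names + body + struct.pack("<I", length)


def parse_record(buf, off):
    """Parse the record at buf[off]; raise ValueError unless it is intact."""
    if off < 0 or off + HEADER_LEN > len(buf):
        raise ValueError("header runs past end of buffer")
    (length, magic, recnum, t_gen, t_wr, event_id, etype, nstrings, category,
     _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
     _data_off) = struct.unpack_from(HEADER_FMT, buf, off)
    if magic != EVT_MAGIC:
        raise ValueError("bad magic")
    if length < HEADER_LEN + 4 or off + length > len(buf):
        raise ValueError("length runs past end of buffer (torn record?)")
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        raise ValueError("trailing length does not match leading length")
    source, pos = _read_utf16z(buf, off + HEADER_LEN)
    computer, _ = _read_utf16z(buf, pos)
    strings, pos = [], off + str_off
    for _ in range(nstrings):
        s, pos = _read_utf16z(buf, pos)
        strings.append(s)
    return {
        "offset": off, "length": length, "record_number": recnum,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "time_written": datetime.fromtimestamp(t_wr, tz=timezone.utc).isoformat(),
        "event_id": event_id & 0xFFFF,      # low 16 bits are the event code
        "event_type": EVENT_TYPES.get(etype, f"unknown({etype})"),
        "category": category, "source": source, "computer": computer,
        "strings": strings,
    }


def carve_records(buf):
    """Scan arbitrary bytes (e.g. unallocated space) for intact .evt records."""
    found, pos = [], 0
    while True:
        hit = buf.find(EVT_MAGIC, pos)
        if hit == -1:
            return found
        try:
            rec = parse_record(buf, hit - 4)   # magic follows the length DWORD
            found.append(rec)
            pos = hit - 4 + rec["length"]      # skip past the validated record
        except ValueError:
            pos = hit + 1                      # false hit or torn record: keep scanning


# Constructed sample: two intact Security-log records embedded in junk, plus a
# stray signature and a torn copy at the end that the carver must reject.
T0 = 1486944000  # 2017-02-13 00:00:00 UTC
REC_FAIL = build_record(4711, T0, 529, 16, "Security", "WKS01",
                        ["jdoe", "CORP", "2", "User32", "Negotiate", "WKS01"])
REC_CLEAR = build_record(4712, T0 + 60, 517, 8, "Security", "WKS01", ["SYSTEM"])
UNALLOCATED = (b"\xff" * 37 + REC_FAIL + b"\x00" * 13 + REC_CLEAR
               + b"LfLe" + REC_CLEAR[:40])

if __name__ == "__main__":
    for r in carve_records(UNALLOCATED):
        print(f"{r['time_generated']} #{r['record_number']} {r['event_type']:14} "
              f"{r['source']}/{r['event_id']} {r['strings']}")
```

Matching the signature alone is not enough on a real disk image: the four bytes occur in other data, and rolled-over or partially overwritten records leave headers with no body. Checking that the trailing length equals the leading one, and that the whole record fits in the buffer, is what keeps the carver from emitting garbage or reading off the end of the slack.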

Page 7: System Event Logs

RECYCLE BIN

• Can be disabled per volume
• See registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
• Files moved to the Recycle Bin are renamed in accordance with KB 136517 (D<original drive letter><index>.<original extension>)
• Index file INFO2 keeps track of the original name
• To extract data from INFO2 see recbin.pl
• Vista changed the name format of deleted files (each entry becomes a $I<id> metadata file paired with a $R<id> file holding the content; INFO2 is gone)
• Folder is named with the SID of the deleting user
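An added worked example for this slide, not part of the original deck and not the code of recbin.pl (Python, standard library only): it parses the 800-byte INFO2 records of the Windows 2000/XP/2003 Recycle Bin, reconstructs the KB 136517 name each file carried inside the bin, and, going one step beyond the slide, also decodes the Vista-and-later $I metadata file in both its fixed-width (version 1) and length-prefixed (version 2, Windows 10) layouts. The paths, sizes and timestamps in the samples are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_FMT = "<IIIII"          # version, reserved, reserved, record size, total size
INFO2_HEADER_LEN = struct.calcsize(INFO2_HEADER_FMT)   # 20
INFO2_RECORD_FMT = "<260sIIQI520s"   # ANSI path, index, drive, FILETIME, size, Unicode path
INFO2_RECORD_LEN = struct.calcsize(INFO2_RECORD_FMT)   # 800


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()


def _utf16z(blob):
    """Decode a NUL-padded UTF-16LE buffer up to its first terminator."""
    return blob.decode("utf-16-le").split("\x00", 1)[0]


def recycled_name(drive, index, original_path):
    """Name the file got inside the bin per KB 136517: D<drive letter><#>.<ext>."""
    base = original_path.rsplit("\\", 1)[-1]
    ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
    return f"D{chr(ord('a') + drive)}{index}{ext}"    # drive 0 = A:, 2 = C:


def parse_info2(data):
    version, _, _, rec_len, _ = struct.unpack_from(INFO2_HEADER_FMT, data, 0)
    if version != 5 or rec_len != INFO2_RECORD_LEN:
        raise ValueError(f"unexpected INFO2 version {version} / record size {rec_len}")
    records = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_len + 1, rec_len):
        ansi, index, drive, ft, size, uni = struct.unpack_from(INFO2_RECORD_FMT, data, off)
        path = _utf16z(uni)
        records.append({
            "index": index,
            "original_path": path,
            "recycled_name": recycled_name(drive, index, path),
            "deleted": filetime_to_iso(ft),
            "size": size,
            # When an entry is restored or deleted out of the bin, Windows zeroes the
            # first byte of the ANSI path but leaves the Unicode copy: the record is
            # stale, yet the original name is still recoverable.
            "removed_from_bin": ansi[0] == 0,
        })
    return records


def parse_dollar_i(data):
    """Parse a Vista+ $I<id> file; the content itself lives in the paired $R<id>."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                     # Vista to 8.1: fixed 520-byte path field
        path = _utf16z(data[24:24 + 520])
    elif version == 2:                   # Windows 10: DWORD char count, then path
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = _utf16z(data[28:28 + 2 * nchars])
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"original_path": path, "size": size, "deleted": filetime_to_iso(ft)}


# Constructed samples (not real artifacts).
FT_2017_02_13 = 131314176000000000      # 2017-02-13 00:00:00 UTC as FILETIME


def _info2_record(index, drive, path, size, ft, removed=False):
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if removed:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack(INFO2_RECORD_FMT, ansi, index, drive, ft, size, uni)


SAMPLE_INFO2 = (
    struct.pack(INFO2_HEADER_FMT, 5, 0, 0, INFO2_RECORD_LEN, INFO2_HEADER_LEN + 2 * INFO2_RECORD_LEN)
    + _info2_record(7, 2, "C:\\Documents and Settings\\jdoe\\Desktop\\payroll.xls",
                    45056, FT_2017_02_13)
    + _info2_record(8, 2, "C:\\Temp\\tool.exe", 212992,
                    FT_2017_02_13 + 600 * 10_000_000, removed=True)
)
_PATH = "C:\\Temp\\tool.exe"
SAMPLE_DOLLAR_I = (struct.pack("<QQQI", 2, 212992, FT_2017_02_13, len(_PATH) + 1)
                   + (_PATH + "\x00").encode("utf-16-le"))

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(rec)
    print(parse_dollar_i(SAMPLE_DOLLAR_I))
```

The INFO2 records are fixed-width, so the same loop also works on a carved fragment of the file as long as it starts on a record boundary; the $I files are tiny and usually intact, but the $R file that holds the content may already have been overwritten, which is why the size and timestamp from $I are worth keeping on their own.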

Page 8: System Event Logs

PREFETCH FILES

• Performance feature of Windows (files live in %systemroot%\Prefetch, named <EXE NAME>-<hash>.pf)
• Available metadata: run count, when last launched, associated DLLs and other files loaded
• Parse the directory with pref.pl
• Also PFDump.exe

Page 9: System Event Logs

WINDOWS SCHEDULED TASKS

• Created via GUI or via API
• Also at.exe or schtasks.exe (both can schedule on a remote host)
• Through Windows 2003, tasks are .job files in C:\Windows\Tasks, stored in a binary format
• On Win7, tasks are in \Windows\System32\Tasks in XML format
• When collecting data in Live Response, run both at.exe and schtasks.exe to see ALL jobs
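An added worked example for the Win7 XML task files on this slide, not part of the original deck (Python, standard library only): it reads a task file the way it sits on disk (UTF-16 with a byte-order mark), pulls out who registered the task, when, what it runs, as whom and on which triggers, and then applies a few triage heuristics of the kind an examiner wants when reviewing a whole \Windows\System32\Tasks tree. The task XML is constructed for the demonstration, and the triage rules (hidden task, runs as SYSTEM, script host or binary outside the system directories) are example logic, not something the deck prescribes.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Example heuristic: script hosts and LOLBins that attackers commonly schedule.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")


def load_task_xml(data):
    """Task files are UTF-16 with a BOM; decode, drop the declaration, parse."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    return ET.fromstring(text)


def summarize_task(data):
    root = load_task_xml(data)

    def text(path):
        return root.findtext(path, default="", namespaces=TASK_NS)

    trig = root.find("t:Triggers", TASK_NS)
    triggers = [el.tag.split("}")[-1] for el in trig] if trig is not None else []
    actions = [(e.findtext("t:Command", default="", namespaces=TASK_NS),
                e.findtext("t:Arguments", default="", namespaces=TASK_NS))
               for e in root.iter("{%s}Exec" % TASK_NS["t"])]
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "date": text("t:RegistrationInfo/t:Date"),
        "user_id": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": triggers,
        "actions": actions,
    }


def triage_flags(summary):
    """Example triage rules; tune them to the environment under examination."""
    flags = []
    if summary["hidden"]:
        flags.append("hidden")
    if summary["user_id"] == "S-1-5-18":
        flags.append("runs as SYSTEM")
    for cmd, _args in summary["actions"]:
        low = cmd.lower()
        if low.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            flags.append(f"script host: {cmd}")
        if not low.startswith(("c:\\windows\\", "c:\\program files")):
            flags.append(f"binary outside system dirs: {cmd}")
    return flags


# Constructed sample task file (not a real artifact), encoded like the originals.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-02-13T09:14:02</Date>
    <Author>WKS01\\jdoe</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/c C:\\Users\\Public\\update.bat</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")

if __name__ == "__main__":
    summary = summarize_task(SAMPLE_TASK)
    print(summary)
    print("flags:", triage_flags(summary))
```

Reading the files directly complements, rather than replaces, running schtasks.exe on the live box: the on-disk XML still shows a task after its registry entry has been tampered with, while the live tools show what the scheduler service actually has loaded.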

Page 10: System Event Logs

JUMP LISTS

• New to Win7
• Think ‘Recent Docs’
• The system keeps track of recently used files by application
• Stored in the user’s profile under AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
• The information is also stored in a binary format (an OLE structured storage container)
• The container format is documented by Microsoft
• Use MiTeC Structured Storage Viewer

Page 11: System Event Logs

HIBERNATION FILES

• Contain a memory dump of the running system (hiberfil.sys in the root of the system volume)
• Volatility can be used to analyze the data
• A varied amount of valuable information can be present (e.g. keys for encrypted volumes)

Page 12: System Event Logs

APPLICATION LOGS

• Numerous installed applications maintain their own logs: AV logs, Skype, Apple software, ...
• Usefulness depends on the goal of the investigation
• AV logs
• Skype: view main.db with SkypeLogView
• Apple software: may produce backup images of devices
• Image metadata in EXIF format

Page 13: System Event Logs

SUMMARY

• Information useful to a case can be found in many locations
• Pick the right log or logs for the job
• The list of applications is certainly not exhaustive
• New applications will have new logs