File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.

Posted 22-Dec-2015 (category: Documents)

Transcript of File Analysis Chapter 5 – Harlan Carvey Event Logs File Metadata.

File Analysis, Chapter 5 – Harlan Carvey

Event Logs

File Metadata

Event Logs - Logging Events

• Events

• Logging Events

• Event Log Format

• Event Record Structure

• Various Logs

Usual Event Logs

• Application
  • Log of application errors, warnings and information

• Security
  • Dropped packets, successful connections
  • Logon/Logoffs

• System
  • Various device events

Registry References - XP

Windows 7

Location of logs

Event Log Location - XP

Event Log Location - Vista, Win7

• C:\Windows\System32\winevt\Logs

Location of Event Logs

App & System Logging

• On by default

• Log size is 512 KB by default

• Written by the application

Security Logging - XP

• Not on by default

• Log size is 512 KB by default

• Control Panel -> Administrative Tools -> Local Security Policy

Security Logging - Windows 7

Log Viewer

• Event Viewer
  • Control Panel -> Administrative Tools -> Event Viewer

• Application, Security and System logs available

• Event Properties
  • DTG (date-time group) of the event

• Important for some timelines

App Log

System Log

Security Log - Success

Security Log - Failure

Windows 7

Event Viewer

• Convenient and pretty

• Works only on live systems

• Does not work on a forensics image

• We have to parse the event logs

Event Logs

• Binary Structure

• Header and a series of records

• Event ID formats
  • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

• Application logs are vendor specific
  • EventID.net is a good source for this info - $$$

• blogs.msdn.com/ericfiz/default.aspx

• www.microsoft.com/technet/support/ee/ee_advanced.aspx

Event Log Configuration - XP

• Held in registry keys

Windows 7

Registry Viewer

• Event message

Event Log File Format - XP only

• Event Log Header – 12 DWORD values

• Event Records – Variable length

• Windows 7 & Vista
  • http://www.dfrws.org/2007/proceedings/p65-schuster.pdf
  • http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf

Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 0x66 0x4C 0x65 = "LfLe"
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file of the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the registry)
40      4 bytes  Retention time of event records (from the registry)
44      4 bytes  Size of the record (repeat of the first DWORD)

Event Log Header Structure

Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 0x66 0x4C 0x65 = "LfLe"
8       4 bytes  Record number
12      4 bytes  Time generated
16      4 bytes  Time written
20      4 bytes  Event ID – locates the message file/dll/exe
24      2 bytes  Event type (0x01 = Error, 0x02 = Warning, 0x04 = Info, 0x08 = Success, 0x10 = Failure)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset
40      4 bytes  Length of user SID
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to data

Event Record Structure

Carvey’s Help

• Best not to depend on the Windows API to read the Event files

• They can be corrupted

• May miss the next record to be overwritten

• Provides summary stats

• Provides output readable in Excel
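As an added example (not Carvey's code and not part of the original slides), the following Python reads an XP .evt file directly from the two structure tables above, without going through the Windows API as the slides recommend, and rejects a record whose magic or trailing size DWORD does not match instead of silently misreading a corrupted log. The sample log bytes are constructed inline: the event ID 528 and the type codes come from the slides, the user and computer names are made up.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"
EVENT_TYPES = {0x01: "Error", 0x02: "Warning", 0x04: "Information",   # codes from the table above
               0x08: "Success Audit", 0x10: "Failure Audit"}
HEADER = struct.Struct("<I4s10I")   # 12 DWORDs (0x30 bytes); the slide omits offsets 8/12 (version) and 36 (flags)
FIXED = struct.Struct("<I4sIIIIHHHHIIIIII")   # the 56-byte fixed part of every record

def parse_header(buf):
    f = HEADER.unpack_from(buf, 0)
    if f[0] != 0x30 or f[1] != MAGIC or f[11] != 0x30:
        raise ValueError("not an XP .evt header")
    return {"oldest_offset": f[4], "next_offset": f[5], "next_id": f[6],
            "oldest_id": f[7], "max_size": f[8], "retention": f[10]}

def parse_record(buf, off):
    (size, magic, rec_no, t_gen, t_wr, event_id, etype, nstr, cat, _flags, _closing,
     str_off, sid_len, sid_off, _data_len, data_off) = FIXED.unpack_from(buf, off)
    # A corrupted log fails here: the magic and the size DWORD repeated at the end must match
    if magic != MAGIC or struct.unpack_from("<I", buf, off + size - 4)[0] != size:
        raise ValueError("corrupt record at offset %d" % off)
    # After the fixed part: source and computer name (NUL-terminated UTF-16LE), then SID, strings, data
    names_end = off + (sid_off if sid_len else str_off)
    source, computer = buf[off + 56:names_end].decode("utf-16-le").split("\0")[:2]
    strings = buf[off + str_off:off + data_off].decode("utf-16-le").split("\0")[:nstr]
    return {"record_number": rec_no, "event_id": event_id, "category": cat, "size": size,
            "type": EVENT_TYPES.get(etype, hex(etype)), "source": source, "computer": computer,
            "generated": datetime.fromtimestamp(t_gen, timezone.utc),
            "written": datetime.fromtimestamp(t_wr, timezone.utc), "strings": strings}

def parse_evt(buf):
    """Walk records from the oldest one up to the next-write offset (no wrap-around handling)."""
    hdr, records = parse_header(buf), []
    off = hdr["oldest_offset"]
    while off < hdr["next_offset"]:
        records.append(parse_record(buf, off))
        off += records[-1]["size"]
    return hdr, records

def build_sample_evt():
    """Constructed sample, not a real log: header plus one Security success-audit record (ID 528)."""
    names = "Security\0".encode("utf-16-le") + "WS01\0".encode("utf-16-le")   # 28 bytes
    strings = "jdoe\0WS01\0".encode("utf-16-le")                              # 20 bytes
    str_off = 56 + len(names); data_off = str_off + len(strings); size = data_off + 4
    rec = FIXED.pack(size, MAGIC, 1, 1450742400, 1450742400, 528, 0x08, 2, 2, 0, 1,
                     str_off, 0, 0, 0, data_off) + names + strings + struct.pack("<I", size)
    hdr = HEADER.pack(0x30, MAGIC, 1, 1, 0x30, 0x30 + size, 2, 1, 512 * 1024, 0, 0, 0x30)
    return hdr + rec
```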

evtstats.exe

Lots of events

lsevt.exe

Entry for each of the 2464 Event Records

lsevt2.exe

Entry for each of the 2464 Event Records; puts it into an Excel-readable format

lsevt -f event_file -c > save_file.csv

Excel – Open .csv file

Change Format

Choose Delimited

Identify Separators

Harlan’s stuff is separated by semicolons.

With Perl knowledge you could change it.

Excel-Manipulable Information

Other Logs

• IE Browsing History

• Set Up

• XP Firewall

• Recycle Bin

• Shortcut Files

IE Browsing History

• Index.dat files

• DiscoverPro

• NetAnalysis

• Index dat spy

• SuperWinSpy

• Be careful!!!

NetAnalysis

Set Up Logs

• Setuplog.txt

• Setupact.log

• SetupAPI.log

• Netsetup.log

Setuplog.txt - C:\WINDOWS

Setupact.log - C:\WINDOWS

SetupAPI.log - C:\WINDOWS

NetSetup.log - C:\Windows\Debug

Task Scheduler Log - SchedLgU.txt

Enabling Firewall Logging

• Control Panel -> Security Center -> Windows Firewall -> Advanced

• Follow your nose

Firewall Log

• C:\WINDOWS\pfirewall.log

Recycle Bin

• C:\RECYCLER
  • Each user gets his own folder

• Use the user’s SID

• Each has its own INFO2 file

Recycle Bin

recbin.exe

INFO2 File Structure

• Header
  • 16 bytes
  • Final 4 bytes (DWORD) is the size of each record: 0x320 (little endian) = 800 bytes

• Records
  • Record # at offset 264 within the record
  • Drive designator at offset 268: 2 = C:\, 3 = D:\, etc.
  • File size in clusters at offset 280

Open INFO2 in WinHex

• Very hard
  • File -> Open
  • Navigate to C:\RECYCLER
  • Open it
  • Select a SID file
  • Open it. It may say you don't have privileges
  • Type \INFO2
  • Try again!
  • Maybe

INFO2 Record Size

Record size: 0x00320 = 800 (decimal)

Drive indicator: 0x0002

Size in clusters: 0x0001

File Metadata - MAC Times

OS - OS        Action  From  To    Create time  Modification time
FAT to FAT     Copy    C:\   C:\   Updated      Unchanged
FAT to FAT     Move    C:\   C:\   Unchanged    Unchanged
FAT to NTFS    Copy                Updated      Unchanged
FAT to NTFS    Move                Unchanged    Unchanged
NTFS to NTFS   Copy    C:\   C:\   Updated      Unchanged
NTFS to NTFS   Move    C:\   C:\   Unchanged    Unchanged

Word Documents

• Document location

• Statistics

• Magic number

• Version and Language

• Last 10 authors

• MACPS times: Modified, accessed, created, printed, saved

MergeStreams

• Insert a spreadsheet into a word document

• Call it .doc – you see the Word document

• Call it .xls – you see the spreadsheet

• All sorts of uses
  • Smuggling out forecasts

• Sharing pictures on the corporate server

PDF Files

• Similar metadata as Word docs.
  • Easily accessed
  • File -> Properties

Image Files - EXIF Data

Original Photo off of the camera

After Photoshop manipulation

Tweet Metadata

ADS – Alternate Data Streams

• Native to NTFS

• Permits data file to contain scripts, or executable code

• No NT native tools to detect them

• Native tools to create and launch them