Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs.


Transcript of Mastering Windows Network Forensics and Investigation Chapter 12: Windows Event Logs.

Mastering Windows Network Forensics and Investigation

Chapter 12: Windows Event Logs

Chapter Topics:

• Event Log Storage

• Using Event Viewer

• Efficient Event Log Parsing

Event Log Storage

• Stored in proprietary, binary format

• Not editable/viewable with standard text editor

• Files end in .evt or .evtx depending on the operating system

Event Log Storage

• Windows 2000/XP: .evt

• Windows Vista +: .evtx

• Files such as:

– System.evtx

– Application.evtx

– Security.evtx

Event Log Storage

• EVT format event logs are stored in:

%SystemRoot%\System32\config folder, along with the registry hive files

• EVTX format event logs are stored in:

%SystemRoot%\System32\winevt\Logs folder

Event Log Storage

• Application Log – Written to by any application

• System Log – Stores events related to system operation and maintenance

• Security Log – Security-related events

• Many other log files can be found from Windows Vista and beyond, but these are the ones of primary importance

Event Viewer

• Microsoft-provided tool for reading .evt/.evtx files

• GUI based

• Menus are context sensitive, changing based on the part of Event Viewer that is in focus

• Layout is different between Windows XP and Vista+

Event Viewer – Windows XP

• Double-clicking a log entry brings up its properties, revealing the detailed description

Event Viewer – Windows Vista+

• Double-clicking a log entry brings up its properties, revealing the detailed description

Event Log Parsing

• Learning to efficiently parse event logs is vital

• Focus on Event IDs, the numbers given to particular events that indicate what is being recorded

• Use the Filter feature to focus your search, and use Find to search within the filtered results

Event Log Parsing

• Filter can reduce your view based on event type, Event ID, date and time range, etc.

• Find can search within the Description field and will search forward or backward for the next occurrence of a particular string
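The Filter and Find steps described above can be scripted when a large exported log must be triaged. The following PowerShell is an added example, not code from the book or course; it assumes a .evtx file copied from %SystemRoot%\System32\winevt\Logs to a constructed evidence path, and the Event IDs, dates and search string are placeholders to be replaced.

```powershell
# Added example: programmatic equivalent of Event Viewer's Filter (Event ID and
# date/time range) and Find (substring search in the Description) over an exported .evtx.
# Path, Event IDs, dates and search string below are constructed placeholders.
function Search-EvtxEvents {
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. a copy of Security.evtx from an evidence drive
        [int[]] $Id = @(4624, 4625),                  # Security log logon success/failure IDs (placeholder choice)
        [datetime] $StartTime = (Get-Date).AddDays(-7),
        [datetime] $EndTime = (Get-Date),
        [string] $DescriptionContains = ''            # Find-style substring match on the Description
    )

    # The "Filter" step: FilterHashtable is evaluated by the event log service, so it is
    # much faster than reading every record and filtering afterwards in PowerShell.
    $filter = @{ Path = $Path; Id = $Id; StartTime = $StartTime; EndTime = $EndTime }

    # Get-WinEvent raises an error when no record matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue

    if ($DescriptionContains) {
        # The "Find" step: Message holds the rendered Description text shown in Event Viewer.
        # Note: rendering needs the event provider to be registered on the analysis system;
        # for logs from another host, Message may be empty and $_.Properties / ToXml() must be used.
        $events = $events | Where-Object { $_.Message -like "*$DescriptionContains*" }
    }

    $events | Select-Object TimeCreated, Id, ProviderName, RecordId,
        @{ Name = 'Description'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage with constructed values:
# Search-EvtxEvents -Path 'E:\evidence\winevt\Logs\Security.evtx' -Id 4625 `
#     -StartTime '2024-01-01' -EndTime '2024-01-31' -DescriptionContains 'jsmith' |
#     Sort-Object TimeCreated | Format-Table -AutoSize
```

The same hashtable works against a live log by replacing the Path key with LogName, which is how the Filter dialog's criteria map onto Get-WinEvent.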

Event Log Parsing

• If your analysis system is connected to the Internet, the built-in Help and Support Center link on the Properties page of each event entry provides additional information about the meaning of most Event Log entries.

Event Log Parsing

• Many other (arguably better) log parsers are available at low or no cost

• If there is a large volume of logs to review, consider tools such as Splunk for initial processing