Windows event logs in forensic analysis
On Windows systems, event logs contain a lot of useful information about the system and its users.
Depending on the logging level enabled and the version of Windows installed, event logs can provide investigators with details about applications, login timestamps for users and system events of interest.
Depending on the version of Windows installed on the system under investigation, the number and types of events will differ:
In fact, the events logged by a Windows XP machine may be incompatible with an event log analysis tool designed for Windows 8.
For example, Event ID 551 on a Windows XP machine refers to a logoff event; the Windows Vista/7/8 equivalent is Event ID 4647.
Windows XP events can be converted to Vista events by adding 4096 to the Event ID.
Windows versions since Vista include a number of new events that are not logged by Windows XP systems.
Windows Server editions have larger numbers and types of events.
Thus, the exact version of the Windows system must be considered very carefully when developing a digital forensic process centered on event logs.
By default, a Windows system is set to log a limited number of events, but it can be modified to include actions such as file deletions and changes.
The default locations of Windows event logs are typically:
Windows 2000/Server2003/Windows XP:
%SystemRoot%\System32\Config\*.evt
Windows Vista/7/Server2008:
%SystemRoot%\System32\winevt\Logs\*.evtx
This can be changed by a user by modifying the File value of the following registry keys under HKEY_LOCAL_MACHINE (HKLM) on the local machine:
Application Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application
Hardware Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\HardwareEvents
Security Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security
System Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\System
When a custom path is used, a key is generated at the registry location:
HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Channels\[logname]
(e.g., Microsoft-Windows-Audio\CaptureMonitor)
Useful events for forensic analysis
Event ID (2000/XP/2003) | Event ID (Vista/7/8/2008/2012) | Description | Log Name |
528 | 4624 | Successful Logon | Security |
529 | 4625 | Failed Login | Security |
680 | 4776 | Successful/Failed Account Authentication | Security |
624 | 4720 | A user account was created | Security |
636 | 4732 | A member was added to a security-enabled local group | Security |
632 | 4728 | A member was added to a security-enabled global group | Security |
2934 | 7030 | Service Creation Errors | System |
2944 | 7040 | The start type of a service was changed (e.g., the IPSEC Services service was changed from disabled to auto start). | System |
2949 | 7045 | Service Creation | System |
Logon Type Codes
One useful piece of information that the Successful/Failed Logon events provide is how the user or process attempted to log on (the Logon Type). Windows records this only as a number; the table below lists the logon types and their meaning:
Logon type | Logon title | Description |
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
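The two tables above (the XP-to-Vista event ID mapping by adding 4096, and the numeric Logon Type field) are put to work in the following added example, which is not code from this page or from any of the tools it lists. It normalises a mix of XP and Windows 7 records to Vista+ IDs, counts failed logons per account and logon type, and lists account, group and service changes; the records are constructed inline in a simplified dict form rather than read from a real .evt/.evtx file.

```python
from collections import Counter

LEGACY_OFFSET = 4096  # 2000/XP/2003 ID + 4096 == Vista+ ID (528 -> 4624, 2949 -> 7045)
# Vista+ IDs of the events listed above, with description and the log they live in.
EVENTS_OF_INTEREST = {
    4624: ("Successful Logon", "Security"),
    4625: ("Failed Login", "Security"),
    4776: ("Successful/Failed Account Authentication", "Security"),
    4720: ("A user account was created", "Security"),
    4732: ("A member was added to a security-enabled local group", "Security"),
    4728: ("A member was added to a security-enabled global group", "Security"),
    7030: ("Service Creation Errors", "System"),
    7040: ("Service start type changed", "System"),
    7045: ("Service Creation", "System"),
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext"}
FLAG_IDS = {4720, 4732, 4728, 7045}  # changes an examiner wants listed one by one, not counted

def normalize_event_id(event_id):
    """Map a 2000/XP/2003 event ID onto Vista+ numbering; Vista+ IDs pass through unchanged."""
    return event_id + LEGACY_OFFSET if event_id < LEGACY_OFFSET else event_id

def triage(records):
    """Count failed logons per (account, logon type) and list account/group/service changes."""
    failed = Counter()
    flagged = []
    for rec in records:
        eid = normalize_event_id(rec["EventID"])
        if eid == 4625:
            title = LOGON_TYPES.get(rec.get("LogonType"), "Unknown")
            failed[(rec.get("TargetUser", "?"), title)] += 1
        elif eid in FLAG_IDS:
            desc, log = EVENTS_OF_INTEREST[eid]
            flagged.append((eid, log, desc, rec.get("TargetUser") or rec.get("Service")))
    return {"failed_logons": failed, "flagged": flagged}

# Constructed sample records: an XP security log (529/624/2949) mixed with Windows 7 (4625/4732).
SAMPLE_RECORDS = [
    {"EventID": 529, "LogonType": 3, "TargetUser": "administrator"},   # XP failed network logon
    {"EventID": 4625, "LogonType": 3, "TargetUser": "administrator"},  # Win7 failed network logon
    {"EventID": 4625, "LogonType": 2, "TargetUser": "jsmith"},         # Win7 failed console logon
    {"EventID": 624, "TargetUser": "svc_backup"},                      # XP: account created
    {"EventID": 4732, "TargetUser": "svc_backup"},                     # Win7: added to local group
    {"EventID": 2949, "Service": "ExampleSvc"},                        # XP: service installed
]
```

Calling triage(SAMPLE_RECORDS) groups the two failed network logons for "administrator" together even though one came from an XP log and one from Windows 7, and lists the account creation, group change and service installation in the order they occurred.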
Useful tools
Log Parser
Tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
https://www.microsoft.com/en-us/download/details.aspx?id=24659
python-evtx
Python parser for recent Windows Event Log files (.evtx).
EvtxParser
A parser framework for Microsoft Windows Vista event log files in their native binary (.evtx) format.