How to recover event logs from a Windows memory image

Using Volatility and EVTXtract

Usually i use a different approach based on Windows version:

Windows XP and 2003 machines

Simply use the evtlogs plugin of Volatility:

The evtlogs command extracts and parses binary event logs from memory. Binary event logs are found on Windows XP and 2003 machines, therefore this plugin only works on these architectures.
These files are extracted from VAD of the services.exe process, parsed and dumped to a specified location.

$ python vol.py -f WinXPSP1x64.vmem --profile=WinXPSP2x64 evtlogs -D output
Volatility Foundation Volatility Framework 2.4
Parsed data sent to appevent.txt
Parsed data sent to secevent.txt
Parsed data sent to sysevent.txt

There is also an option (--save-evt) to dump raw event logs for parsing with external tools:

$ python vol.py -f WinXPSP1x64.vmem --profile=WinXPSP2x64 evtlogs
--save-evt -D output
Volatility Foundation Volatility Framework 2.4
Saved raw .evt file to appevent.evt
Parsed data sent to appevent.txt
Saved raw .evt file to secevent.evt
Parsed data sent to secevent.txt
Saved raw .evt file to sysevent.evt
Parsed data sent to sysevent.txt

Other Windows systems

You can use EVTXtract, a python script developed by Willi Ballenthin that recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images:

EVTX records are XML fragments encoded using a Microsoft-specific binary XML representation. Despite the convenient format, it is not easy to recover EVTX event log records from a corrupted file or unallocated space. This is because the complete representation of a record often depends on other records found nearby. The event log service recognizes similarities among records and refactors commonalities into “templates”. A template is a fixed structure with placeholders that reserve space for variable content. The on-disk event log record structure is a reference to a template, and a list of substitutions (the variable content the replaces a placeholder in a template). To decode a record into XML, the event log service resolves the template and replaces its placeholders with the entries of the substitution array. Therefore, template corruption renders many records unrecoverable within the local 64KB “chunk”. However, the substitution array for the remaining records may still be intact. If so, it may be possible to produce XML fragments that match the original records if the damaged template can be reconstructed. For many common events, such as process creation or account logon, empirical testing demonstrates the relevant templates remain mostly constant. In these cases, recovering event log records boils down to identifying appropriate templates found in other EVTX chunks.


Installation

Install EVTXtract using pip:

pip install evtxtract

Usage

./evtxtract    /path/to/evidence    >   /path/to/output.xml

More information and downloads

https://github.com/williballenthin/EVTXtract


Suggested readings

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Memory forensics provides cutting edge technology to help investigate digital attacks Memory forensics is the art of…www.amazon.it

Comments