Windows event logs in forensic analysis

On Windows systems, event logs contain a lot of useful information about the system and its users.

Depending on the logging level enabled and the version of Windows installed, event logs can provide investigators with details about applications, login timestamps for users and system events of interest.

The number and types of events logged differ according to the version of Windows installed on the system under investigation.

In fact, the events logged by a Windows XP machine may be incompatible with an event log analysis tool designed for Windows 8.

For example, Event ID 551 on a Windows XP machine refers to a logoff event; the Windows Vista/7/8 equivalent is Event ID 4647.

Windows XP events can be converted to Vista events by adding 4096 to the Event ID.

Windows versions since Vista include a number of new events that are not logged by Windows XP systems.
Windows Server editions log a larger number and a wider variety of events.

Thus, the exact version of the Windows system must be considered very carefully when developing a digital forensic process centered on event logs.

By default, a Windows system is set to log a limited number of events, but it can be modified to include actions such as file deletions and changes.

The default locations of Windows event logs are typically:

Windows 2000/Server2003/Windows XP:

%SystemRoot%\System32\Config\*.evt

Windows Vista/7/Server2008:

%SystemRoot%\System32\winevt\Logs\*.evtx

This can be changed by a user by modifying the File value of the following registry keys under HKEY_LOCAL_MACHINE (HKLM) on the local machine:

Application Events:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application

Hardware Events:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\HardwareEvents

Security Events:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security

System Events:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\System

When a custom path is used, a key is generated at the registry location:

HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Channels\[logname]

(e.g., Microsoft-Windows-Audio\CaptureMonitor)


Useful events for forensic analysis

Event ID         Event ID                 Description                                                                              Log Name
(2000/XP/2003)   (Vista/7/8/2008/2012)
528              4624                     Successful Logon                                                                         Security
529              4625                     Failed Login                                                                             Security
680              4776                     Successful/Failed Account Authentication                                                 Security
624              4720                     A user account was created                                                               Security
636              4732                     A member was added to a security-enabled local group                                     Security
632              4728                     A member was added to a security-enabled global group                                    Security
2934             7030                     Service Creation Errors                                                                  System
2944             7040                     The start type of the IPSEC Services service was changed from disabled to auto start.    System
2949             7045                     Service Creation                                                                         System



Logon Type Codes

One of the useful pieces of information that a Successful/Failed Logon event provides is how the user or process tried to log on (the Logon Type). Windows records this as a number; the logon types and their meanings are listed below:

Logon type   Logon title        Description
2            Interactive        A user logged on to this computer.
3            Network            A user or computer logged on to this computer from the network.
4            Batch              Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service            A service was started by the Service Control Manager.
7            Unlock             This workstation was unlocked.
8            NetworkCleartext   A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
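The two tables above and the +4096 conversion rule can be combined into a small triage routine. The following is an added example (not code from the original article or from any of the tools listed below): it decodes records in the Windows Event XML schema, maps 2000/XP/2003 Event IDs to their Vista+ equivalents, translates the numeric Logon Type, and keeps only events from the table of forensically useful IDs. The XML records, timestamps and user names are constructed for the example; the XP record is assumed to have been exported into the same XML shape.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Event XML schema

# Vista/7/8-era IDs from the table above -> (description, log name).
INTERESTING = {
    4624: ("Successful Logon", "Security"), 4625: ("Failed Login", "Security"),
    4776: ("Successful/Failed Account Authentication", "Security"),
    4720: ("A user account was created", "Security"),
    4732: ("A member was added to a security-enabled local group", "Security"),
    4728: ("A member was added to a security-enabled global group", "Security"),
    7030: ("Service Creation Errors", "System"),
    7040: ("Service start type changed", "System"), 7045: ("Service Creation", "System"),
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext"}

def normalize_event_id(event_id, windows_major):
    """2000/XP/2003 (NT major version < 6) IDs map to Vista+ IDs by adding 4096."""
    return event_id + 4096 if windows_major < 6 else event_id

def parse_record(xml_text, windows_major=6):
    """Decode one event record; description/log are None if the ID is not of interest."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    eid = normalize_event_id(int(system.find("e:EventID", NS).text), windows_major)
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    desc, log = INTERESTING.get(eid, (None, None))
    rec = {"event_id": eid, "description": desc, "log": log,
           "time": system.find("e:TimeCreated", NS).get("SystemTime"),
           "user": data.get("TargetUserName")}
    if eid in (4624, 4625):  # logon events carry the numeric LogonType field
        code = int(data.get("LogonType", "-1"))
        rec["logon_type"] = LOGON_TYPES.get(code, "Unknown(%d)" % code)
    return rec

def triage(xml_records, windows_major=6):
    """Keep only records matching the table of forensically useful events."""
    return [r for r in (parse_record(x, windows_major) for x in xml_records)
            if r["description"] is not None]

# Constructed sample records (not real log data), in the Event XML shape.
XML = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
       '<System><EventID>%d</EventID><TimeCreated SystemTime="%s"/></System>'
       '<EventData>%s</EventData></Event>')
DATA = '<Data Name="TargetUserName">%s</Data><Data Name="LogonType">%d</Data>'
VISTA_RECORDS = [XML % (4624, "2014-03-01T10:15:00Z", DATA % ("jsmith", 3)),
                 XML % (1000, "2014-03-01T10:16:00Z", "")]          # ID not in the table
XP_RECORDS = [XML % (529, "2014-03-01T10:17:00Z", DATA % ("admin", 8))]  # XP Failed Login
```

Calling `triage(XP_RECORDS, windows_major=5)` reports the XP ID 529 as 4625 (Failed Login) with logon type NetworkCleartext, while `triage(VISTA_RECORDS)` drops the record whose ID is not in the table.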

Useful tools

Log Parser
Tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
https://www.microsoft.com/en-us/download/details.aspx?id=24659

python-evtx
Python parser for recent Windows Event Log files (.evtx).

EvtxParser
A parser framework for Microsoft Windows Vista event log files in their native binary (.evtx) format.

