1 of 32

Windows Forensics

2 of 32

What is an audit trail?

  • Computer forensics involves examining the audit trail of the systems under investigation

  • An audit trail (also called an audit log) is a security-relevant chronological record, set of records, or destination and source of records that provides documentary evidence of the sequence of activities that have affected, at any time, a specific operation, procedure, or event.

3 of 32

What are events?

  • Any occurrence that the operating system (OS) or a program wants to keep track of or alert the user about
  • Examples of events include:
    • A user logging on to a computer
    • A user logging off a computer
  • The OS logs each event
  • How the OS decides which events to log:
    • Some events are logged automatically by default
    • Other events are logged according to the audit configuration held in the PolAdEvt registry key

4 of 32

What are event logs?

  • Event logs are special files that record significant events on a computer, such as:
    • when a user logs on to the computer
    • when a program crashes
    • when a program starts
  • The operating system records each such event in an event log, which can be read with Event Viewer
  • The details held in event logs are helpful when troubleshooting problems with the operating system and other programs

5 of 32

Examples of Windows Event Logs

  • Application (program) events
  • Setup events
  • Forwarded events
  • Security-related events
  • System events
  • Domain controller events
    • File Replication event logs
    • Directory Service event logs
  • Domain Name Server event logs
    • DNS event logs

6 of 32

Application (program) event logs

  • Depending on their severity, application (program) events are classified as
    • Error
    • Warning
    • Information
  • An error event is a significant problem, such as loss of data.
  • A warning event is not necessarily significant, but might indicate a possible future problem.
  • An information event describes the successful operation of a program, driver, or service

7 of 32

System events log

  • System events are logged by Windows and Windows system services
  • Like application events, they are classified as error, warning, or information

8 of 32

Setup event logs

  • A domain is a Windows concept through which a user may be granted access to a number of computer resources using a single username and password combination.
  • On Microsoft servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.)
  • Computers that are configured as domain controllers will have additional logs displayed here

9 of 32

Forwarded events log

  • The Forwarded Events log contains events sent (forwarded) from other computers

10 of 32

Security-related events log

  • Security-related events are called audits
  • They are recorded as successful or failed depending on the outcome, such as whether a user's attempt to log on to Windows succeeded or not
  • Example: when you mistype your logon password, the system denies access. Such a denial triggers a security-related event, which is logged.

11 of 32

Domain Controller event logs

  • Domain controllers have these logs
    • File Replication event logs
    • Directory Service event logs

12 of 32

Event Viewer

  • We said earlier that events logged by the operating system can be viewed on Windows using Event Viewer.
  • How do we access the Windows Event Viewer?

13 of 32

Accessing Windows 7 Event Viewer

To view the details of an event, double-click it

14 of 32

Windows 7 Event Viewer

15 of 32

Event log format

  • The Windows event log is stored in a binary format with distinct, recognizable features that help an investigator recognize and interpret event log files, or individual event records, on a system, whether they sit in files or in unallocated space.
  • Each event log comprises:
    • A header section
    • A series of records
  • The event log is kept as a circular buffer, so records of older events are discarded as new ones are added.

16 of 32

Structure of event log header

  • Basic features of the event log header:
    • The first 48 bytes of a valid event log file
    • Consists of 12 distinct DWORD values
  • Event record structure (see page 5-3 of the CHFI book):
    • Basic size of the record header is 56 bytes
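
As an added example that is not part of the slides: a small Python parser for the 48-byte header (12 DWORDs) and the 56-byte fixed record structure described above, plus signature-based carving of records from a byte blob, as one would do on unallocated space. Field names follow the ELF_LOGFILE_HEADER and EVENTLOGRECORD structures from the Windows SDK; the sample log bytes, the helper make_record and the function names are constructed for this example.

```python
import struct
from datetime import datetime, timezone
LFLE = b"LfLe"        # signature DWORD 0x654C664C; reads as the text "LfLe" 4 bytes into the header and every record
HEADER_FMT = "<12I"   # 12 DWORD values = 48 bytes (ELF_LOGFILE_HEADER in winnt.h)
HEADER_FIELDS = ("header_size", "signature", "major", "minor", "start_offset", "end_offset",
                 "current_record", "oldest_record", "max_size", "flags", "retention", "end_header_size")
RECORD_FMT = "<6I4H6I"   # fixed 56-byte part of EVENTLOGRECORD; strings, SID and data follow it
RECORD_FIELDS = ("length", "signature", "record_number", "time_generated", "time_written", "event_id",
                 "event_type", "num_strings", "category", "reserved_flags", "closing_record",
                 "string_offset", "sid_length", "sid_offset", "data_length", "data_offset")

def parse_header(buf):
    """Decode and validate the 48-byte header; its flags say whether the circular buffer has wrapped."""
    h = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, buf, 0)))
    if h["header_size"] != 0x30 or h["end_header_size"] != 0x30 or buf[4:8] != LFLE:
        raise ValueError("not a valid .evt header")
    h["dirty"] = bool(h["flags"] & 0x1)     # ELF_LOGFILE_HEADER_DIRTY: log was not closed cleanly
    h["wrapped"] = bool(h["flags"] & 0x2)   # ELF_LOGFILE_HEADER_WRAP: oldest records have been overwritten
    return h

def parse_record(buf, off):
    """Decode the fixed part of one record starting at offset `off`."""
    r = dict(zip(RECORD_FIELDS, struct.unpack_from(RECORD_FMT, buf, off)))
    r["event_code"] = r["event_id"] & 0xFFFF   # the low word is the event ID Event Viewer displays
    r["generated"] = datetime.fromtimestamp(r["time_generated"], timezone.utc)   # seconds since 1970
    return r

def carve_records(blob):
    """Recover records by signature, as on unallocated space, without trusting the header offsets."""
    found, pos = [], blob.find(LFLE)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + 56 <= len(blob):
            r = parse_record(blob, start)
            if 56 <= r["length"] <= len(blob) - start:   # the header (length 0x30) and junk hits fail here
                found.append(r)
        pos = blob.find(LFLE, pos + 4)
    return found

def make_record(number, event_id, event_type, ts):
    """Constructed 68-byte record with no strings/SID/data: fixed part, 8 pad bytes, trailing length copy."""
    fixed = struct.pack(RECORD_FMT, 68, 0x654C664C, number, ts, ts, event_id, event_type,
                        0, 0, 0, 0, 56, 0, 0, 0, 56)
    return fixed + b"\x00" * 8 + struct.pack("<I", 68)
# Constructed sample: dirty header, then event 612 (audit policy change, Audit Success = 8) and
# event 7035 (Service Control Manager, Information = 4), both generated on 2008-01-10 21:20 UTC.
SAMPLE_TS = 1_200_000_000
SAMPLE_LOG = (struct.pack(HEADER_FMT, 0x30, 0x654C664C, 1, 1, 0x30, 0x30 + 2 * 68, 3, 1, 0x80000, 1, 0, 0x30)
              + make_record(1, 612, 8, SAMPLE_TS) + make_record(2, 7035, 4, SAMPLE_TS + 60))
```

Running parse_header(SAMPLE_LOG) and carve_records(SAMPLE_LOG) shows the dirty flag set and both constructed records recovered with their IDs, types and UTC timestamps.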

17 of 32

An application program event log

18 of 32

IIS Logs

  • Microsoft Internet Information Services (IIS), formerly Internet Information Server, is a popular web server platform
  • A good way to uncover attempts to compromise an IIS server, or to view the details of a successful exploit, is to examine the log directory %WinDir%\System32\LogFiles
  • A scripting language can be used to open the files in each subfolder and search them during an investigation

19 of 32

Virtual Servers in IIS

  1. Open Windows Explorer
  2. In the address bar, type

%WinDir%\System32\LogFiles

  3. Press Enter

20 of 32

How to activate IIS

Before that, you have to enable IIS in Windows:

  • Start
  • Control Panel
  • Programs
  • Turn Windows features on or off
  • Check the IIS services (4th and 5th checkboxes)
  • OK
  • Restart the system

21 of 32

Parsing Windows Firewall Logs

  • When logging is enabled, the Windows Firewall log is kept in the file

%SystemRoot%\pfirewall.log

  • Data is stored in the file objects.data, which is located in C:\Windows\System32\wbem\Repository\
  • When the Windows Firewall log is opened in a text editor, the header is visible at the top. This header describes
    • The software, version, time format, and other fields
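
An added example, not from the slides, that serves both the IIS log slide and this firewall slide: pfirewall.log and the IIS logs under %WinDir%\System32\LogFiles both use a W3C-style text format whose "#Fields:" header line names the columns, so one parser reads either, and a directory walk can run it over every subfolder. The sample firewall lines and the helper names (parse_w3c, dropped_by_source, scan_logfiles) are constructed for this example, not Microsoft's.

```python
from collections import Counter
from pathlib import Path

def parse_w3c(lines):
    """Yield one dict per data line. '#Fields:' names the columns; other '#' lines are header metadata."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):                # #Version, #Software, #Time Format, #Fields, #Date
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):          # truncated or partially overwritten line:
            continue                            # skip it rather than guess the column alignment
        yield dict(zip(fields, values))

def dropped_by_source(lines):
    """Windows Firewall: count DROP entries per source IP, most frequent first."""
    counts = Counter(r["src-ip"] for r in parse_w3c(lines) if r["action"] == "DROP")
    return counts.most_common()

def scan_logfiles(root, predicate):
    """Open every *.log under each subfolder of LogFiles (W3SVC1, HTTPERR, ...) and keep matching records."""
    hits = []
    for path in sorted(Path(root).rglob("*.log")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend((path.name, r) for r in parse_w3c(fh) if predicate(r))
    return hits

# Constructed pfirewall.log excerpt (addresses are documentation ranges, not real hosts); last line is cut short.
FIREWALL_SAMPLE = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 21:20:00 DROP TCP 203.0.113.5 192.168.1.10 51234 445 52 S 1 0 8192 - - - RECEIVE
2024-01-10 21:20:01 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 1 0 8192 - - - RECEIVE
2024-01-10 21:20:02 ALLOW UDP 192.168.1.10 192.168.1.1 53412 53 0 - - - - - - - SEND
2024-01-10 21:20:03 DROP TCP 198.51.100.7 192.168.1.10 40000 22 52 S 1 0 8192 - - - RECEIVE
2024-01-10 21:20:04 DROP TCP 198.51.100.7
""".splitlines()
```

For IIS, call scan_logfiles with the LogFiles root and a predicate on the IIS columns (for example an sc-status of "500"); the same parser applies because the "#Fields:" line defines the columns.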

22 of 32

Tasks

  • Study the header of the basic event log of the operating system on your laptop/computer. Note the type of OS.

  • Analyze the log files of:
    • DHCP Server
    • Windows firewall

23 of 32

What is account auditing?

  • Whenever you are connected to the Internet, you are at risk. Anyone can try to access your system, and if enhanced security is not implemented, the hacker can steal your confidential data
  • Account Auditing lets you see who may be trying to break into your account.
  • If you have enabled the Account Auditing settings, such events are logged on the system, and you can view these log files at any time to see whether someone is accessing your system.

24 of 32

Examining auditing-policy change events

  • Attackers on a system often attempt to disable auditing
  • Modifications to the audit policy are recorded as event ID 612
  • A computer forensics investigator can deduce what changes were made by looking at the event ID 612 entries and comparing the old and new policies
  • Because the audit policy of a domain controller takes precedence over the local audit policy of individual computers, attackers have a difficult task in completely disabling auditing

25 of 32

How do we enable Account Auditing Settings?

27 of 32

Examining system log entries

  • The System event log records events relating to system behaviour, e.g.
    • Operating system changes
    • Hardware configuration changes
    • Starting and stopping of services
    • Installation of device drivers
  • The Service Control Manager sends a message with event ID 7035 to the System event log whenever a service is stopped

28 of 32

Examining application log entries

  • The Application event log contains messages from both the operating system and various programs, e.g.
    • Desktop application programs like MS Word
    • Antivirus and security software, including scanning activities and the discovery of malware
  • Users can use the Microsoft program logevent.exe to write customized messages to the log
  • Virtual Network Computing (VNC) and Windows Remote Desktop allow remote connections. The VNC application records connections to the VNC server, including the source IP address and port number, in the Application log

29 of 32

Windows Event Log File Internals

  • Windows event log files are essentially databases holding the records related to the
    • System → SysEvent.evt
    • Security → SecEvent.evt
    • Applications → AppEvent.evt
  • These event log files are stored in the folder %SystemRoot%\system32\config
  • NOTE: .evt is the file extension for log files used by Windows Event Viewer

30 of 32

What is Windows Event Log Parser?

  • Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as
    • log files, XML files and CSV files
  • as well as key data sources on the Windows® operating system such as
    • the Event Log,
    • the Registry,
    • the file system, and
    • Active Directory®

31 of 32

Popular Windows forensic analysis tools: Word Extractor

  • Word Extractor is a hacking tool that extracts human-readable words from binary computer files
    • Binary files → human-readable words
  • A hacker can use this tool to attempt to find hidden text or passwords in a file
  • Features of Word Extractor:
    • Supports drag and drop and text wrapping
    • Saves results as text or RTF files
    • Replaces non-human-readable words with spaces or dots for better visibility

32 of 32

Thank You
