file analysis chapter 5 – harlan carvey event logs file metadata
Post on 22-Dec-2015
Event Logs
Logging Events
• Events
• Logging Events
• Event Log Format
• Event Record Structure
• Various Logs
Usual Event Logs
• Application
  • Log of application errors, warnings and information
• Security
  • Dropped packets, successful connections
  • Logon/Logoffs
• System
  • Various device events
Security Logging - XP
• Not on by default
• Log size is 512 KB by default
• Control Panel -> Administrative Tools -> Local Security Policy
Log Viewer
• Event Viewer
  • Control Panel -> Administrative Tools -> Event Viewer
• Application, Security and System logs available
• Event Properties
  • DTG (date-time group) of the event
  • Important for some timelines
Event Viewer
• Convenient and pretty
• Works only on live systems
• Does not work on a forensics image
• We have to parse the event logs
Event Logs
• Binary Structure
• Header and a series of records
• Event ID formats
  • http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
• Application logs are vendor specific
  • EventID.net is a good source for this info - $$$
  • blogs.msdn.com/ericfiz/default.aspx
  • www.microsoft.com/technet/support/ee/ee_advanced.aspx
Event Log File Format
XP only
• Event Log Header – 12 DWORD values
• Event Records – Variable length
• Windows 7 & Vista
  • http://www.dfrws.org/2007/proceedings/p65-schuster.pdf
  • http://computer.forensikblog.de/files/talks/SANS_Summit_Vista_Event_Log.pdf
Event Log Header Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
16      4 bytes  Offset within the .evt file of the oldest event record
20      4 bytes  Offset within the .evt file of the next event record to be written
24      4 bytes  ID of the next event record
28      4 bytes  ID of the oldest event record
32      4 bytes  Maximum size of the .evt file (from the registry)
40      4 bytes  Retention time of event records (from the registry)
44      4 bytes  Size of the record (repeat of the first DWORD)
Event Record Structure
Offset  Size     Description
0       4 bytes  Size of the record (Header = 0x30, Event = 0xF4)
4       4 bytes  Magic number 0x4C 66 4C 65 = LfLe
8       4 bytes  Record number
12      4 bytes  Time generated
16      4 bytes  Time written
20      4 bytes  Event ID – locates the message file/dll/exe
24      2 bytes  Event type (0x01 = Error, 0x02 = Warning, 0x04 = Info, 0x08 = Success, 0x10 = Failure)
26      2 bytes  Number of strings
28      2 bytes  Event category
30      2 bytes  Reserved flags
32      4 bytes  Closing record number
36      4 bytes  String offset
40      4 bytes  Length of the user SID
44      4 bytes  Offset to the user SID within this event record
48      4 bytes  Data length; length of the binary data associated with this event record
52      4 bytes  Offset to data
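As an added example (not Carvey's code and not part of these slides), the following Python reads an .evt header and its records at the offsets given in the two tables above, checking the magic and the repeated size DWORD the way a parser must when the Windows API is bypassed and the file may be corrupted. The sample log bytes are constructed inline; reading the time fields as 32-bit Unix timestamps and the source and computer names as UTF-16LE strings after the 56 fixed bytes follows the Windows EVENTLOGRECORD layout rather than the slides, and header fields the table does not list are left zero.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"  # 0x4C 0x66 0x4C 0x65 at offset 4 of the header and of every record
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Success Audit", 16: "Failure Audit"}

def _utf16z(buf, pos):  # NUL-terminated UTF-16LE string -> (text, position after the terminator)
    end = next(i for i in range(pos, len(buf) - 1, 2) if buf[i:i + 2] == b"\0\0")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_header(buf):  # header fields at the offsets in the slide table (little-endian DWORDs)
    size, magic = struct.unpack_from("<I4s", buf, 0)
    oldest_off, next_off, next_id, oldest_id = struct.unpack_from("<4I", buf, 16)
    end_size = struct.unpack_from("<I", buf, 44)[0]  # must repeat the first DWORD
    if size != 0x30 or magic != MAGIC or end_size != size:
        raise ValueError("not a consistent .evt header (corrupted or truncated?)")
    return {"oldest_offset": oldest_off, "next_offset": next_off, "next_id": next_id, "oldest_id": oldest_id}

def parse_record(buf, off):  # one record; the trailing size DWORD must repeat the leading one
    size, magic = struct.unpack_from("<I4s", buf, off)
    if (magic != MAGIC or size < 60 or off + size > len(buf)
            or struct.unpack_from("<I", buf, off + size - 4)[0] != size):
        raise ValueError(f"record at offset {off}: bad magic or size fields disagree")
    rec_no, t_gen, _written, event_id, ev_type, n_str, _cat, _flags, _closing, str_off = \
        struct.unpack_from("<4I4H2I", buf, off + 8)
    source, pos = _utf16z(buf, off + 56)  # source name, then computer name, follow the fixed fields
    computer, _ = _utf16z(buf, pos)
    strings, pos = [], off + str_off
    for _ in range(n_str):
        s, pos = _utf16z(buf, pos)
        strings.append(s)
    return {"record": rec_no, "generated": datetime.fromtimestamp(t_gen, timezone.utc),
            "event_id": event_id & 0xFFFF,  # Event Viewer shows the low word (e.g. 528)
            "type": EVENT_TYPES.get(ev_type, hex(ev_type)), "source": source, "computer": computer, "strings": strings}

def build_sample_log():  # constructed .evt image: 48-byte header plus one Success Audit record
    when = int(datetime(2015, 12, 22, 9, 30, tzinfo=timezone.utc).timestamp())
    names = "Security\0WS1\0".encode("utf-16-le")  # source name, computer name
    strs = "jdoe\0WS1\0(0x0,0x3E7)\0".encode("utf-16-le")  # three insertion strings
    size = 56 + len(names) + len(strs) + 4
    rec = struct.pack("<I4s4I4H6I", size, MAGIC, 1, when, when, 528, 8, 3, 0, 0, 1, 56 + len(names), 0, 0, 0, 0)
    hdr = struct.pack("<I4s10I", 0x30, MAGIC, 0, 0, 0x30, 0x30 + size, 2, 1, 512 * 1024, 0, 0, 0x30)
    return hdr + rec + names + strs + struct.pack("<I", size)

def iter_events(buf):  # walk records from the oldest offset up to the next-to-write offset
    hdr = parse_header(buf)
    off = hdr["oldest_offset"]
    while off < hdr["next_offset"]:
        yield parse_record(buf, off)
        off += struct.unpack_from("<I", buf, off)[0]
```

Point `iter_events` at the bytes of a real .evt file (read in binary mode) to get one dictionary per record; a record whose leading and trailing sizes disagree is reported rather than silently skipped.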
Carvey’s Help
• Best not to depend on the Windows API to read the Event files
• They can be corrupted
• The API may miss the record that is next to be overwritten
• Provides summary stats
• Provides output readable in Excel
lsevt2.exe
• One entry for each of the 2464 event records
• Puts it into an Excel-readable format
lsevt -f event_file -c > save_file.csv
Identify Separators
Harlan’s stuff is separated by semicolons.
With Perl knowledge you could change it.
IE Browsing History
• Index.dat files
• DiscoverPro
• NetAnalysis
• Index dat spy
• SuperWinSpy
• Be careful !!!
Enabling Firewall Logging
• Control Panel -> Security Center -> Windows Firewall -> Advanced
• Follow your nose
Recycle Bin
• C:\RECYCLER
  • Each user gets his own folder
  • The folder is named with the user's SID
  • Each has its own INFO2 file
INFO2 File Structure
• Header
  • 16 bytes
  • Final 4 bytes (DWORD) is the size of each record: 0x320 (little endian) = 800 bytes
• Records
  • Record # at offset 264 within the record
  • Drive designator at offset 268: 2 = C:\, 3 = D:\, etc.
  • File size in clusters at offset 280
Open INFO2 in WinHex
• Very hard
  • File -> Open
  • Navigate to C:\RECYCLER
  • Open it
  • Select a SID folder
  • Open it. It may say you don't have privileges
  • Type \INFO2
  • Try again!
  • Maybe
File Metadata
MAC Times
OS - OS       Action  From  To    Create time  Modification time
FAT to FAT    Copy    C:\   C:\   Updated      Unchanged
FAT to FAT    Move    C:\   C:\   Unchanged    Unchanged
FAT to NTFS   Copy                Updated      Unchanged
FAT to NTFS   Move                Unchanged    Unchanged
NTFS to NTFS  Copy    C:\   C:\   Updated      Unchanged
NTFS to NTFS  Move    C:\   C:\   Unchanged    Unchanged
Word Documents
• Document location
• Statistics
• Magic number
• Version and Language
• Last 10 authors
• MACPS times
  • Modified, accessed, created, printed, saved
MergeStreams
• Insert a spreadsheet into a word document
• Call it .doc – you see the Word document
• Call it .xls – you see the spreadsheet
• All sorts of uses
  • Smuggling out forecasts
  • Sharing pictures on the corporate server