Module 11: Log Analysis
Page 1 of 19
Contents
11.1 Learning Objectives ........................................................................................................... 3
11.2 Introduction ........................................................................................................................ 3
11.3 Windows registry ............................................................................................................... 4
11.3.1 Registry and forensics ................................................................................................. 5
11.3.1.1 System information .............................................................................................. 5
11.4 Windows event log file ...................................................................................................... 7
11.4.1 Windows Event Log File Format ................................................................................ 7
11.4.2 Reading from Windows event log file ........................................................................ 9
11.4.3 Using Microsoft log parser ....................................................................................... 10
11.4.4 Understanding Windows user account management logs ........................................ 11
11.4.5 Understanding Windows file and other object Access sets ...................................... 12
11.4.6 Auditing policy change ............................................................................................. 12
11.5 Windows password storage.............................................................................................. 12
11.5.1 SAM .......................................................................................................................... 12
11.5.1.1 Removing LM hash............................................................................................ 13
11.5.1.2 Related attacks ................................................................................................... 13
11.5.2 AD ............................................................................................................................. 13
11.6 Summary .......................................................................................................................... 14
11.7 Check Your Progress ....................................................................................................... 14
11.8 Further Readings .............................................................................................................. 15
References, Article Source & Contributors..................................................................... 15
Logs and Event Analysis
11.2 Introduction
In this chapter we discuss two aspects of Windows (and other) systems that play a vital role
in forensics: event logs and password cracking. In computer log management and
intelligence, log analysis (or system and network log analysis) is the art and science of
making sense of computer-generated records (also called log or audit-trail records). The
process of creating such records is called data logging. Typical reasons why people perform
log analysis are:
The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity
or other security-related events specified by the system's audit policy. Auditing allows
administrators to configure Windows to record operating system activity in the Security Log.
Event logging provides system administrators with information useful for diagnostics and
auditing. The different classes of events that will be logged, as well as what details will appear
in the event messages, are often considered early in the development cycle. Many event logging
technologies allow or even require each class of event to be assigned a unique "code", which
is used by the event logging software or a separate viewer (e.g., Event Viewer) to format and
output a human-readable message. This facilitates localization and allows system
administrators to more easily obtain information on problems that occur.
11.3 Windows registry
The Windows registry is also an important source of log-like information. Besides
configuration settings it holds a variety of keys in which records of events, attached
devices and user activity are kept, and these can be vital during a digital forensic
investigation.
11.3.1 Registry and forensics
An investigator can acquire a good deal of information by studying and analysing the
registry. Tools such as ProDiscover and its ProScript scripting language are handy for
analysing registry entries. Registry entries yield much of the information needed in a
forensic analysis: system and time-zone settings, shares, audit policy, wireless SSIDs,
auto-start locations, user logins and activities, USB removable devices, trusted devices,
cache, cookies, history and so on.
Table 1 lists a few important keys and their paths. The information acquired from these
keys should be recorded with a tool such as EnCase and can support many conclusions when
building the case.
The computer name is the name the user gives to the computer. It is usually set once in
the lifetime of the system, so it can be used to trace the user's activity on the network
and the internet. The time of last shutdown is the time at which the system was last
cleanly shut down.
This information, correlated with the timestamps of various files, gives an idea of what
the user was doing and when. Users sometimes create shared folders and applications for
others to use over the local network or the internet (remote desktops); the registry
records these shares, so an investigator can see what the user was trying to share and
analyse the timestamps of the shared files and folders. The audit policy settings are
useful because they tell the investigator which types of events to expect (and not to
expect) in the event log. The service set identifiers (SSIDs) of the wireless networks
Windows has joined are useful where unauthorised access has to be investigated and IP
addresses traced.
Artefacts of USB devices connected to the computer are registered by the Plug and Play
(PnP) manager. Each USB storage device gets a subkey under
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (the key path listed in Table 1) named
Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, with one subkey per device instance named
after the device's serial number. Together with the volume entries under
HKLM\SYSTEM\MountedDevices this establishes which removable devices were attached and under
which drive letter, evidence that is often vital to a case. Many applications maintain
most-recently-used (MRU) lists of files recently opened or created; the search assistant
keeps MRU lists of search terms, and MRU lists of connected systems (remote desktop hosts,
mapped drives) are maintained as well. These lists help reconstruct the user's activity
just before the incident. System restore points show how and when backups were created and
preserve an older state of the user's work.
Events are occurrences or triggers of an activity, and the operating system logs some of
them. The audit configuration that determines which events get logged is stored in the
registry under HKLM\SECURITY\Policy\PolAdtEv (a binary value in the SECURITY hive, which by
default only SYSTEM can read, so it is usually examined from an offline copy of the hive or
with auditpol). The individual event logs are configured under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log>
The logs can also be viewed with Event Viewer, reached from Administrative Tools in the
Control Panel (see Figure 1, Figure 2 and Figure 3).
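The following Python script is added here as an example and is not part of the module. It decodes the kinds of values described above: the ShutdownTime FILETIME, the USBSTOR device and instance key names, and the MountedDevices entries that link a drive letter to a particular USB stick. The key names and value encodings are those of a live HKLM\SYSTEM hive; the sample values themselves are constructed, and the computer name, serial numbers, disk signature and drive letters are invented.

```python
"""Helpers for the registry artefacts discussed above (added example, not from the
module). All values are CONSTRUCTED in the shape winreg / Get-ItemProperty return
them; nothing is read from a live system."""
import re
from datetime import datetime, timedelta, timezone

# HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime is a REG_BINARY
# FILETIME: 64-bit little-endian count of 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw: bytes) -> datetime:
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return EPOCH_1601 + timedelta(microseconds=int.from_bytes(raw, "little") // 10)

# Subkeys of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR are named
# <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>; below each sits one subkey
# per device instance, named <serial>&<interface>.
USBSTOR_KEY = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

def parse_usbstor_key(name: str) -> dict:
    m = USBSTOR_KEY.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {name!r}")
    return m.groupdict()

def parse_instance_id(instance: str) -> dict:
    """A '&' as the second character means the device reported no serial number and
    Windows generated this ID, so it will not identify the same stick on another PC."""
    serial, _, iface = instance.rpartition("&")
    return {"serial": serial, "interface": iface, "unique": instance[1:2] != "&"}

USB_PREFIX = "_??_USBSTOR#".encode("utf-16-le")

def mounted_usb_volumes(mounted_devices: dict) -> dict:
    """Map drive letters to USB devices via HKLM\\SYSTEM\\MountedDevices. Removable
    volumes carry a UTF-16LE device path; fixed disks carry a 12-byte
    disk-signature-plus-partition-offset blob, which is skipped here."""
    letters = {}
    for value_name, data in mounted_devices.items():
        if not value_name.startswith("\\DosDevices\\") or not data.startswith(USB_PREFIX):
            continue
        _, device_key, instance, _guid = data.decode("utf-16-le").split("#", 3)
        letters[value_name[-2:]] = {**parse_usbstor_key(device_key), **parse_instance_id(instance)}
    return letters

def usb_device_report(usbstor: dict, mounted_devices: dict) -> list:
    """One row per USB storage instance seen by PnP, with the drive letter it was
    last mounted under, if MountedDevices still has it."""
    by_serial = {v["serial"]: letter for letter, v in mounted_usb_volumes(mounted_devices).items()}
    rows = []
    for key, instances in usbstor.items():
        dev = parse_usbstor_key(key)
        for inst in instances:
            info = parse_instance_id(inst)
            rows.append({**dev, **info, "drive": by_serial.get(info["serial"])})
    return rows

# Constructed sample values (not from a real machine).
SAMPLE = {
    "ComputerName": "WS-FIN-07",
    "ShutdownTime": bytes.fromhex("0034f0541857d901"),
    "USBSTOR": {
        "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230518113525&0"],
        "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a1b3c4d&0"],
    },
    "MountedDevices": {
        "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x100000).to_bytes(8, "little"),
        "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
                             "4C530001230518113525&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                             ).encode("utf-16-le"),
    },
}

if __name__ == "__main__":
    print(SAMPLE["ComputerName"], "last shut down", filetime_to_datetime(SAMPLE["ShutdownTime"]))
    for row in usb_device_report(SAMPLE["USBSTOR"], SAMPLE["MountedDevices"]):
        print(row)
```

On a live system the same functions apply to values read with winreg (or, for an image, from the SYSTEM hive with a hive parser). The "unique" flag matters when matching a device across machines: a generated instance ID like 7&2a1b3c4d&0 is specific to the host that generated it, not to the stick.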
Figure 2: Event Viewer.
11.4 Windows event log file
11.4.1 Windows Event Log File Format
(Source: www.forensicswiki.org/wiki/Windows_Event_Log_(EVT).)
The Windows XML Event Log (EVTX) format was introduced in Windows Vista as a replacement
for the Windows Event Log (EVT) format described in this section. EVT files (.evt) are
what Windows NT 4.0, 2000, XP and Server 2003 produce, and their structures are given below.
Whenever an application needs to log an event (or is configured in the registry to log
one), it calls the ReportEvent function. The event-logging service builds an
EVENTLOGRECORD structure from the supplied parameters and appends it to the log (see
Figure 3).
Figure 3: Event logs and reporting in Windows.
The event records are organized in either a non-wrapping or a wrapping way. Non-wrapping
is the simple case: records are appended between the header and the EOF record, and the
EOF record moves towards the end of the file as records are added.
Non-wrapping:
HEADER (ELF_LOGFILE_HEADER)
EVENT 1 (EVENTLOGRECORD)
EVENT 2 (EVENTLOGRECORD)
•
•
•
EVENT N (EVENTLOGRECORD)
EOF RECORD (ELF_EOF_RECORD)
Wrapping:
HEADER (ELF_LOGFILE_HEADER)
PART OF EVENT N (EVENTLOGRECORD)
•
•
•
Wrapping mode uses the file circularly. Once the log has reached its maximum size, a new
record that does not fit before the physical end of the file is split: its first part is
written at the end and the remainder continues immediately after the header, and
subsequent records overwrite the oldest ones. The header's StartOffset and EndOffset
fields, together with the ELF_LOGFILE_HEADER_WRAP flag, tell a reader where the oldest
record and the EOF record currently are; a reader that simply walks forward from the
header would otherwise start in the middle of record N.
11.4.2 Reading from Windows event log file
An event viewer application such as Windows Event Viewer or Log Parser uses the
OpenEventLog function to open the event log for an event source, then calls the
ReadEventLog function to read event records from the log. Figure 4 illustrates this
process.
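As an added example (not code from the module, Microsoft or Log Parser), the Python below builds a small EVT-format log in memory from the three structures described in 11.4.1 and then reads it back without OpenEventLog/ReadEventLog, by carving EVENTLOGRECORD structures on their "LfLe" signature. That is what is needed for a copied, wrapped or dirty .evt file on an analysis workstation. The event IDs 528 and 529 are the Windows 2000/XP Security log IDs for a successful and a failed logon; the computer name, user name and address in the sample are constructed.

```python
"""Parse the EVT layout described above without the Win32 API (added example, not
from the module or Microsoft). The log is CONSTRUCTED in memory from the documented
ELF_LOGFILE_HEADER / EVENTLOGRECORD / ELF_EOF_RECORD structures; no file is read."""
import struct
from datetime import datetime, timezone

SIG = 0x654C664C                    # "LfLe" read as a little-endian DWORD
HDR_FMT, HDR_LEN = "<12I", 48       # ELF_LOGFILE_HEADER: 12 DWORDs
REC_FMT, REC_FIXED = "<6I4H6I", 56  # fixed part of EVENTLOGRECORD
REC_FIELDS = ("length", "signature", "record_number", "time_generated", "time_written",
              "event_id", "event_type", "num_strings", "category", "reserved_flags",
              "closing_record_number", "string_offset", "sid_length", "sid_offset",
              "data_length", "data_offset")
EVENT_TYPES = {1: "ERROR", 2: "WARNING", 4: "INFORMATION", 8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}

def _wstr(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

def build_record(number, when, event_id, event_type, source, computer, strings):
    """Serialise one EVENTLOGRECORD (no SID and no binary data section)."""
    body = _wstr(source) + _wstr(computer)
    body += b"\x00" * (-len(body) % 4)      # SID would follow here, DWORD aligned
    string_offset = REC_FIXED + len(body)
    body += b"".join(_wstr(s) for s in strings)
    data_offset = REC_FIXED + len(body)
    body += b"\x00" * (-len(body) % 4)      # Length must be a DWORD multiple
    length = REC_FIXED + len(body) + 4      # +4: trailing copy of Length
    fixed = struct.pack(REC_FMT, length, SIG, number, when, when, event_id, event_type,
                        len(strings), 0, 0, 0, string_offset, 0, 0, 0, data_offset)
    return fixed + body + struct.pack("<I", length)

def build_log(records, max_size=0x80000) -> bytes:
    """Non-wrapping layout: HEADER, EVENT 1 .. EVENT N, EOF RECORD."""
    start, end = HDR_LEN, HDR_LEN + sum(map(len, records))
    oldest = struct.unpack_from("<I", records[0], 8)[0]
    nxt = struct.unpack_from("<I", records[-1], 8)[0] + 1
    header = struct.pack(HDR_FMT, HDR_LEN, SIG, 1, 1, start, end, nxt, oldest,
                         max_size, 0, 0, HDR_LEN)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      start, end, nxt, oldest, 0x28)
    return header + b"".join(records) + eof

def read_wstr(buf: bytes, pos: int):
    """NUL-terminated UTF-16LE string; step two bytes at a time to stay aligned."""
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_header(buf: bytes) -> dict:
    h = struct.unpack_from(HDR_FMT, buf, 0)
    if h[0] != HDR_LEN or h[1] != SIG:
        raise ValueError("not an EVT file")
    return {"start_offset": h[4], "end_offset": h[5], "next_record": h[6],
            "oldest_record": h[7], "dirty": bool(h[9] & 1), "wrapped": bool(h[9] & 2)}

def parse_record(buf: bytes, off: int):
    """The record starting at `off`, or None if no complete, consistent record is there."""
    if off < 0 or off + REC_FIXED > len(buf):
        return None
    rec = dict(zip(REC_FIELDS, struct.unpack_from(REC_FMT, buf, off)))
    n = rec["length"]
    if (rec["signature"] != SIG or n < REC_FIXED + 4 or off + n > len(buf)
            or struct.unpack_from("<I", buf, off + n - 4)[0] != n
            or not REC_FIXED <= rec["string_offset"] <= n):
        return None
    rec["source"], pos = read_wstr(buf, off + REC_FIXED)
    rec["computer"], _ = read_wstr(buf, pos)
    pos, rec["strings"] = off + rec["string_offset"], []
    for _ in range(rec["num_strings"]):
        s, pos = read_wstr(buf, pos)
        rec["strings"].append(s)
    rec["event_id"] &= 0xFFFF           # Event Viewer shows only the low word
    rec["type_name"] = EVENT_TYPES.get(rec["event_type"], "UNKNOWN")
    rec["time_generated"] = datetime.fromtimestamp(rec["time_generated"], timezone.utc)
    return rec

def carve_records(buf: bytes) -> list:
    """Carve by signature instead of following StartOffset, so wrapped and dirty logs
    work too; the record split across the wrap point fails the checks and is skipped."""
    out, pos = [], buf.find(b"LfLe")
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec:
            out.append(rec)
        pos = buf.find(b"LfLe", pos - 4 + rec["length"] if rec else pos + 1)
    return out

# Constructed sample: two failed logons (529) and one success (528), plus a stale
# partial record behind the EOF record, as is left behind once a log has wrapped.
SAMPLE_RECORDS = [build_record(n, t, eid, typ, "Security", "WS-FIN-07",
                               ["jdoe", "CORP", "3", "10.0.0.45"])
                  for n, t, eid, typ in ((101, 1678868400, 529, 16),
                                         (102, 1678868430, 529, 16),
                                         (103, 1678868460, 528, 8))]
SAMPLE_LOG = build_log(SAMPLE_RECORDS) + SAMPLE_RECORDS[0][:40]
if __name__ == "__main__":
    for r in carve_records(SAMPLE_LOG):
        print(r["record_number"], r["time_generated"], r["type_name"], r["event_id"], r["strings"])
```

Carved records come back in file order, which on a wrapped log is not record-number order, so sort on record_number before building a timeline. The record split across the wrap point is deliberately dropped rather than reassembled; a full reader would stitch its tail (at the end of the file) to its head (right after the header).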
Figure 4: Process of viewing event logs in Windows.
11.4.3 Using Microsoft log parser
Microsoft describes Log Parser as a powerful, versatile tool that provides universal query
access to text-based data such as log files, XML files and CSV files, as well as to key
data sources on the Windows operating system such as the Event Log, the Registry, the file
system and Active Directory. The results of a query can be custom-formatted as text output
or persisted to more specialised targets such as SQL, syslog or a chart.
Common usage:
$ logparser <options> <SQL expression>
Example: selecting date, time and client username of requests for .aspx files, taken from
all .log files in the current directory:
$ logparser -i:IISW3C -q "SELECT date, time, cs-username FROM *.log WHERE cs-uri-stem LIKE '%.aspx' ORDER BY date, time;"
The -i option names the input format (here IIS W3C logs). The same query style applies to
the other input formats, e.g. -i:EVT to query the Security log and -i:REG to query the
registry.
Figure 5: LogParser.
11.4.4 Understanding Windows user account management logs
For the complete list of user account management events (account creation, deletion,
enabling, password resets and group membership changes) see the Microsoft documentation:
https://technet.microsoft.com/en-us/library/dn319091.aspx.
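The Python below is an added example, not the module's code, of detection logic over the user account management events that page documents. It runs over a constructed CSV whose column names (TimeGenerated, EventID, SubjectUser, TargetUser, GroupName) are an assumption standing in for fields one would extract from a Security log with Log Parser or Get-WinEvent; the event IDs (4720, 4722, 4724, 4726, 4728, 4732, 4756) are the real ones. The account and user names are invented.

```python
"""Detection over account-management events (added example, not from the module).
The CSV is CONSTRUCTED and its column names are an assumption: they mirror the
fields one would pick out of the Strings column of a Log Parser -i:EVT query."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Security event IDs for user account management (Windows Vista/2008 and later).
ACCOUNT_EVENTS = {4720: "account created", 4722: "account enabled",
                  4724: "password reset by another principal", 4725: "account disabled",
                  4726: "account deleted", 4728: "added to global group",
                  4732: "added to local group", 4756: "added to universal group",
                  4740: "account locked out"}
GROUP_ADD = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample export; the 4624 row is ordinary logon noise the filter must ignore.
SAMPLE_CSV = """TimeGenerated,EventID,SubjectUser,TargetUser,GroupName
2023-03-15 02:11:04,4720,svc_backup,tmpadmin,
2023-03-15 02:11:09,4722,svc_backup,tmpadmin,
2023-03-15 02:11:15,4732,svc_backup,tmpadmin,Administrators
2023-03-15 02:40:52,4726,svc_backup,tmpadmin,
2023-03-15 09:02:13,4720,hr_admin,newhire01,
2023-03-15 09:02:20,4728,hr_admin,newhire01,Domain Users
2023-03-15 10:15:00,4724,helpdesk1,jdoe,
2023-03-15 10:16:31,4624,jdoe,jdoe,
"""

def parse_events(text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeGenerated"] = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["TimeGenerated"])

def account_timeline(events: list) -> dict:
    """Account-management events grouped per target account, oldest first."""
    per_target = defaultdict(list)
    for e in events:
        if e["EventID"] in ACCOUNT_EVENTS:
            per_target[e["TargetUser"]].append(e)
    return dict(per_target)

def short_lived_privileged_accounts(events: list, window_seconds: int = 86400) -> list:
    """Accounts created, added to a privileged group and deleted within the window:
    the trace a throw-away admin account leaves in the Security log."""
    findings = []
    for account, tl in account_timeline(events).items():
        created = next((e for e in tl if e["EventID"] == 4720), None)
        if created is None:
            continue
        after = [e for e in tl if e["TimeGenerated"] >= created["TimeGenerated"]]
        priv = next((e for e in after if e["EventID"] in GROUP_ADD
                     and e["GroupName"] in PRIVILEGED_GROUPS), None)
        deleted = next((e for e in after if e["EventID"] == 4726), None)
        if priv is None or deleted is None:
            continue
        lifetime = int((deleted["TimeGenerated"] - created["TimeGenerated"]).total_seconds())
        if lifetime <= window_seconds:
            findings.append({"account": account, "by": created["SubjectUser"],
                             "group": priv["GroupName"], "lifetime_seconds": lifetime})
    return findings

def password_resets_by_others(events: list) -> list:
    """4724 is logged when a principal resets another account's password (a user
    changing their own password is 4723)."""
    return [{"by": e["SubjectUser"], "account": e["TargetUser"], "at": e["TimeGenerated"]}
            for e in events if e["EventID"] == 4724 and e["SubjectUser"] != e["TargetUser"]]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for f in short_lived_privileged_accounts(evs):
        print("short-lived privileged account:", f)
    for r in password_resets_by_others(evs):
        print("password reset by another principal:", r)
```

Both checks are cheap to run over an exported log and complement the per-account timeline, which is what an investigator reads when a finding fires: the subject (who did it), the target, and the exact minute of each step.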
11.4.5 Understanding Windows file and other object Access sets
Access to objects on a computer can be tracked with the Object Access audit policy
settings. When the appropriate Object Access subcategories (for example Audit File System
or Audit Registry) are enabled, one can audit attempts to access a file, directory,
registry key or any other securable object (see Figure 2). Note that for files and
registry keys an event is only generated if, in addition, the object carries a system
access control list (SACL) entry matching the accessing principal and the requested
access. Other subcategories under Object Access are Audit Application Generated, Audit
Certification Services, Audit Detailed File Share, Audit File Share, Audit Filtering
Platform Connection, Audit Kernel Object and Audit Other Object Access Events. Account
management (Audit User Account Management, Audit Security Group Management) is a separate
category, Account Management, and produces the events discussed in 11.4.4.
11.5 Windows password storage
11.5.1 SAM
The Security Account Manager (SAM) is the database in which Windows NT-family systems
(Windows XP, Windows Vista, Windows 7 and later) store local users' password hashes. It
is used to authenticate local users and, on stand-alone machines, remote users; beginning
with Windows 2000 SP4, Active Directory authenticates domain users instead. The SAM uses
cryptographic measures to keep unauthorised users from reading the stored hashes.
User passwords are stored in hashed form, as an LM hash and/or an NTLM (NT) hash, in a
registry hive. The hive file is %SystemRoot%\System32\config\SAM and it is mounted as
HKLM\SAM while Windows is running.
To protect the SAM database against offline cracking, Microsoft introduced SYSKEY in
Windows NT 4.0 (Service Pack 3). When SYSKEY is enabled, the on-disk copy of the SAM is
partially encrypted: the password hashes of all local accounts are encrypted with a key
usually referred to as the "SYSKEY" (or boot key). It was enabled with the syskey program;
since Windows 10 version 1709 the protection is always on and syskey.exe has been removed.
Since a hash function is one-way, this provides some measure of security for the stored
passwords, with one important caveat: the boot key is itself derived from values in the
SYSTEM hive, so an attacker who obtains both the SAM and the SYSTEM hive can strip this
layer and recover the hashes.
In the case of online attacks, it is not possible to simply copy the SAM file to another
location: it cannot be moved or copied while Windows is running, since the kernel holds an
exclusive lock on it until the operating system shuts down or crashes with a "Blue Screen
of Death". This lock is not a strong defence, however. The in-memory contents of the SAM
can be dumped with various tools (pwdump and its successors), and an administrator can
export the hive with reg save HKLM\SAM or read it from a Volume Shadow Copy; either way
the password hashes become available for offline brute-force and dictionary attacks.
Offline SAM editors, booted from removable media, have a legitimate use as
password-clearing or account-recovery utilities for people who have forgotten their
Windows account password, and a malicious use as a security-bypass tool: anyone with
enough familiarity with such a tool and with the security routines of the Windows NT
kernel, plus physical access to the powered-off machine, can remove or reset the local
account passwords. Microsoft's own utility of this kind is Locksmith, part of the
Microsoft Diagnostics and Recovery Toolset (DaRT, formerly MSDaRT), which is not freely
available to end users. The usual control against this whole class of offline attack is
full-disk encryption such as BitLocker.
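To show what a dump of these hashes reveals, here is an added example (not from the module or any named tool) that triages pwdump-format output. The two 32-digit constants are the well-known values for "no LM hash stored" and "empty NT password"; every other hash and every account name in the sample is constructed.

```python
"""Triage of pwdump-style hash dumps (added example, not from the module). The lines
are CONSTRUCTED: the only real values are the two well-known constants for an absent
LM hash and an empty NT password; the other hashes and user names are made up."""
from collections import defaultdict

# Stored in place of an LM hash when LM storage is disabled, the password is empty,
# or it is longer than 14 characters; it is also the LM hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Second half of any LM hash whose password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[:16]
# NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1005:3A1F0C9E7D5B2468AAD3B435B51404EE:2b7e151628aed2a6abf7158809cf4f3c:::
jdoe:1010:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
kiosk:1011:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# a comment line that the parser must ignore
"""

def parse_pwdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines; anything else is skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return accounts

def triage(accounts: list) -> dict:
    """What an attacker holding this dump can do cheaply, per account."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    return {
        # LM hash present: DES-based, case-insensitive, 7-character halves; crackable quickly
        "lm_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
        # empty second LM half: the password is at most 7 characters
        "password_7_or_less": [a["user"] for a in accounts
                               if a["lm"] != EMPTY_LM and a["lm"][16:] == EMPTY_LM_HALF],
        "empty_password": [a["user"] for a in accounts if a["nt"] == EMPTY_NT],
        # identical NT hash = identical password: one crack (or pass-the-hash) opens all
        "shared_password": {h: users for h, users in by_nt.items()
                            if len(users) > 1 and h != EMPTY_NT},
        # RID 500 is always the built-in Administrator, whatever it has been renamed to
        "builtin_admin_renamed": [a["user"] for a in accounts
                                  if a["rid"] == 500 and a["user"] != "Administrator"],
    }

if __name__ == "__main__":
    for finding, who in triage(parse_pwdump(SAMPLE_PWDUMP)).items():
        print(f"{finding}: {who}")
```

Accounts under lm_stored are the ones for which disabling LM storage (the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, or the policy "Network security: Do not store LAN Manager hash value on next password change") has not yet taken effect; the setting only applies when the password is next changed, so those accounts need a forced reset.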
11.5.2 AD
Active Directory (AD) is a directory service that Microsoft developed for Windows domain
networks; it is included in most Windows Server operating systems as a set of processes
and services.
An AD domain controller authenticates and authorises all users and computers in a Windows
domain network, assigning and enforcing security policies for all computers and installing
or updating software. For example, when a user logs into a computer that is part of a
Windows domain, Active Directory checks the submitted password and determines whether the
user is a system administrator or a normal user. Domain users' password hashes are
therefore held not in the local SAM but in the domain controller's directory database
(NTDS.dit).
Active Directory makes use of the Lightweight Directory Access Protocol (LDAP) versions 2
and 3, Microsoft's version of Kerberos, and DNS.
11.6 Summary
1. Event logs and password cracking play a very important role in digital forensics.
2. Event logging provides system administrators with information useful for diagnostics
and auditing. The Windows registry is also a very important source for maintaining and
managing logs.
3. Password cracking is used to gain access to digital evidence to which a judge has
granted access but which is protected by a password.
4. Registry entries can be used to acquire and analyse much important information, such
as system and time-zone settings, shares, audit policy, wireless SSIDs, auto-start
locations, user logins and activities, USB removable devices, trusted devices, cache,
cookies and history.
5. Users and passwords in a Windows system are stored in either the Security Account
Manager or Active Directory.
6. The most important methods of password cracking are brute force, dictionary search,
syllable attack, rule-based attack, hybrid attack, password guessing and rainbow-table
attack.
7. Several tools are available to assist password recovery or cracking; a few examples
are Windows key generator, CMOSPwd and ERD Commander.
11.7 Check Your Progress
1. Fill in the blanks
a) _______ and ______ can be very handy to get a good deal of analysis of registry entries.
b) When an application calls the ____________ function to write an entry to the event log,
the system passes the parameters to the ____________.
c) An event viewer application uses the __________ function to open the event log for an
event source.
d) SAM stands for ______.
e) The ______ subcategory needs to be enabled to audit file operations and the ______
subcategory needs to be enabled to audit registry accesses.
2. State True or False
Answers
1. Fill in the blanks
a) ProDiscover, ProScript
b) ReportEvent, event-logging service
c) OpenEventLog
d) Security Account Manager
e) File System, Registry
2. State True or False
a) True
b) False
c) True
d) False
e) True
References, Article Source & Contributors
[1] Active Directory - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Active_Directory
[2] CMOSPwd, https://packages.gentoo.org/packages/app-forensics/cmospwd
[3] Dictionary attack - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Dictionary_attack
[4] Event logging - Wikipedia, https://en.wikipedia.org/wiki/Event_logging
[5] Log analysis - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Log_analysis
[6] Logparser - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Logparser
[7] Microsoft Desktop Optimization Pack - Wikipedia, https://en.m.wikipedia.org/.../Microsoft_Diagnostics_and_Recovery_Tool
[8] Passware kit, http://azizalstsetia.blogspot.in/2011/04/passware-kit-forensic-103-full-version_7549.html
[9] Password cracking - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Password_cracking
[10] Rainbow table - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Rainbow_table
[11] Recover lost MS Office Password, recoverlostofficepassword.wikidot.com
[12] Security Account Manager - Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Security_Account_Manager
[13] Windows XML Event Log (EVTX), http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)
EXPERT PANEL
Mr. Rishikesh Ojha, Digital Forensics and eDiscovery Expert
This MOOC has been prepared with the support of