Event Log Analysis Part 2 - Windows Forensics Manual 2018

Event logs provide an audit trail that records user and system events on a PC and are a potential source of evidence in forensic examinations. This document describes a Windows event forensic process for investigating operating system event log files and covers the various events encountered in Windows forensics. Overall, it gives practitioners guidance on using Windows event logs in a digital forensic investigation.

When examining Windows event logs, the first step is to identify the operating system version. Event IDs differ from one operating system to another depending on version and configuration, and event logs from Windows XP may not even be readable on Windows 7. For example, on a Windows XP machine event ID 551 refers to a logoff event, whereas on Windows Vista/7/8 the logoff event ID is 4647 and on Windows 10 it is 4634. Windows Server editions likewise use a different set of event IDs, so the exact operating system version must be identified carefully.
Before locating digital evidence, the incident response team needs an understanding of Windows events and must know what to look for in the event list. Some key Windows event logs are described in this section with their respective event IDs.

Understanding Critical Windows Event Logs

Windows and AntiMalware Update Events

The Windows System log records every detail of each update applied by the Windows Update service. If anti-malware software is installed, its update history is also recorded, and any third-party antivirus application installed on the system can likewise write its logs to the Windows event logs. These entries exist only if logging has been enabled by the administrator. The event timestamps and the details of the installed updates allow a forensic examiner to decide whether the system in question was patched or vulnerable to particular security threats during a specific timeframe.

Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 44 | Windows Update Service Started Downloading an Update | System | Figure 1: Windows and AntiMalware Update Downloading Started
2 | 43 | Installation Started: Windows Update or Definition Update for Windows Defender Antivirus | System | Figure 2: Windows and AntiMalware Update Installation Started
3 | 19 | Installation Successful: Windows Update or Definition Update for Windows Defender Antivirus | System | Figure 3: Windows and AntiMalware Update Successful Installation
4 | 20 | Installation Error | System | Figure 4: Windows and AntiMalware Update Error


System Restore Logs


Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 8194 | Successfully Created System Restore Point | Application | Figure 5: Restore Point Successful Creation
2 | 8216 | Skipped Creating System Restore Point (either manually or because the last restore point was created recently) | Application | Figure 6: Skipping Restore Point Creation
3 | 8300 | Scoping Started for Shadow Copy | Application | Figure 7: Scoping Started for Shadowcopy
4 | 8301 | Scoping Completed | Application | Figure 8: Scoping Completed for Shadowcopy
5 | 8302 | Scoping Successfully Completed | Application | Figure 9: Scoping Successfully Completed


Logon/Logoff Events


Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 4624 | Successful Logon | Security | Figure 10: Successful Logon Event
2 | 4625 | Failed Login | Security |
3 | 4776 | Successful/Failed Account Authentication | Security |
4 | 4720 | A User Account was Created | Security | Figure 13: A New Account Creation Event Log
5 | 4732 | A member was added to a security-enabled local group | Security | Figure 14: Member Added to Local Group Event Log
6 | 4728 | A member was added to a security-enabled global group | Security | Figure 15: Member Added to Global Group Event Log
7 | 7030 | Service Control Manager Errors | System | Figure 16: Services Control Manager Event
8 | 7040 | Service was changed from Disabled to Autostart, Demand Start to Autostart, or Autostart to Demand Start | System | Figure 17: Services Control Manager Event




Remote Access Event Logs


If an unknown party has been accessing a PC remotely, the incident response team can find hard evidence of that access in the logs. However, this depends on the type of access that was obtained: if the system is accessed through a backdoor or an IRC bot, no logs are recorded. To find out whether the system was accessed remotely, event ID 4648 (Logon) with Logon Type 10 proves useful.

Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 4648 | Remote Access Attempt in the System | Security | Figure 18: Remote Login Attempt Event
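To show how the records in the Logon/Logoff table and the Remote Access section are actually correlated, here is an added example in Python; it is not code from the manual. It reads event XML in the shape produced by Event Viewer's "Save As XML", using constructed sample records. The LogonType value is read from 4624 records, which carry that field in their EventData; SubStatus 0xC0000064 on a 4625 marks a logon attempt for a user name that does not exist; and each 4720 is paired with a 4732/4728 that adds the same SID to a group shortly afterwards. The field names are the standard Security-log ones, while the ten-minute pairing window is an assumed tuning value.

```python
# Added example, not part of the manual: correlate Security-log records of the
# kinds tabulated above (4624, 4625, 4720, 4732/4728) from event XML in the
# shape Event Viewer exports. The sample export below is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a failed logon for an account that does not exist, a
# Logon Type 10 (remote interactive) logon, then a new account added to the
# local Administrators group 90 seconds after it was created.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2018-05-01T09:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">backup_admin</Data><Data Name="SubStatus">0xC0000064</Data>
 <Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2018-05-01T09:05:00Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">10</Data>
 <Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event><System><EventID>4720</EventID><TimeCreated SystemTime="2018-05-01T09:06:00Z"/></System>
 <EventData><Data Name="TargetUserName">svc_tmp</Data><Data Name="TargetSid">S-1-5-21-1111-2222-3333-1010</Data>
 <Data Name="SubjectUserName">jsmith</Data></EventData></Event>
<Event><System><EventID>4732</EventID><TimeCreated SystemTime="2018-05-01T09:07:30Z"/></System>
 <EventData><Data Name="MemberSid">S-1-5-21-1111-2222-3333-1010</Data><Data Name="TargetUserName">Administrators</Data>
 <Data Name="SubjectUserName">jsmith</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return records sorted by time: {"id", "time", "data"}."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        records.append({
            "id": int(system.find("e:EventID", NS).text),
            # real exports carry fractional seconds; they are dropped here
            "time": datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S"),
            "data": {d.get("Name"): (d.text or "").strip()
                     for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(records, key=lambda r: r["time"])


def remote_logons(records):
    """4624 records with LogonType 10 (RemoteInteractive, i.e. RDP/Terminal Services)."""
    return [r for r in records if r["id"] == 4624 and r["data"].get("LogonType") == "10"]


def failed_logons_unknown_account(records):
    """4625 records whose SubStatus 0xC0000064 means the user name does not exist."""
    return [r for r in records
            if r["id"] == 4625 and r["data"].get("SubStatus", "").lower() == "0xc0000064"]


def created_then_added_to_group(records, window=timedelta(minutes=10)):
    """Pair each 4720 (account created) with a 4732/4728 that adds the same SID
    to a group within `window`: a new account gaining privileges quickly."""
    hits = []
    for c in (r for r in records if r["id"] == 4720):
        sid = c["data"].get("TargetSid")
        for g in records:
            if (g["id"] in (4732, 4728) and g["data"].get("MemberSid") == sid
                    and c["time"] <= g["time"] <= c["time"] + window):
                hits.append({"account": c["data"].get("TargetUserName"),
                             "group": g["data"].get("TargetUserName"),
                             "by": g["data"].get("SubjectUserName"),
                             "delay_s": (g["time"] - c["time"]).total_seconds()})
    return hits


if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for r in remote_logons(recs):
        print("remote logon:", r["time"], r["data"]["TargetUserName"], "from", r["data"].get("IpAddress"))
    for r in failed_logons_unknown_account(recs):
        print("unknown account tried:", r["time"], r["data"]["TargetUserName"])
    for h in created_then_added_to_group(recs):
        print("new account privileged:", h)
```

On a real export the same three functions run unchanged; the only tuning point is the pairing window, which should be widened on domain controllers where provisioning is scripted and the 4728 may lag the 4720 by more than a few minutes.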


User Plug n Play Event Logs

The User Plug-n-Play device events found in the System event log indicate USB/PCI connections to the PC. An event is generated when a driver is installed or updated. Events that give information about installed hardware and drivers have UserPnp as their source. The Device Instance ID is a unique identifier for every device.
User PnP Event IDs

S No. | Event ID | Description | Log Name | Exhibit
1 | 20001 | Driver Installation or Update | System | Figure 19: User PnP Driver Installation or Update Event
2 | 20003 | Service Installation or Update | System | Figure 20: Service Installation or Update Event ID Sample
3 | 20002 | Installation Error | System |
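The Device Instance ID mentioned above carries more than a unique label. As an added example (not from the manual), the Python below splits IDs of the usual enumerator\hardware-id\instance form into vendor and product IDs, the USBSTOR vendor and product strings and the serial number, and applies the common rule that an instance part whose second character is an ampersand was generated by Windows because the device reported no serial number. The IDs are constructed samples, as an analyst might copy them out of UserPnp records.

```python
# Added example, not part of the manual: decompose Device Instance IDs of the
# kind a UserPnp 20001/20003 record carries so that the USB vendor, product
# and serial can be tabulated per event. The sample IDs are constructed.
import re

# Constructed sample: (event id, Device Instance ID) pairs as an analyst would
# copy them out of UserPnp records in the System log.
SAMPLE = [
    (20001, r"USB\VID_0781&PID_5583\4C530001230915110421"),
    (20001, r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra_Fit&Rev_1.00\4C530001230915110421&0"),
    (20001, r"PCI\VEN_8086&DEV_15D8&SUBSYS_22BE17AA&REV_21\3&11583659&0&FE"),
    (20003, r"HID\VID_046D&PID_C52B&MI_00\7&2A1B3C4D&0&0000"),
]

VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_device_instance_id(dev_id):
    """Split <enumerator>\\<hardware id>\\<instance id> and pull out the fields
    an investigator tabulates."""
    enumerator, _, rest = dev_id.partition("\\")
    hardware_id, _, instance = rest.rpartition("\\")
    info = {"enumerator": enumerator.upper(), "hardware_id": hardware_id,
            "instance": instance,
            # Windows generates the instance part when a device reports no
            # serial number; a generated one has '&' as its second character.
            "has_serial": len(instance) > 1 and instance[1] != "&"}
    m = VID_PID.search(hardware_id)
    if m:
        info["vid"], info["pid"] = m.group(1).upper(), m.group(2).upper()
    if info["enumerator"] == "USBSTOR":
        # hardware id looks like Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
        fields = dict(p.split("_", 1) for p in hardware_id.split("&")[1:] if "_" in p)
        info.update(vendor=fields.get("Ven"), product=fields.get("Prod"),
                    serial=instance.split("&")[0])
    return info


def usb_storage_serials(events):
    """Serial numbers of USB mass-storage devices seen in 20001 installs."""
    return {parse_device_instance_id(d)["serial"]
            for eid, d in events
            if eid == 20001 and parse_device_instance_id(d)["enumerator"] == "USBSTOR"}


if __name__ == "__main__":
    for eid, dev in SAMPLE:
        print(eid, parse_device_instance_id(dev))
    print("USB storage serials:", usb_storage_serials(SAMPLE))
```

The serial set is what ties a 20001 record to the same stick seen on another machine; devices without a real serial (has_serial False) can only be matched on vendor and product, never uniquely.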

The Windows System log also records WPD (Windows Portable Devices) events. WPD enables the operating system to communicate and coordinate with attached devices, which may be music players, storage media, mobile phones, cameras and many other portable devices that can be connected to the computer.
WPD Event IDs
  • 24576 - Successful Installation
  • 24577 - Compatibility Layer Successful Registration
  • 24578 - Installation Error
  • 24579 - Autoplay Skipped

Networking Events


When a system attempts to connect to a wireless network, an event is logged in the WLAN-AutoConfig log, which also stores the SSID of that connection. This event ID is 4000 in Windows 10, whereas in other operating systems it may differ. Event 6100 records information about the network interface, the SSID and the diagnostic result of the wireless adapter.

Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 4000 | WLAN AutoConfig service has successfully started | System | Figure 21: WLAN Service Started Event Example
2 | 4001 | WLAN AutoConfig service has successfully stopped | System | Figure 22: WLAN Service Stopped Successfully
3 | 4003 | WLAN AutoConfig detected limited connectivity | System | Figure 23: WLAN Limited Service
4 | 6100 | Wireless Network Adapter Diagnosis | System | Figure 24: WLAN Diagnosis Event Example


Security State Change Events

Event IDs with Description

S No. | Event ID | Description | Log Name | Exhibit
1 | 4608 | Windows Startup Event (logged when LSASS.EXE starts and the auditing subsystem is initialized) | Security | Figure 25: Windows Startup Event Log
2 | 4616 | The System Time Was Changed | System | Figure 26: System Time Change Event Log
3 | 4624 | Successful Account Logon | System | Figure 27: System Successful Logon Event Log
4 | 4634 | Account Logoff | System | Figure 28: Account Logoff Event Log
5 | 4648 | A logon was attempted using explicit credentials | System | Figure 29: System Logon Attempt Using Explicit Credentials
6 | 4672 | Special privileges assigned to a logon (useful for detecting "super user" account logons) | System | Figure 30: Logon Event Type Special Logon
7 | 4688 | New process has been created | System | Figure 31: New Process Creation Event Log
8 | 4720 | A user account was created | System |
9 | 4722 | A user account was enabled | System |
10 | 4724 | An attempt was made to reset an account's password | System |
11 | 4826 | Boot Configuration Data loaded | System | Figure 35: Boot Configuration Data Loaded Event Log
12 | 5024 | Windows Firewall service started successfully | System | Figure 36: Successful Firewall Service Starting Event Log
13 | 5033 | Windows Firewall driver started successfully | System | Figure 37: New Process Creation Event Log
14 | 5058/5061 | Key file operation / Windows cryptographic operation (records cryptographic parameters along with the algorithm name) | System | Figure 38: Key File Operation Event Log
15 | 6005 | Event Log service started | System | Figure 39: Event Log Service Started
16 | 6006 | Event Log service stopped | System | Figure 40: Event Log Service Stopped
17 | 6008 | Unexpected system shutdown | System | Figure 41: Unexpected Shutdown Event
18 | 6013 | Shows system uptime | System | Figure 42: System Uptime Event
19 | 1100 | Event logging service shutdown | System | Figure 43: Event Logging Service ShutDown Event Log
20 | 1102 | Logs cleared | System | Figure 44: Event Log ID when Logs are Cleared
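An added example (not from the manual) that applies the table above to a parsed timeline: it flags 1102 (logs cleared), 4616 (system time changed) and any long gap between a 1100 (event logging service shutdown) and the next 6005 (Event Log service started). The records are constructed, and the 15-minute gap and 1-minute clock-shift thresholds are assumed tuning values; the clock-shift filter is there because the Windows time service logs small 4616 corrections at practically every boot, and an analyst does not want to chase those.

```python
# Added example, not part of the manual: scan already-parsed records for the
# state-change events above that an investigator checks first: logs cleared
# (1102), system time changed (4616) and a gap between the event log service
# stopping (1100) and starting again (6005). Records are constructed.
from datetime import datetime, timedelta


def iso(stamp):
    """Parse a SystemTime-style UTC stamp; fractional seconds are dropped."""
    return datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


# Constructed records: (UTC time, event id, selected EventData fields)
SAMPLE_RECORDS = [
    ("2018-05-01T08:00:00Z", 6005, {}),
    ("2018-05-01T08:00:05Z", 4608, {}),
    # routine sub-second clock correction at boot: must not be flagged
    ("2018-05-01T08:00:10Z", 4616, {"PreviousTime": "2018-05-01T08:00:09.8Z",
                                    "NewTime": "2018-05-01T08:00:10.0Z",
                                    "SubjectUserName": "LOCAL SERVICE"}),
    # clock set back three days by an interactive user
    ("2018-05-01T10:15:00Z", 4616, {"PreviousTime": "2018-05-01T10:15:00Z",
                                    "NewTime": "2018-04-28T10:15:00Z",
                                    "SubjectUserName": "jsmith"}),
    ("2018-05-01T10:20:00Z", 1100, {}),
    ("2018-05-01T13:40:00Z", 6005, {}),
    ("2018-05-01T13:41:00Z", 1102, {"SubjectUserName": "jsmith"}),
]


def parse_records(raw):
    """Turn the tuples into dicts sorted by time."""
    return sorted(({"time": iso(t), "id": i, "data": d} for t, i, d in raw),
                  key=lambda r: r["time"])


def tamper_indicators(records, max_gap=timedelta(minutes=15),
                      min_time_shift=timedelta(minutes=1)):
    """Return (kind, when, detail) findings in time order."""
    findings, stopped_at = [], None
    for r in records:
        d = r["data"]
        if r["id"] == 1102:
            findings.append(("LOG_CLEARED", r["time"], d.get("SubjectUserName", "?")))
        elif r["id"] == 4616:
            shift = iso(d["NewTime"]) - iso(d["PreviousTime"])
            if abs(shift) >= min_time_shift:   # ignore time-service corrections
                findings.append(("TIME_CHANGED", r["time"],
                                 f"{d.get('SubjectUserName', '?')} shifted clock by {shift}"))
        elif r["id"] == 1100:
            stopped_at = r["time"]
        elif r["id"] == 6005 and stopped_at is not None:
            if r["time"] - stopped_at > max_gap:
                findings.append(("LOGGING_GAP", stopped_at,
                                 f"no events recorded for {r['time'] - stopped_at}"))
            stopped_at = None
    return findings


if __name__ == "__main__":
    for kind, when, detail in tamper_indicators(parse_records(SAMPLE_RECORDS)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<12} {detail}")
```

A 1100 that is never followed by a 6005 (the machine was imaged while logging was off) is left unreported by design; the trailing value of stopped_at is the place to add that check if the case needs it.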

Best Practices


  1. Collect Logs in a Single Place
    • If logs are stored in multiple locations, they become harder to parse and analyze during an investigation. For example, an organization stores the log files of its computers and network in archives for regular inspection for possible threats.
    • If these archives are spread over multiple locations, it is much harder to analyze the logs from all locations manually.
  2. Segment different logs into different files so that they are easy to access, research and read
    • This practice means keeping the logs segmented by category. For example, keep the Application, Security, System and Network logs in separate archives so that it is easier to search a particular log for threat inspection.
  3. Regular Log Analysis for Potential Threats
    • Organisations should keep tabs on their archived event logs. Routine checks help in identifying undetected short-term or long-term threats that may harm the data. The check can be done on a weekly or monthly basis; large corporations that collect a high volume of logs require a daily check to maintain data integrity.
  4. Archive Logs, Do Not Overwrite
    • In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
    • For an organization the default file size is not enough for log management, because older logs are overwritten by new ones. This can be overcome by archiving the logs: as new logs enter the system, the older event logs are archived to a secure location, which helps in troubleshooting the system if a problem is encountered.
  5. Limit Access to Authorized Personnel, and Log Every Access
    • Access to the logs should be limited to authorized personnel only, such as the administrator and the log analyst who maintain the integrity of the logs and constantly observe them for potential threats.
  6. Regularly Upgrade or Update the Log Management Infrastructure, Where One Exists
    • Log management is not an easy task. It takes experience and proper knowledge to manage logs and to find the threats that are critical for compromising a system.
    • Most organizations use a log management infrastructure and tooling that makes it much easier to handle event logs. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.
  7. Use Copies of Logs for Forensic Investigation
    • Event logs are a great help in a forensic investigation, as each and every event is recorded in the log files.
    • Whenever an investigation is done using event logs, create multiple copies of the acquired logs to maintain the integrity of the log data. This protects the original logs.
  8. Store Multiple Backups
    • Storing multiple backups of logs in a secure place is a good way to protect log data from attackers who may target the log infrastructure. If the original log archives are lost or encrypted, the backups help in identifying the root cause of the attack. There are two types of backup:
      • Hot Backup: backup of the most recent logs (1 to 4 weeks).
      • Cold Backup: backup of all logs for a long period of time (6 to 12 months).
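Practice 7 (work on copies, keep the original intact) is easy to state and easy to get wrong. As an added example, not the manual's own procedure, the Python below makes the working copy, hashes the original and the copy with SHA-256, writes a small custody record, and re-verifies the copy before use. The file it creates is a constructed placeholder rather than a real EVTX, and the custody.json name and the copy_ prefix are assumptions.

```python
# Added example, not part of the manual: make the working copy an analyst
# uses, hash original and copy with SHA-256, record both in a custody file,
# and re-verify the copy before each session. The sample file is constructed.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(original, workdir):
    """Copy `original` into workdir, hash both sides, write custody.json
    (assumed name) and return the record."""
    copy_path = os.path.join(workdir, "copy_" + os.path.basename(original))
    shutil.copyfile(original, copy_path)
    os.chmod(copy_path, 0o444)  # analysts read the copy; nobody writes to it
    record = {
        "original": original,
        "copy": copy_path,
        "sha256_original": sha256_file(original),
        "sha256_copy": sha256_file(copy_path),
        "copied_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["sha256_original"] == record["sha256_copy"]
    with open(os.path.join(workdir, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_copy(record):
    """True while the working copy still hashes to the original's digest."""
    return sha256_file(record["copy"]) == record["sha256_original"]


def demo():
    """Returns (verified at copy time, intact on re-check, intact after the
    copy was modified); the last value must be False."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "Security.evtx")
    with open(original, "wb") as f:
        f.write(b"ElfFile\x00" + b"\x00" * 64)  # constructed placeholder, not a real log
    record = make_working_copy(original, workdir)
    intact = verify_copy(record)
    os.chmod(record["copy"], 0o644)          # simulate someone editing the copy
    with open(record["copy"], "ab") as f:
        f.write(b"\x00")
    tampered = verify_copy(record)
    shutil.rmtree(workdir, ignore_errors=True)
    return record["verified"], intact, tampered


if __name__ == "__main__":
    print(demo())
```

The digest of the original is the value that goes into the case notes; every later copy, including the cold backups of practice 8, is checked against that one digest rather than against each other.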
Industry Practices to Preserve and Understand Logs Indicating a Compromise

Incident response teams play an important role after an organizational breach. There are certain steps and measures to follow once a system has been found, through its event logs, to be compromised. IR teams can use the log data behind indicators of compromise (IOCs) to understand how threats were able to infiltrate the system. IOCs help in identifying specific threats and provide valuable information; with their help a forensic investigator can quickly locate and resolve any damage that may have been caused to the system.

Common Indicators of Compromise


  • Unusual outbound network traffic
  • Changes in the behaviour of privileged users
  • Geographical irregularities in logins, and access patterns from unusual locations
  • Failed logins for user accounts that do not exist
  • Unusual HTML response sizes, which may indicate an attacker using SQL injection to extract data
  • Windows registry changes
  • Unexpected patching of the system or applications
  • Data stored in the wrong places
The indicators of compromise listed above are some of the most common ones that help in identifying a system breach, but they are not always sufficient. Out-of-the-box thinking is necessary to investigate properly and to contain the attack. If the system logs indicate that the system has been compromised, these are the crucial steps to follow:
  • Identify whether a critical attack has occurred
  • Investigate the scope of the compromise
  • Isolate the compromised system
  • Back up important data
  • Contain the attack
  • Repair the system to prevent future attacks
  • Document everything and create detailed reports

Conclusion

Windows is the most commonly used operating system in consumer and corporate computing environments. One of the main features that enables the Windows forensic process is event logging. Event logs are very helpful in gathering potential evidence for an investigation unless the user has manually disabled the event logging service. Although event logging has some weaknesses, most of them can be overcome, which makes event logs an extremely valuable resource in the security monitoring process. Event logs can be analyzed with various techniques to look for malware on a system.



The Event Viewer introduced with Vista and later operating systems can open event logs stored in the earlier EVT format, whereas earlier versions of Windows, such as Windows XP and Server 2003, cannot read the newer EVTX format. This document describes some of the important points of interest for quick and effective analysis, together with the respective event IDs that help to unfold a forensic investigation.
