Event logs provide an audit trail of user and system events on a PC and are a potential source of evidence in forensic examinations. This document describes a Windows event forensic process for investigating operating system event log files. It covers the kinds of events that matter in a Windows forensic examination and gives practitioners guidance on using Windows event logs in a digital forensic investigation.
When examining Windows event logs, first identify the operating system version. Event logs differ between operating system versions and configurations, and event logs that exist on Windows XP may not be available on Windows 7. For example, on a Windows XP machine event ID 551 refers to a logoff event, whereas in Windows Vista/7/8 the logoff event ID is 4647 and in Windows 10 it is 4634. Windows Server editions likewise have their own set of events, so the exact operating system version needs to be identified carefully.
Before locating digital evidence, the incident response team needs an understanding of Windows events and must know what to look for in the event list. Some key Windows event logs are described in this section with their respective event IDs.
Understanding Critical Windows Event Logs
Windows and AntiMalware Update Events
Windows records every detail of each update applied by the Windows Update service. If anti-malware software is installed, its update history is recorded as well, and a third-party antivirus application can also write its logs to the Windows event logs. These logs are stored only if the administrator has enabled logging. The event timestamps and the details of the installed updates let a forensic examiner decide whether the system in question was patched or still vulnerable to particular security threats during a specific timeframe.
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 44 | Windows Update service started downloading an update | System | Figure 1: Windows and AntiMalware Update Downloading Started |
| 2 | 43 | Installation started: Windows Update or definition update for Windows Defender Antivirus | System | Figure 2: Windows and AntiMalware Update Installation Started |
| 3 | 19 | Installation successful: Windows Update or definition update for Windows Defender Antivirus | System | Figure 3: Windows and AntiMalware Update Successful Installation |
| 4 | 20 | Installation error | System | Figure 4: Windows and AntiMalware Update Error |
System Restore Logs
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 8194 | Successfully created System Restore point | Application | Figure 5: Restore Point Successful Creation |
| 2 | 8216 | Skipped creating System Restore point (either manually or because the last restore point was created recently) | Application | Figure 6: Skipping Restore Point Creation |
| 3 | 8300 | Scoping started for shadow copy | Application | Figure 7: Scoping Started for Shadowcopy |
| 4 | 8301 | Scoping completed | Application | Figure 8: Scoping Completed for Shadowcopy |
| 5 | 8302 | Scoping successfully completed | Application | Figure 9: Scoping Successfully Completed |
Logon/Logoff Events
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 4624 | Successful logon | Security | Figure 10: Successful Logon Event |
| 2 | 4625 | Failed login | Security | Figure 11: Source - [https://www.top-password.com/blog/wp-content/uploads/2014/10/logon-failure-event.png] |
| 3 | 4776 | Successful/failed account authentication | Security | |
| 4 | 4720 | A user account was created | Security | Figure 13: A New Account Creation Event Log |
| 5 | 4732 | A member was added to a security-enabled local group | Security | Figure 14: Member Added to Local Group Event Log |
| 6 | 4728 | A member was added to a security-enabled global group | Security | Figure 15: Member Added to Global Group Event Log |
| 7 | 7030 | Service Control Manager errors | System | Figure 16: Services Control Manager Event |
| 8 | 7040 | Service start type was changed (Disabled to Autostart, Demand Start to Autostart, or Autostart to Demand Start) | System | Figure 17: Services Control Manager Event |
Remote Access Event Logs
If an unknown entity has been accessing a PC remotely, the incident response team can find hard evidence of it in the logs. However, this depends on the type of access that was obtained: if the system is accessed via a backdoor or an IRC bot, no logon events are recorded. To find whether the system was accessed remotely, event ID 4648 (logon) together with Logon Type 10 proves useful.
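As an added example (not code from the original article), the script below parses Security-log records exported in the standard Windows event XML schema, which is what Event Viewer's XML view and `wevtutil qe Security /f:xml` produce, and then picks out remote logons and explicit-credential logons. Note that the `LogonType` field is carried by event 4624; event 4648 identifies the explicit credentials and the target server instead, so the two are reported separately. The records in `SAMPLE_XML` are constructed for illustration, and the script assumes the exported records have been wrapped in a single root element.

```python
"""Logon triage over Security events exported as XML.

Added example, not code from the original article. It assumes the records
were exported in the standard Windows event XML schema and wrapped in a
single root element; the records below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values of event 4624 as documented by Microsoft.
LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive", "11": "CachedInteractive",
}

# Constructed sample: a console logon, an RDP logon and a 4648
# explicit-credential logon towards another host.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2023-05-01T08:02:11Z"/><Channel>Security</Channel>
  <Computer>WS01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
  <Data Name="IpAddress">-</Data><Data Name="WorkstationName">WS01</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2023-05-01T23:41:05Z"/><Channel>Security</Channel>
  <Computer>WS01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">10</Data>
  <Data Name="IpAddress">198.51.100.7</Data><Data Name="WorkstationName">LAPTOP-X</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4648</EventID>
  <TimeCreated SystemTime="2023-05-01T23:42:30Z"/><Channel>Security</Channel>
  <Computer>WS01.example.test</Computer></System>
 <EventData><Data Name="SubjectUserName">bob</Data><Data Name="TargetUserName">svc_backup</Data>
  <Data Name="TargetServerName">FS01.example.test</Data>
  <Data Name="ProcessName">C:\\Windows\\System32\\mstsc.exe</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per <Event>, flattening the System block and EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "EventID": int(system.findtext("e:EventID", namespaces=NS)),
            "Channel": system.findtext("e:Channel", namespaces=NS),
            "Computer": system.findtext("e:Computer", namespaces=NS),
            "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
            "Data": {},
        }
        data = ev.find("e:EventData", NS)
        if data is not None:
            for d in data.findall("e:Data", NS):
                rec["Data"][d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def remote_logons(events):
    """4624 records with LogonType 10 (RemoteInteractive, e.g. Remote Desktop)."""
    return [(e["TimeCreated"], e["Data"].get("TargetUserName"), e["Data"].get("IpAddress"))
            for e in events
            if e["EventID"] == 4624 and e["Data"].get("LogonType") == "10"]


def explicit_credential_logons(events):
    """4648 records: who used which account against which server."""
    return [(e["TimeCreated"], e["Data"].get("SubjectUserName"),
             e["Data"].get("TargetUserName"), e["Data"].get("TargetServerName"))
            for e in events if e["EventID"] == 4648]


def logon_type_counts(events):
    """How many successful logons of each type the export contains."""
    return Counter(LOGON_TYPES.get(e["Data"].get("LogonType"), "Unknown")
                   for e in events if e["EventID"] == 4624)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("logon types:", dict(logon_type_counts(evs)))
    print("remote logons:", remote_logons(evs))
    print("explicit credentials:", explicit_credential_logons(evs))
```

On a real export the pairing of a type-10 logon with a 4648 record minutes later from the same account, as in the constructed sample, is what an analyst looks for when reconstructing lateral movement from a remote session.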
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 4648 | Remote access attempt on the system | Security | Figure 18: Remote Login Attempt Event |
User Plug n Play Event Logs
The User Plug-and-Play device events found in the System event log indicate USB/PCI device connections to the PC. An event is generated when a driver is installed or updated. Events that give information about installed hardware and drivers have UserPnp as their source. The Device Instance ID is a unique identifier for each device.
User PnP Event IDs
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 20001 | Driver installation or update | System | Figure 19: User PnP Driver Installation or Update Event |
| 2 | 20003 | Service installation or update | System | Figure 20: Service Installation or Update Event ID Sample |
| 3 | 20002 | Installation error | System | |
Windows also records Windows Portable Devices (WPD) logs. WPD lets the operating system communicate and coordinate with attached devices, which can be any of the following: music players, storage media, mobile phones, cameras and many other portable devices that can be connected to the computer.
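The Device Instance ID mentioned above is the value an examiner uses to tell devices apart. As an added example (not code from the original article), the following script decodes USB instance IDs of the form `USB\VID_xxxx&PID_xxxx\<serial>` into vendor ID, product ID and serial number, and flags identifiers that Windows generated itself because the device reported no serial number (recognisable by `&` as the second character of the last segment). It assumes the `DeviceInstanceID` field of the UserPnp 20001 record has already been extracted; the identifiers in `SAMPLE_IDS` are constructed.

```python
"""Decoding DeviceInstanceID values from UserPnp driver-installation events.

Added example, not code from the original article. It assumes the
DeviceInstanceID field of Microsoft-Windows-UserPnp event 20001 (System log)
has already been extracted; the identifiers below are constructed samples.
"""
import re
from collections import Counter

# USB instance IDs have the form USB\VID_xxxx&PID_xxxx\<serial or generated id>.
USB_RE = re.compile(r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$")

SAMPLE_IDS = [  # constructed
    r"USB\VID_0781&PID_5567\4C530001230212116243",   # mass storage with a real serial
    r"USB\VID_046D&PID_C52B\6&2ab0d9c5&0&1",         # device without a serial number
    r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230212116243&0",
    r"PCI\VEN_8086&DEV_15BC&SUBSYS_07BE1028&REV_21\3&11583659&0&FE",
]


def bus_of(instance_id):
    """Enumerator prefix (USB, USBSTOR, PCI, ...) before the first backslash."""
    return instance_id.split("\\", 1)[0].upper()


def parse_usb_instance_id(instance_id):
    """Split a USB instance ID into vendor ID, product ID and serial.

    Returns None for non-USB identifiers. When the device reports no serial
    number, Windows generates the last segment itself; such generated IDs
    carry '&' as their second character (e.g. 6&2ab0d9c5&0&1) and are not
    stable across machines, so 'serial' is None and 'unique' is False.
    """
    m = USB_RE.match(instance_id)
    if not m:
        return None
    vid, pid, tail = m.groups()
    generated = len(tail) > 1 and tail[1] == "&"
    return {"vid": vid.upper(), "pid": pid.upper(),
            "serial": None if generated else tail, "unique": not generated}


def device_inventory(instance_ids):
    """Per-bus counts plus the sorted set of trackable USB serial numbers."""
    buses = Counter(bus_of(i) for i in instance_ids)
    serials = set()
    for i in instance_ids:
        info = parse_usb_instance_id(i)
        if info and info["unique"]:
            serials.add(info["serial"])
    return {"buses": dict(buses), "usb_serials": sorted(serials)}


if __name__ == "__main__":
    for i in SAMPLE_IDS:
        print(bus_of(i), parse_usb_instance_id(i))
    print(device_inventory(SAMPLE_IDS))
```

A serial that is unique can be matched against the same device's appearance in other artefacts (for example the USBSTOR entry in the constructed list), which is how one USB stick is tied to several machines; a generated ID cannot be used that way.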
WPD Event IDs
- 24576: Successful installation
- 24577: Compatibility layer successfully registered
- 24578: Installation error
- 24579: Autoplay skipping
Networking Events
When a system attempts to connect to a wireless network, an event is logged by WLAN-AutoConfig that also stores the SSID of that connection. This event ID is 4000 in Windows 10, whereas in other operating systems it may differ. Event 6100 records information about the network interface, the SSID, and the diagnostic result of the wireless adapter.
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 4000 | WLAN AutoConfig service has successfully started | System | Figure 21: WLAN Service Started Event Example |
| 2 | 4001 | WLAN AutoConfig service has successfully stopped | System | Figure 22: WLAN Service Stopped Successfully |
| 3 | 4003 | WLAN AutoConfig detected limited connectivity | System | Figure 23: WLAN Limited Service |
| 4 | 6100 | Wireless network adapter diagnosis | System | Figure 24: WLAN Diagnosis Event Example |
Security State Change Events
Event IDs with Description
| S No. | Event ID | Description | Log Name | Exhibit |
|---|---|---|---|---|
| 1 | 4608 | Windows startup event (logged when LSASS.EXE starts and the auditing subsystem is initialized) | Security | Figure 25: Windows Startup Event Log |
| 2 | 4616 | The system time was changed | System | Figure 26: System Time Change Event Log |
| 3 | 4624 | Successful account logon | System | Figure 27: System Successful Logon Event Log |
| 4 | 4634 | Account logoff | System | Figure 28: Account Logoff Event Log |
| 5 | 4648 | A logon was attempted using explicit credentials | System | Figure 29: System Logon Attempt Using Explicit Credentials |
| 6 | 4672 | Special privileges assigned to a new logon (useful for detecting “super user” account logons) | System | Figure 30: Logon Event Type Special Logon |
| 7 | 4688 | A new process has been created | System | Figure 31: New Process Creation Event Log |
| 8 | 4720 | A user account was created | System | |
| 9 | 4722 | A user account was enabled | System | |
| 10 | 4724 | An attempt was made to reset an account’s password | System | Figure 34: Event source: [https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724] |
| 11 | 4826 | Boot Configuration Data loaded | System | Figure 35: Boot Configuration Data Loaded Event Log |
| 12 | 5024 | Windows Firewall service started successfully | System | Figure 36: Successful Firewall Service Starting Event Log |
| 13 | 5033 | Windows Firewall driver started successfully | System | Figure 37: New Process Creation Event Log |
| 14 | 5058/5061 | Key file operation / Windows cryptographic operation (stores cryptographic parameters along with the algorithm name) | System | Figure 38: Key File Operation Event Log |
| 15 | 6005 | Event Log service started | System | Figure 39: Event Log Service Started |
| 16 | 6006 | Event Log service stopped | System | Figure 40: Event Log Service Stopped |
| 17 | 6008 | Unexpected system shutdown | System | Figure 41: Unexpected Shutdown Event |
| 18 | 6013 | Shows system uptime | System | Figure 42: System Uptime Event |
| 19 | 1100 | Event logging service shutdown | System | Figure 43: Event Logging Service ShutDown Event Log |
| 20 | 1102 | Logs cleared | System | |
Best Practices
- Collect logs in a single place
  - If logs are stored in multiple locations, they become harder to parse and analyze in an investigation. For example, an organization may store the log files of its computers and network in archives for regular inspection of possible threats; if those archives are kept in multiple locations, it is much harder to analyze the logs from all of them manually.
- Segment different logs into different files so they are easy to access for research and reading
  - Keep the logs segmented into categories: for example, keep the Application, Security, System and Network logs in separate archives so that it is easier to parse a particular log during threat inspection.
- Analyze logs regularly for potential threats
  - Organizations should keep constant tabs on their archived event logs. Routine checks help identify undetected short- or long-term threats that may harm the data. The check can be done on a weekly or monthly basis; large corporations with a large volume of collected logs require daily checks to maintain their data integrity.
- Archive logs, do not overwrite them
  - In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
  - For an organization the default file size is not enough for log management, because older logs get overwritten by new ones. This is overcome by archiving: as new logs enter the system, older event logs are archived to a secure location, which also helps in troubleshooting the system when a problem is encountered.
- Limit access to a few personnel, and log every access
  - Access to the logs should be limited to authorized personnel only, such as the administrator and the log analyst who maintain the integrity of the logs and constantly observe them for potential threats.
- Regularly upgrade or update the log management infrastructure, if there is one
  - Log management is not an easy task. It takes experience and proper knowledge to manage logs and to find the threats that are critical to compromising the system.
  - Most organizations use a log management infrastructure or tool that makes handling event logs much easier. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.
- Use copies of logs for forensic investigation
  - Event logs are a great help in a forensic investigation, as each and every event is recorded in the log files.
  - Whenever an investigation uses event logs, create multiple copies of the acquired logs to maintain the integrity of the log data. This protects the original logs.
- Store multiple backups
  - Storing multiple backups of logs in a secured place is a good way to protect log data from attackers who may exploit the log infrastructure. If the original log archives are lost or encrypted, the backups help in identifying the root cause of the attack. There are two types of backups:
    - Hot backup: backup of the most recent logs (1 to 4 weeks)
    - Cold backup: backup of all logs for a long period of time (6 to 12 months)
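The archiving, "use copies" and "never overwrite" practices above come down to one mechanism: copy the log file to an archive location under a name that never collides, and keep a hash manifest so that later verification shows whether any archived copy has changed. As an added example (not code from the original article), the script below implements that with SHA-256; `demo()` runs the whole cycle in a temporary directory on a constructed placeholder file (not a real EVTX), including a simulated tampering of one copy.

```python
"""Archive log copies with a SHA-256 manifest and verify them later.

Added example, not code from the original article. File names, the
manifest format and the placeholder log content are assumptions of
this example.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large log files need not be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def archive_log(src, archive_dir):
    """Copy src into archive_dir under a timestamped, never-reused name.

    The copy is re-hashed and compared with the source before it is
    recorded in manifest.json; a mismatching copy is discarded.
    """
    src, archive_dir = Path(src), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = archive_dir / f"{src.stem}_{stamp}{src.suffix}"
    n = 1
    while dest.exists():  # never overwrite an earlier archived copy
        dest = archive_dir / f"{src.stem}_{stamp}_{n}{src.suffix}"
        n += 1
    shutil.copy2(src, dest)  # copy2 preserves the source timestamps
    digest = sha256_of(dest)
    if digest != sha256_of(src):
        dest.unlink()
        raise IOError(f"archived copy of {src} does not match its source")
    manifest = archive_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append({"file": dest.name, "sha256": digest,
                    "archived_utc": stamp, "source": str(src)})
    manifest.write_text(json.dumps(entries, indent=2))
    return dest, digest


def verify_archive(archive_dir):
    """Re-hash every archived file; return the names whose hash no longer matches."""
    archive_dir = Path(archive_dir)
    entries = json.loads((archive_dir / "manifest.json").read_text())
    return [e["file"] for e in entries
            if sha256_of(archive_dir / e["file"]) != e["sha256"]]


def demo():
    """Archive a placeholder log twice, verify, tamper with one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Security.evtx"
        src.write_bytes(b"ElfFile\x00" + b"\x00" * 64)  # constructed placeholder, not a real EVTX
        archive = Path(tmp) / "archive"
        first, _ = archive_log(src, archive)
        second, _ = archive_log(src, archive)   # same source again: new name, nothing overwritten
        mismatch_before = verify_archive(archive)
        first.write_bytes(b"tampered")            # simulate modification of an archived copy
        mismatch_after = verify_archive(archive)
        return {"distinct_copies": first != second,
                "mismatch_before": mismatch_before,
                "mismatch_after": mismatch_after,
                "tampered_name": first.name}


if __name__ == "__main__":
    print(demo())
```

The manifest itself should live on the write-once or access-logged storage the best-practice list calls for; a manifest stored next to the copies only detects accidental change, not an attacker who can rewrite both.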
Incident response teams play an important role in an organizational breach. There are certain steps and measures to follow once event logs show that a system has been compromised. IR teams can use the log data behind indicators of compromise (IOCs) to better understand how threats were able to infiltrate the system. IOCs help in identifying specific threats and provide valuable information; with their help, a forensic investigator can quickly locate and resolve any damage that may have been caused to the system.
Common Indicators of Compromise
- Unusual Outbound Network Traffic
- Changes in behaviour of privileged users
- Geographical irregularities in logins and access patterns from unusual locations
- Check for failed logins for the user accounts that do not exist
- Check for HTML response size if the attacker use SQL injection to extract data
- Check for Windows registry changes
- Unexpected patching of system or applications
- Check if data is stored in wrong places
The indicators of compromise listed above are some of the most common checks that help in identifying a system breach, but they are not always sufficient. Out-of-the-box thinking is necessary to investigate properly and to contain the attack. If the system logs indicate that the system has been compromised, these are the crucial steps to follow after an attack:
- Identify whether a critical attack has occurred
- Investigate the scope of the compromise
- Isolate the compromised system
- Back up important data
- Contain the attack
- Repair the system to prevent future attacks
- Document everything and create detailed reports
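Several of the indicators in the list above map directly onto Security-log fields: failed logons for accounts that do not exist are 4625 records whose `SubStatus` is `0xC0000064`, logins from unusual locations show up as 4624 records whose `IpAddress` lies outside the networks the organization expects, a change in a privileged user's behaviour can be approximated by 4672 (special privileges assigned) outside working hours, and a cleared Security log is event 1102. As an added example (not code from the original article), the script below runs those four checks over event records that are assumed to be already normalized into dicts with `EventID`, `TimeCreated` and a `Data` mapping; the records in `SAMPLE_EVENTS`, the expected-network list and the working-hours window are constructed assumptions.

```python
"""Indicator-of-compromise checks over normalized Windows event records.

Added example, not code from the original article. It assumes each event
has already been parsed into a dict with EventID, TimeCreated (ISO 8601,
UTC) and a Data mapping of the record's named fields; the records, the
expected networks and the working-hours window are constructed.
"""
from ipaddress import ip_address, ip_network

# 4625 SubStatus for "user name does not exist" (documented by Microsoft).
SUBSTATUS_NO_SUCH_USER = "0xc0000064"

EXPECTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4625, "TimeCreated": "2023-05-01T02:10:00Z",
     "Data": {"TargetUserName": "backup_admin", "SubStatus": "0xc0000064", "IpAddress": "203.0.113.45"}},
    {"EventID": 4625, "TimeCreated": "2023-05-01T02:10:03Z",
     "Data": {"TargetUserName": "sqlsvc", "SubStatus": "0xc0000064", "IpAddress": "203.0.113.45"}},
    {"EventID": 4625, "TimeCreated": "2023-05-01T09:00:00Z",   # wrong password, existing user
     "Data": {"TargetUserName": "alice", "SubStatus": "0xc000006a", "IpAddress": "10.0.0.5"}},
    {"EventID": 4624, "TimeCreated": "2023-05-01T09:00:10Z",
     "Data": {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "-"}},
    {"EventID": 4624, "TimeCreated": "2023-05-01T03:14:00Z",
     "Data": {"TargetUserName": "alice", "LogonType": "10", "IpAddress": "198.51.100.7"}},
    {"EventID": 4672, "TimeCreated": "2023-05-01T03:15:00Z",
     "Data": {"SubjectUserName": "alice"}},
    {"EventID": 1102, "TimeCreated": "2023-05-01T03:20:00Z",
     "Data": {"SubjectUserName": "alice"}},
]


def failed_logons_for_nonexistent_users(events):
    """4625 records whose SubStatus says the account does not exist (guessing or enumeration)."""
    return [(e["TimeCreated"], e["Data"].get("TargetUserName"), e["Data"].get("IpAddress"))
            for e in events
            if e["EventID"] == 4625
            and e["Data"].get("SubStatus", "").lower() == SUBSTATUS_NO_SUCH_USER]


def logons_from_unexpected_sources(events, expected_nets=EXPECTED_NETS):
    """Successful 4624 logons whose source address is outside the expected networks."""
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        raw = e["Data"].get("IpAddress", "-")
        try:
            ip = ip_address(raw)
        except ValueError:  # "-" or empty: local logon with no network source
            continue
        if ip.is_loopback or any(ip in net for net in expected_nets):
            continue
        hits.append((e["TimeCreated"], e["Data"].get("TargetUserName"), raw,
                     e["Data"].get("LogonType")))
    return hits


def privileged_logons_off_hours(events, start_hour=7, end_hour=19):
    """4672 (special privileges assigned) outside the expected working window."""
    out = []
    for e in events:
        if e["EventID"] == 4672:
            hour = int(e["TimeCreated"][11:13])
            if not (start_hour <= hour < end_hour):
                out.append((e["TimeCreated"], e["Data"].get("SubjectUserName")))
    return out


def log_clearing(events):
    """1102 records: the Security log was cleared, and by which account."""
    return [(e["TimeCreated"], e["Data"].get("SubjectUserName"))
            for e in events if e["EventID"] == 1102]


def run_iocs(events, expected_nets=EXPECTED_NETS):
    """Run every check and return the findings keyed by indicator."""
    return {
        "nonexistent_user_failures": failed_logons_for_nonexistent_users(events),
        "unexpected_source_logons": logons_from_unexpected_sources(events, expected_nets),
        "off_hours_privileged": privileged_logons_off_hours(events),
        "log_cleared": log_clearing(events),
    }


if __name__ == "__main__":
    for name, hits in run_iocs(SAMPLE_EVENTS).items():
        print(name, hits)
```

Each check on its own produces noise; in the constructed sample it is the sequence (guessing of non-existent accounts, then a remote logon from an unexpected address, privileged logon at 03:15 and a cleared log five minutes later) that turns the individual hits into a story worth the isolation and containment steps listed in this section.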
Conclusion
Windows is the most commonly used operating system in consumer and corporate computing environments, and one of the main features that enables the Windows forensic process is event logging. Event logs are very helpful in gathering potential evidence for an investigation unless the user has manually disabled the event logging service. Although event logging has some weaknesses, most of them can be overcome, which makes event logs an extremely valuable resource as part of the security monitoring process. Event logs can be analyzed using various techniques to look for malware on the system.
The Event Viewer first incorporated into Vista and later operating systems is capable of opening event logs stored in the previous EVT format, whereas earlier versions of Windows, for example Windows XP and Server 2003, are not able to read the newer EVTX format. Some of the important points of interest are described in this document for quick and effective analysis, presented with the respective event IDs that help unfold a forensic investigation.