Windows Event Logs can potentially be used by an examiner to show what a user has done on a computer. They can be used to assist in answering the question “could this happen?” Let's look at how Event Logs can assist examiner’s in their case analysis.
What are Event Logs?
Simply put, they are logs that record events that occur on a Windows computer. Event Logs are recorded automatically without user interaction.
Here is a list of the more common Event Logs:
- Application Log: Logs events by applications.
- Security Log: Contains log-on information.
- Setup Log: Application setup.
- System Log: Logs events pertinent to the Windows system.
Event Logs Contain
Here is a brief list of what Event Logs contain:
- Event ID: A number that identifies an event
- Record Number: Event IDs are created sequentially
- Source File: The file to which the Event Log is saved (from the list above)
- Date: The date and time the event was recorded
- Data: Information that describes the Event Log
Event Logs Location
On modern Windows systems (Vista and newer), Event Logs are saved in a .evtx format in the following location:
Let’s zero in on how Event Logs can be used in examinations. BlackLight® parses Event Logs, when selected under Advanced Options ➔ Operating System Event/Security Logs. In BlackLight® parsed Event Logs are found at System ➔ System Logs.
Windows records a user’s log-in activity in the Registry, telling examiners the last time the user logged into the system. But how can we tell how many times the user has logged into the system?
Event ID 4624 Successful Log-On Of An Account
Figure 1: Event Logs in BlackLight® filtered on Event ID 4624.
In BlackLight®, filtering for Event ID 4624 (the Event ID for a successful log-on) returns a lot of information. There are several types of log-on events , let’s look at a few.
Figure 2: Log-on Types
The chart above shows different log-on types (again not an exhaustive list). This information is stored in the Data field and can be further filtered so that we can determine actual log-ons.
Figure 3: Filtering on Event ID 4624 and LogonType: 2
Event ID 4647 User Initiated Log-Off
When a user initiates a log-off from the system, an Event Log is created. We can filter for that particular Event ID and determine the date and time a user logged off the computer.
Figure 4: Filtering on Event ID 4647 user initiated Log-Off.
Changing The Date And Time
If a user changes the date and time of a computer as a way of thwarting an investigation, or to hide his activity, examiners can use Event Logs to determine that the date and time was changed; further examiner’s can determine exactly when the date and time was changed. Event ID 1 Clock Change
Figure 5: Event Logs showing Event ID 1 Clock Change.
In Figure 5 evidence is displayed that emphatically shows a change in the clock on the Windows computer from 2017-01-23 (10:12:11 EST) to 2016-12-23 (15:17:08 EST).
Event Record Numbers
Remembering what was mentioned earlier, Event Logs are created sequentially and receive a Record Number upon creation. Because so much is recorded by Event Logs, if examiners sort on the Record Number the change in the date and time will be easy to spot.
Figure 6: Event Logs sorted by Record Number showing a change in clock time.
Figure 6 shows Event Logs sorted by Record Number, we note the date and time change.
Although often over looked in examinations, Event Logs can be a powerful ally in attempting to prove what has occurred on the computer.