Leveraging Windows Event Logs in Examinations

Welcome to the third post in our Windows Forensic Essentials Blog Series. View our previous posts on Jump Lists and the Recycle Bin.

Windows Event Logs can potentially be used by an examiner to show what a user has done on a computer.  They can be used to assist in answering the question “could this happen?” Let's look at how Event Logs can assist examiners in their case analysis.

What are Event Logs?

Simply put, they are logs that record events that occur on a Windows computer.  Event Logs are recorded automatically without user interaction.

Event Logs

Here is a list of the more common Event Logs:

  • Application Log: Logs events by applications.
  • Security Log: Contains log-on information.
  • Setup Log: Application setup.
  • System Log: Logs events pertinent to the Windows system.

Event Logs Contain

Here is a brief list of what Event Logs contain:

  • Event ID: A number that identifies an event
  • Record Number: A sequential number assigned to each event record as it is created
  • Source File: The file to which the Event Log is saved (from the list above)
  • Date: The date and time the event was recorded
  • Data: Information that describes the Event Log

Event Logs Location

On modern Windows systems (Vista and newer), Event Logs are saved in a .evtx format in the following location:

  • C:\Windows\System32\winevt\Logs\

Analysis

Let’s zero in on how Event Logs can be used in examinations.   BlackLight® parses Event Logs, when selected under Advanced Options ➔ Operating System Event/Security Logs.  In BlackLight® parsed Event Logs are found at System ➔ System Logs.

Log-On Events

Windows records a user’s log-in activity in the Registry, telling examiners the last time the user logged into the system.  But how can we tell how many times the user has logged into the system?

Event ID 4624 Successful Log-On Of An Account

Figure 1: Event Logs in BlackLight® filtered on Event ID 4624.

In BlackLight®, filtering for Event ID 4624 (the Event ID for a successful log-on) returns a lot of information.  There are several types of log-on events; let’s look at a few.

Figure 2: Log-on Types

The chart above shows different log-on types (again not an exhaustive list).  This information is stored in the Data field and can be further filtered so that we can determine actual log-ons.

Figure 3: Filtering on Event ID 4624 and LogonType: 2

Event ID 4647 User Initiated Log-Off

When a user initiates a log-off from the system, an Event Log is created.  We can filter for that particular Event ID and determine the date and time a user logged off the computer.

Figure 4: Filtering on Event ID 4647 User Initiated Log-Off.

Changing The Date And Time

If a user changes the date and time of a computer as a way of thwarting an investigation, or to hide his activity, examiners can use Event Logs to determine that the date and time was changed; further, examiners can determine exactly when the date and time was changed.

Event ID 1 Clock Change

Figure 5: Event Logs showing Event ID 1 Clock Change.

In Figure 5 evidence is displayed that emphatically shows a change in the clock on the Windows computer from 2017-01-23 (10:12:11 EST) to 2016-12-23 (15:17:08 EST).

Event Record Numbers

Remembering what was mentioned earlier, Event Logs are created sequentially and receive a Record Number upon creation.  Because so much is recorded by Event Logs, if examiners sort on the Record Number the change in the date and time will be easy to spot.

Figure 6: Event Logs sorted by Record Number showing a change in clock time.

Figure 6 shows Event Logs sorted by Record Number; the date and time change stands out clearly.
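The filters applied in BlackLight® above (Event ID 4624 with LogonType 2, Event ID 4647 log-offs, Event ID 1 clock changes, and the Record Number sort that exposes a clock change) written out as an added example; this is not code from the original post or from BlackLight®. The event records are constructed for illustration; the data field names (LogonType, TargetUserName, OldTime, NewTime) are the ones the real events carry.

```python
from datetime import datetime

# Constructed sample records (not from a real system). Each mirrors what an
# .evtx record holds: Event ID, Record Number, time written, and data fields.
EVENTS = [
    {"record": 101, "event_id": 4624, "time": "2017-01-23T10:05:40",
     "data": {"TargetUserName": "jsmith", "LogonType": "2"}},
    {"record": 102, "event_id": 4624, "time": "2017-01-23T10:06:02",
     "data": {"TargetUserName": "SYSTEM", "LogonType": "5"}},   # service log-on
    {"record": 103, "event_id": 4624, "time": "2017-01-23T10:08:15",
     "data": {"TargetUserName": "jsmith", "LogonType": "3"}},   # network log-on
    {"record": 104, "event_id": 1, "time": "2016-12-23T15:17:08",
     "data": {"OldTime": "2017-01-23T10:12:11", "NewTime": "2016-12-23T15:17:08"}},
    {"record": 105, "event_id": 4647, "time": "2016-12-23T15:30:00",
     "data": {"TargetUserName": "jsmith"}},
]

def interactive_logons(events):
    """Event ID 4624 with LogonType 2: a user actually logging on at the console."""
    return [e for e in events
            if e["event_id"] == 4624 and e["data"].get("LogonType") == "2"]

def logon_count(events, user):
    """How many times a given account logged on interactively (Figure 3)."""
    return sum(1 for e in interactive_logons(events)
               if e["data"].get("TargetUserName") == user)

def user_logoffs(events):
    """Event ID 4647: user-initiated log-off (Figure 4)."""
    return [e for e in events if e["event_id"] == 4647]

def clock_changes(events):
    """Explicit clock-change records (Event ID 1) as (old time, new time) pairs."""
    return [(e["data"]["OldTime"], e["data"]["NewTime"])
            for e in events if e["event_id"] == 1]

def time_regressions(events):
    """Sort by Record Number and report each place the recorded time moves
    backwards between consecutive records (the Figure 6 check); this works
    even if no Event ID 1 record survives."""
    ordered = sorted(events, key=lambda e: e["record"])
    found = []
    for prev, cur in zip(ordered, ordered[1:]):
        if datetime.fromisoformat(cur["time"]) < datetime.fromisoformat(prev["time"]):
            found.append((prev["record"], cur["record"]))
    return found
```

Run against real records, the same functions apply once the .evtx data fields have been parsed into the dictionaries shown.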

Conclusion

Although often overlooked in examinations, Event Logs can be a powerful ally in attempting to prove what has occurred on the computer.
