Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007

1 Introduction

1.1 Project Overview
The Windows event log is used in digital forensic cases, but unfortunately it is flawed in many ways and often cannot be regarded as a verifiable method of determining events. In the past few years there have been a few highly publicised cases where the data contained within the event log was used to successfully secure a conviction.
Dr Harold Shipman used a database program for storing information about his patients. Whenever anything was added or modified in the database it automatically filled in the time and date. Dr Shipman used his knowledge of computers to roll back the system time and date so that he could enter false information about his patients and their medical conditions after he had killed them. What Dr Shipman was unaware of was that when the system time and date is altered it shows up in the Windows event log. This information was successfully used in court to prove that he had falsified his patients' records after they had passed away.
In America the collapse of Enron and WorldCom spurred the introduction of the Sarbanes-Oxley Act in 2002. This piece of US legislation places greater focus on the auditing process within an IT department: it expects that the IT staff will risk-assess the auditing process and introduce controls that increase the security and integrity of this process. Although this piece of legislation currently applies only in America, the UK's Financial Services Authority is in the process of implementing a similar piece of legislation here in the UK. It is currently being referred to as Europe-SOX or SOX-Lite and, just like its American big brother, it too places greater emphasis on the credibility of audit logs.
As previously mentioned, these logs can be used in digital forensic cases to provide an insight into what the computer system has been used for, when it has been used and who was using it. Unfortunately the audit logs are not stored securely on the computer system. Anyone who has administrative privileges can turn off the logging service. They can subsequently edit the contents of the logs, delete the logs, and replace the entire log with one from another machine. Physical access to the computer
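The weaknesses described above (a clock that can be rolled back, a logging service that can be stopped, records that can be deleted) each leave a trace that a reviewer can look for in the record sequence itself. The following Python script is an added example, not code or data from the dissertation: it runs three consistency checks over a small set of constructed event records in an assumed exported form (record number, ISO-8601 timestamp, event ID). The event IDs it recognises are the Windows security-log IDs for a time change, an audit-log clear and a logging-service shutdown (520 and 517 on XP/2003; 4616, 1102 and 1100 on Vista and later); the record layout is an assumption standing in for whatever an EVT/EVTX parser or Event Viewer export would produce.

```python
"""Consistency checks over exported Windows event records (added example).

The record format below (dict with record number, ISO timestamp, event ID)
is an assumption; real exports would be normalised into this shape first.
"""
from datetime import datetime

# Security-log event IDs that bear on log integrity. The 5xx values are the
# Windows XP/2003 IDs; 1100/1102/4616 are their Vista-and-later equivalents.
INTEGRITY_EVENT_IDS = {
    517: "audit log cleared (XP/2003)",
    520: "system time changed (XP/2003)",
    1100: "event logging service shut down",
    1102: "audit log cleared",
    4616: "system time changed",
}

# Constructed sample records. Record 4 carries a timestamp earlier than
# record 3 (clock rolled back between writes), record 5 is missing from the
# sequence, and record 6 is a log-cleared event.
SAMPLE_RECORDS = [
    {"record": 1, "time": "2007-03-12T09:00:00", "event_id": 4624},  # logon
    {"record": 2, "time": "2007-03-12T09:05:00", "event_id": 4616},  # time changed
    {"record": 3, "time": "2007-03-12T09:06:00", "event_id": 4624},
    {"record": 4, "time": "2007-03-10T14:30:00", "event_id": 4624},  # earlier than record 3
    {"record": 6, "time": "2007-03-10T14:45:00", "event_id": 1102},  # audit log cleared
]


def parse_records(raw):
    """Parse ISO timestamps and order the records by record number."""
    parsed = [dict(r, time=datetime.fromisoformat(r["time"])) for r in raw]
    return sorted(parsed, key=lambda r: r["record"])


def find_time_regressions(records):
    """Return (earlier_record, later_record) pairs whose timestamps go backwards.

    Records are written in record-number order, so a later record with an
    earlier timestamp means the system clock was set back between the writes.
    """
    return [
        (prev["record"], cur["record"])
        for prev, cur in zip(records, records[1:])
        if cur["time"] < prev["time"]
    ]


def find_sequence_gaps(records):
    """Return record numbers missing from an otherwise consecutive run.

    Heuristic only: an export may legitimately start part-way through a log,
    but a hole in the middle of a run points at removed records.
    """
    numbers = [r["record"] for r in records]
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def find_integrity_events(records):
    """Return (record, event_id, description) for events that touch log integrity."""
    return [
        (r["record"], r["event_id"], INTEGRITY_EVENT_IDS[r["event_id"]])
        for r in records
        if r["event_id"] in INTEGRITY_EVENT_IDS
    ]


def review(raw):
    """Run all three checks over raw exported records and return the findings."""
    records = parse_records(raw)
    return {
        "time_regressions": find_time_regressions(records),
        "sequence_gaps": find_sequence_gaps(records),
        "integrity_events": find_integrity_events(records),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_RECORDS).items():
        print(f"{name}: {findings}")
```

A timestamp that moves backwards between consecutive record numbers is the same artefact the Shipman case turned on, but read from the log's own ordering rather than from a single time-change event, so it still surfaces when the explicit event has been removed. The sequence-gap check is weaker evidence on its own and should be confirmed against how the export was taken before any conclusion is drawn from it.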