Analysis and Evaluation of the Windows Event Log - Bill Buchanan

More documents

Recommendations

Info

Barrie Codona, BSc (Hons) Network Computing, 2007 2 Literature Review 2.1 Introduction The aim of this literature review is to present to the reader current techniques and research that is being utilised and developed in the Log Management field, and how Digital Forensics are used to analyse these log files. It will also take a look at some of the techniques that are being used to disrupt a forensic investigation. By identifying these techniques, it is intended that this will have an influence on the design of the system that is to be developed with the aim of improving the overall security and credibility of the Windows Event Logging system. 2.2 Digital Forensics Crimes involving computers have increased dramatically over the last 10 years. This is due to the cost of owning a computer and having an internet connection decreasing, therefore more people are buying computers and more people are subsequently using the internet to facilitate their crimes. The Parliamentary Office of Science and Technology (Postnote, 2006) define some types of computer crime as storing illegal images, copyright violations, phishing, denial of service attacks and creating viruses. In similarity to the physical world, when a crime is committed there is always some form of evidence left behind, this is where digital forensics comes in. Digital forensics is the science of being able to extract digital evidence from computers and other electronic devices “to aid the legal process” (Brown, 2006). According to Rogers (2005) of Purdue University, this is achieved by “identification, collection, examination and analysis” of the data that is contained on storage devices with the aim of discovering incriminating digital information (Nair, 2006). This section presents to the reader some of the techniques that are currently used during such an investigation and how the Windows event log would be used to assist an investigation by recreating a timeline of events. 13
Barrie Codona, BSc (Hons) Network Computing, 2007 There are several stages that take place during an investigation and according to Palmer (2001) these are identification, preparation, approach strategy, preservation, collection, examination, analysis, presentation and returning evidence Spafford (2004) describe this model as “The Abstract Digital Forensics Model”. They also mention that this model is generally a good reflection of the forensic process, and that the four main stages are “preservation, collection, examination, and analysis”. • Preservation. This is the first phase of a digital investigation preserves the crime scene (Spafford, 2004). It involves creating a mirror copy of any hard discs and removable media, and if the computer is in a running state, creating a dump of its memory. This will allow the recreation of an exact copy of the system in a lab environment. • Collection. This stage involves creating a record of the actual physical scene and creating a copy of any digital data that may be available. Cohen (2006) describes the following as good practice. To remove all equipment and cables, label, and record details, and search the area for diaries, notebooks and papers (especially look for passwords or other similar notes). Ask the user for passwords and record these, and then submit the equipment for forensic examination. In addition, The National Institute of Standards and Technology (NIST, 2006) state that the data should be captured using procedures that preserve the integrity of the data. • Examination. This stage, according to Baryamureeba (2004) is an in-depth systematic search of evidence, the examination of collected data through a combination of automated and manual methods (NIST, 2006). But may also include other items such as log files, data files containing specific phrases, timestamps, and so on (Gladyshev, 2004). • Analysis. The NIST (2006) describe this stage as analysing the results of the examination, using legally justifiable methods and techniques, it is also the determination of the significance, reconstructing fragments of data and drawing conclusions based on evidence found (Spafford, 2004). 14
Page 1 and 2: Analysis and Evaluation of the Wind
Page 3 and 4: Barrie Codona, BSc (Hons) Network C
Page 13: Barrie Codona, BSc (Hons) Network C
Page 65 and 66:
Barrie Codona, BSc (Hons) Network C
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Appendix A: Diary Sheets
Page 77 and 78:
NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Appendix B: Preliminary Gantt Chart
Page 87 and 88:
Nov '07 Dec '07 Jan '08 Feb '08 Mar
Page 89 and 90:
C:\Documents and Settings\Barrie\My
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Appendix D: Server Application Code
Page 97 and 98:
Page 99 and 100:
Appendix E: Event Viewer Code
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Appendix G: Processor Monitor Code
Page 107 and 108:
Appendix H: HMAC Brute Force Cracke
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Appendix I: Windows Event Log Tests
Page 115 and 116:
Copy Security Log C:\windows\system
Page 117 and 118:
Another look at the Security Log re
Page 119 and 120:
The Event Service is then restarted
Page 121 and 122:
Another look at the ‘c:\windows\s
Page 123 and 124:
CO42019 - Project 4 Computer Name P
Page 125 and 126:
CO42019 - Project 4 Turned off the
Page 127 and 128:
CO42019 - Project 4 And then restar
Page 129 and 130:
CO42019 - Project 4 Modify the ‘l
Page 131 and 132:
CO42019 - Project 4 Project - Week
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
CO42019 - Project 4 As previously d
Page 139 and 140:
CO42019 - Project 4 The screenshot
Page 141 and 142:
CO42019 - Project 4 Displaying the
Page 143 and 144:
CO42019 - Project 4 Modifying the r
Page 145 and 146:
CO42019 - Project 4 Master File Tab
Page 147 and 148:
CO42019 - Project 4 Modify the sect
Page 149 and 150:
CO42019 - Project 4 Sectors 3748520
Page 151 and 152:
CO42019 - Project 4 This now shows
show all

Analysis and Evaluation of the Windows Event Log - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?