Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007<br />
Several stages take place during an investigation. According to Palmer (2001) these are identification, preparation, approach strategy, preservation, collection, examination, analysis, presentation and returning evidence. Spafford (2004) describes this model as "The Abstract Digital Forensics Model". The same work also notes that this model is generally a good reflection of the forensic process, and that its four main stages are "preservation, collection, examination, and analysis".
• Preservation. This first phase of a digital investigation preserves the crime scene (Spafford, 2004). It involves creating a mirror copy of any hard discs and removable media and, if the computer is in a running state, creating a dump of its memory. This allows an exact copy of the system to be recreated in a lab environment.
• Collection. This stage involves creating a record of the actual physical scene and creating a copy of any digital data that may be available. Cohen (2006) describes the following as good practice: remove all equipment and cables, label them and record their details, and search the area for diaries, notebooks and papers (looking especially for passwords or other similar notes). Ask the user for passwords and record these, and then submit the equipment for forensic examination. In addition, the National Institute of Standards and Technology (NIST, 2006) states that the data should be captured using procedures that preserve the integrity of the data.
• Examination. According to Baryamureeba (2004) this stage is an in-depth, systematic search for evidence: the examination of the collected data through a combination of automated and manual methods (NIST, 2006). It may also cover other items such as log files, data files containing specific phrases, timestamps, and so on (Gladyshev, 2004).
• Analysis. NIST (2006) describes this stage as analysing the results of the examination using legally justifiable methods and techniques; it is also the determination of the significance of the evidence, the reconstruction of fragments of data and the drawing of conclusions based on the evidence found (Spafford, 2004).
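As an added illustration of the integrity requirement in the preservation and collection stages (example code written for this edit, not part of Codona's dissertation or of any source it cites), the script below acquires a copy of a constructed sample "evidence" file, hashes the source stream and the written image independently, records the digest in a chain-of-custody manifest line, and verifies the image afterwards, showing that a single changed byte is detected. The file names, the examiner identifier and the manifest format are assumptions made for the example.

```python
"""Added example: integrity-preserving acquisition of a digital image.

The bytes read from the source and the image written to disk are hashed
separately, so the examiner can show the copy is bit-for-bit identical to
the original and that the write itself succeeded. A manifest line records
the digest for the chain of custody. Not code from the dissertation; the
evidence file is constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so large images are never loaded whole into memory


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image while hashing the bytes read, then re-hash the
    image on disk independently so a write error shows up as a mismatch."""
    h_src = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    return h_src.hexdigest(), sha256_file(image_path)


def manifest_line(image_path, digest, examiner):
    """One chain-of-custody record; the tab-separated format is an assumption."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp}\t{examiner}\t{os.path.basename(image_path)}\tsha256={digest}"


def verify_image(image_path, expected_digest):
    """Re-hash the image and compare it with the recorded digest."""
    return sha256_file(image_path) == expected_digest


def demo():
    """Acquire a constructed 'evidence' file, then flip one byte of the image
    and show that verification fails. Returns the results as a dict."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "evidence.bin")  # hypothetical source device
        image = os.path.join(work, "evidence.dd")    # hypothetical image file
        # Constructed sample data, larger than one chunk to exercise chunking.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 8192)        # 2 MiB
        src_digest, img_digest = acquire_image(source, image)
        record = manifest_line(image, img_digest, "examiner-01")  # assumed id
        clean = verify_image(image, img_digest)
        # Tamper with a single byte of the image: the digest must no longer match.
        with open(image, "r+b") as f:
            f.seek(12345)
            original = f.read(1)
            f.seek(12345)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_image(image, img_digest)
    return {
        "source_matches_image": src_digest == img_digest,
        "verified_clean": clean,
        "verified_after_tamper": tampered,
        "manifest": record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the source would be a block device opened read-only behind a write blocker and the manifest would be signed or countersigned by a second examiner; the hashing and verification logic stays the same.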
14