Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007
Ryan Harris of Purdue University (2006) proposes grouping anti-forensic attacks into four categories, each of which is further subdivided into physical and digital groups. The categories he suggests are evidence destruction, evidence hiding, evidence source elimination and evidence counterfeiting.
• Evidence Destruction. Destroying evidence, according to Harris (2006), partially or completely obliterates the evidence, rendering it useless to a forensic investigation. One technique used to achieve this is zero-footprinting: methods that seek to eliminate all residual traces of an attack so that computer forensic operators cannot obtain any results (Forte, 2007).
• Evidence Hiding. Harris (2006) states that hiding evidence is the act of removing evidence from view so that it is less likely to be incorporated into the forensic process. The evidence is not destroyed or manipulated; it is merely made less visible to the investigator. This can be achieved with techniques such as steganography or cryptography. Kessler (2004) describes steganography as the art of covered, or hidden, writing, whose purpose is to hide information from a third party. Cryptography, on the other hand, is the art of secret writing; it differs from steganography in that it does not hide the fact that a secret communication is taking place between two parties, so the encrypted data itself remains visible as an artefact.
• Evidence Source Elimination. Disabling the Windows event log or any other auditing system hinders an investigation because data about the activities is never recorded in the first place; Harris (2006) writes "There is no need to destroy evidence since it is never created". This is similar to a burglar wearing gloves so as not to leave fingerprints at the scene of the crime. Shutting off an auditing system before the act implies that some degree of planning was involved, and the act of disabling it can itself leave a trace (an audit-policy change or a gap in the log).
• Evidence Counterfeiting. This involves changing the data contained within the event log: the timestamps, usernames and/or machine names. At the kernel level it can also involve changing the Modified, Accessed, Created and Entry-modified (MACE) attributes of a file, where the entry-modified time is the change time of the file's MFT record. Evidence counterfeiting is the act of creating a faked version of the evidence which is designed to appear to be something else (Harris, 2006).
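As an added example, and not code from the dissertation or from Harris (2006), the following Python script applies heuristic checks for the last two categories, evidence source elimination and evidence counterfeiting, to a constructed Security log export and a constructed pair of NTFS timestamp sets. The event IDs are the real Security log IDs for "audit log cleared" (517 on Windows 2000/XP/2003, 1102 on Vista and later) and "audit policy changed" (612, and 4719 on Vista and later); the sample records, the field names, the four-hour gap threshold and the host name WS01 are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Security log event IDs that report the auditing system itself being altered.
# 517 ("audit log cleared") and 612 ("audit policy changed") are the Windows
# 2000/XP/2003 IDs; 1102 and 4719 are their Vista-and-later equivalents.
LOG_CLEARED = {517, 1102}
POLICY_CHANGED = {612, 4719}
AUDIT_TAMPERING = LOG_CLEARED | POLICY_CHANGED

# Constructed sample of a Security log export (not real data): "record" is
# the sequential record number, "time" the TimeGenerated field, "computer"
# the source machine. The anomalies each check looks for are planted here.
SAMPLE_EVENTS = [
    {"record": 1001, "time": "2007-03-01T09:00:00", "event_id": 528, "computer": "WS01", "user": "alice"},
    {"record": 1002, "time": "2007-03-01T09:05:00", "event_id": 560, "computer": "WS01", "user": "alice"},
    {"record": 1003, "time": "2007-03-01T09:06:00", "event_id": 612, "computer": "WS01", "user": "alice"},
    # no records between 09:06 and 17:30: auditing switched off, then back on
    {"record": 1004, "time": "2007-03-01T17:30:00", "event_id": 612, "computer": "WS01", "user": "alice"},
    # written after record 1004 but carrying an earlier timestamp
    {"record": 1005, "time": "2007-03-01T17:29:00", "event_id": 528, "computer": "WS01", "user": "bob"},
    # machine name that does not belong to the host the log was taken from
    {"record": 1006, "time": "2007-03-01T17:35:00", "event_id": 528, "computer": "WS09", "user": "bob"},
    {"record": 1007, "time": "2007-03-01T17:40:00", "event_id": 517, "computer": "WS01", "user": "bob"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _by_record(events):
    return sorted(events, key=lambda e: e["record"])


def audit_tampering_events(events):
    """Record numbers whose event ID reports the log cleared or audit policy changed."""
    return [e["record"] for e in events if e["event_id"] in AUDIT_TAMPERING]


def silent_gaps(events, max_gap=timedelta(hours=4)):
    """(previous, next) record-number pairs more than max_gap apart in time.

    A long silence bracketed by policy-change events is the signature of
    auditing having been disabled and re-enabled; on its own a gap may just
    be an idle machine, so the threshold is a tunable assumption."""
    ordered = _by_record(events)
    return [(p["record"], c["record"]) for p, c in zip(ordered, ordered[1:])
            if _ts(c) - _ts(p) > max_gap]


def time_regressions(events):
    """Record numbers whose timestamp precedes that of the record before it.

    The event log service assigns record numbers sequentially, so time
    running backwards means the clock was moved or the entry was rewritten;
    a clock-change event in the same window explains the benign case."""
    ordered = _by_record(events)
    return [c["record"] for p, c in zip(ordered, ordered[1:]) if _ts(c) < _ts(p)]


def foreign_computer_names(events, expected):
    """Record numbers that claim a source machine other than the host the log came from."""
    return [e["record"] for e in events if e["computer"] != expected]


# NTFS stores two sets of MACE timestamps per file: $STANDARD_INFORMATION
# ($SI), which user-mode APIs can rewrite, and $FILE_NAME ($FN), which only
# the kernel updates. Timestamp-altering tools rewrite $SI, so $SI values
# older than the $FN creation time, or with the sub-second part zeroed,
# are the usual indicators of counterfeited file times. Constructed sample:
SAMPLE_SI = {"modified": datetime(2005, 1, 1), "accessed": datetime(2005, 1, 1),
             "created": datetime(2005, 1, 1), "entry_modified": datetime(2005, 1, 1)}
SAMPLE_FN = {"modified": datetime(2007, 3, 1, 17, 32, 10, 123456),
             "accessed": datetime(2007, 3, 1, 17, 32, 10, 123456),
             "created": datetime(2007, 3, 1, 17, 32, 10, 123456),
             "entry_modified": datetime(2007, 3, 1, 17, 32, 10, 123456)}


def suspicious_mace(si, fn):
    """Reasons the $SI timestamps look altered relative to $FN (empty if none)."""
    reasons = []
    if si["created"] < fn["created"]:
        reasons.append("$SI created predates $FN created")
    if all(t.microsecond == 0 for t in si.values()) and any(t.microsecond for t in fn.values()):
        reasons.append("$SI sub-second precision zeroed while $FN keeps it")
    return reasons


if __name__ == "__main__":
    print("audit tampering events:", audit_tampering_events(SAMPLE_EVENTS))
    print("silent gaps:", silent_gaps(SAMPLE_EVENTS))
    print("timestamp regressions:", time_regressions(SAMPLE_EVENTS))
    print("foreign computer names:", foreign_computer_names(SAMPLE_EVENTS, "WS01"))
    print("MACE findings:", suspicious_mace(SAMPLE_SI, SAMPLE_FN))
```

Run directly, the script prints the planted findings: the two policy-change records and the log-cleared record, the silent gap between records 1003 and 1004, the backwards timestamp on record 1005, the foreign machine name on record 1006, and both $SI/$FN indicators. In practice the records would come from an exported log and the $SI/$FN times from the MFT; each finding is an indicator to corroborate rather than proof of tampering, since a legitimate clock change produces the same regression and an idle machine produces the same gap.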