Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007
Experiment 2 - Copying the Event Log. This experiment will demonstrate that it is possible to take a copy of the Event Log while it is still running. This shows how it is possible to generate an event log file that can then either be edited or copied across to another machine.

Experiment 3 - Swapping the Event Log from one computer to another. This experiment will investigate whether it is possible to replace the Event Log on Server A with that of Server B, and if it is possible, whether doing so produces any errors. This i

Experiment 4 - Modify the ‘logon ID’. This experiment will involve using a Hex Editor to modify the binary data that is contained within the Event Log, specifically the Logon ID that represents a specific user, for example trying to replace User A with User B. This could be used by someone who intends to frame another person or to cover their tracks.

Experiment 5 - How the event log stores the time. This experiment will take a closer look at how and where the Event Log stores the time at which an event happened. It will also analyse the format that is used. This leads on to the next experiment.

Experiment 6 - Modify the 32-bit time. This experiment will attempt to change the timestamp, using a Hex Editor, that has been applied to a specific event. If this is possible then it could be used to disrupt the timeline of events that have happened, and as such would slow down a digital forensic investigation.

Experiment 7 - Automatically replacing the ‘SecEvent.Evt’ file. This experiment will look at the possibility of writing a script that could be used to automatically replace the Event Log; the purpose of this is to prove that it is possible to automate this process and to identify what happens on the system.

Experiment 8 - Master File Table. This section will take a closer look at how NTFS stores files on a computer system. With this information an attempt will be made to modify the event log by directly accessing its data on the hard disk while the Event Logging Service is still running. The purpose of this is to bypass the need to stop the event log service.
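Experiments 5 and 6 concern the 32-bit timestamps held in the .evt file. The Python script below is added here as an illustration and is not part of the dissertation: it parses the fixed EVENTLOGRECORD header of the classic .evt format and flags records whose TimeGenerated and TimeWritten values contradict the append-only order of the log, the kind of consistency check an examiner would run over a copied SecEvent.Evt. The record builder, the host name and the timestamps are constructed test data, not values from the dissertation.

```python
import struct
from datetime import datetime, timezone

# 56-byte little-endian EVENTLOGRECORD header (classic .evt); both times are 32-bit Unix seconds.
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
LFLE = 0x654C664C  # "LfLe" magic that opens every record

def build_record(number, generated, written, event_id=528):
    """Constructed test record: header, Source/Computer strings, padding, trailer."""
    body = "Security\0HOST\0".encode("utf-16-le")
    raw = HEADER.size + len(body) + 4          # header + strings + length trailer
    length = (raw + 3) & ~3                    # records are DWORD aligned
    header = HEADER.pack(length, LFLE, number, generated, written, event_id,
                         8, 0, 0, 0, 0, HEADER.size + len(body), 0, 0, 0, 0)
    return header + body + b"\0" * (length - raw) + struct.pack("<I", length)

def parse_records(blob):
    """Yield one dict per record; raise on a damaged header or trailer."""
    pos = 0
    while pos + HEADER.size <= len(blob):
        f = HEADER.unpack_from(blob, pos)
        length = f[0]
        if f[1] != LFLE or length < HEADER.size + 4 or pos + length > len(blob):
            raise ValueError(f"damaged record header at offset {pos}")
        if struct.unpack_from("<I", blob, pos + length - 4)[0] != length:
            raise ValueError(f"length trailer mismatch in record {f[2]}")
        yield {"number": f[2], "generated": f[3], "written": f[4], "event_id": f[5]}
        pos += length

def time_anomalies(records):
    """Flag timestamps that contradict the append-only order of the log."""
    findings, prev = [], None
    for r in records:
        if r["written"] < r["generated"]:
            findings.append((r["number"], "written before generated"))
        if prev is not None and r["generated"] < prev["generated"]:
            findings.append((r["number"], "generated earlier than previous record"))
        prev = r
    return findings

def to_utc(ts):
    """Render a 32-bit .evt timestamp as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

if __name__ == "__main__":
    base = 1_180_000_000  # constructed: late May 2007
    log = (build_record(1, base, base) + build_record(2, base - 3600, base + 60)
           + build_record(3, base + 120, base + 100))
    for number, reason in time_anomalies(parse_records(log)):
        print(f"record {number}: {reason}")
```

A record whose TimeGenerated precedes that of its predecessor, or whose TimeWritten precedes its own TimeGenerated, cannot have been produced by the service appending normally and merits a closer look.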