Analysis and Evaluation of the Windows Event Log - Bill Buchanan

More documents

Recommendations

Info

Barrie Codona, BSc (Hons) Network Computing, 2007 could be monitored for any copying, writing or deleting then it could be said that it would be possible to highlight a possible attack on the integrity of its data. Also, being able to monitor the status of the Event Logging Service, using the system registry, would highlight if it had been changed from automatic to disabled. The design of the system will be based upon these findings. It will disallow any physical access to the event logs and will also produce a hash signature that will highlight if any changes have been made. 29
Barrie Codona, BSc (Hons) Network Computing, 2007 4 Design 4.1 Introduction One of the objectives of this project is to design a suitable software solution that is based upon research done. This chapter aims to deliver a prototype system that is based upon the findings in the previous Literature Review and Windows Event Log chapters. The main influence in the design of this system has to be that of the blackbox concept that was previously discussed, in theory this would be a secure off-site data storage facility that would provide the ability to write custom event logs, without having access to be able to modify or delete them, essentially a write once environment. Each event will also have a hash signature attached to, so that if anyone attempts to modify them this will be highlighted. 4.2 High-Level Design This application will consist of three separate components, an event logger, a data archiving system and a separate event viewer. The event logger will reside on the computer system that is to be monitored. When it is first started it will prompt the user to enter a key that will be used for generating a hash signature. It will watch for changes that happen to the file system, files being created modified, deleted and renamed. When one of these events happens it will create a hash signature for it. It is then encrypted and sent to the data archiving system. The data archiving system receives the data from the event logger and decrypts it. It then applies a time stamp to the data before it is written to an event log. The event log is then read by the event viewer, it displays all the information about the selected event to the user in a format that is easily readable. It also allows the user to enter the key that was used for generating the original hash signature. The event viewer will then use this key to generate a new signature based upon the contents of the log file and compare it to the signature that is held on file for this particular event. So long as the data within the log file has not been modified the signatures will match. This will authenticate the message as being genuine. Figure 7 shows the communications that take place between the event logger and data archiving systems. 30
Page 1 and 2: Analysis and Evaluation of the Wind
Page 3 and 4: Barrie Codona, BSc (Hons) Network C
Page 29: Barrie Codona, BSc (Hons) Network C
Page 75 and 76: Appendix A: Diary Sheets
Page 77 and 78: NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 79 and 80: NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 81 and 82:
NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 83 and 84:
NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 85 and 86:
Appendix B: Preliminary Gantt Chart
Page 87 and 88:
Nov '07 Dec '07 Jan '08 Feb '08 Mar
Page 89 and 90:
C:\Documents and Settings\Barrie\My
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Appendix D: Server Application Code
Page 97 and 98:
Page 99 and 100:
Appendix E: Event Viewer Code
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Appendix G: Processor Monitor Code
Page 107 and 108:
Appendix H: HMAC Brute Force Cracke
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Appendix I: Windows Event Log Tests
Page 115 and 116:
Copy Security Log C:\windows\system
Page 117 and 118:
Another look at the Security Log re
Page 119 and 120:
The Event Service is then restarted
Page 121 and 122:
Another look at the ‘c:\windows\s
Page 123 and 124:
CO42019 - Project 4 Computer Name P
Page 125 and 126:
CO42019 - Project 4 Turned off the
Page 127 and 128:
CO42019 - Project 4 And then restar
Page 129 and 130:
CO42019 - Project 4 Modify the ‘l
Page 131 and 132:
CO42019 - Project 4 Project - Week
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
CO42019 - Project 4 As previously d
Page 139 and 140:
CO42019 - Project 4 The screenshot
Page 141 and 142:
CO42019 - Project 4 Displaying the
Page 143 and 144:
CO42019 - Project 4 Modifying the r
Page 145 and 146:
CO42019 - Project 4 Master File Tab
Page 147 and 148:
CO42019 - Project 4 Modify the sect
Page 149 and 150:
CO42019 - Project 4 Sectors 3748520
Page 151 and 152:
CO42019 - Project 4 This now shows
show all

Analysis and Evaluation of the Windows Event Log - Bill Buchanan

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?