Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Barrie Codona, BSc (Hons) Network Computing, 2007<br />
presents a problem that should also be addressed by <strong>the</strong> design <strong>of</strong> <strong>the</strong> s<strong>of</strong>tware for this<br />
report. Instead <strong>of</strong> just monitoring <strong>the</strong> <strong>Event</strong> <strong>Log</strong> files, which are only accessed by <strong>the</strong><br />
system when <strong>the</strong> server is started or stopped, it is proposed that <strong>the</strong> s<strong>of</strong>tware being<br />
developed should be able to ei<strong>the</strong>r monitor <strong>the</strong> entire system or specific directories.<br />
The performance <strong>of</strong> <strong>the</strong> system could be compromised by an excessively large amount<br />
files to keep track <strong>of</strong>, however, <strong>the</strong> more data that is produced <strong>the</strong>n a more accurate<br />
investigation can be performed.<br />
The .NET Framework provides <strong>the</strong> ‘FileSystemWatcher’ class which is able to<br />
monitor if files have been accessed, modified, deleted or renamed, MSDN (2008). It<br />
can be set to monitor specific files within a specified directory or <strong>the</strong> entire system.<br />
Making this event driven will also make <strong>the</strong> program more efficient as far as<br />
processing is concerned.<br />
As previously discussed in <strong>the</strong> Literature Review chapter, <strong>the</strong> formatting <strong>of</strong> <strong>the</strong> data<br />
that is contained within <strong>the</strong> log file is important. Firstly, for digital forensic purposes,<br />
<strong>the</strong> data that is captured <strong>and</strong> stored needs to be done in a manner that does not alter<br />
<strong>the</strong> original data. Secondly, <strong>the</strong> data should be in a format that is easily accessible to a<br />
variety <strong>of</strong> different applications.<br />
Based upon <strong>the</strong>se specifications <strong>the</strong> data that is being stored will be contained within<br />
<strong>the</strong> XML format. This essentially places every piece <strong>of</strong> information within its own<br />
opening <strong>and</strong> closing tags. For example, Barrie. The information that<br />
will be captured will consist <strong>of</strong>:<br />
• The time <strong>and</strong> date that <strong>the</strong> event took place.<br />
• The user that performed <strong>the</strong> action.<br />
• What kind <strong>of</strong> action has been performed.<br />
• And <strong>the</strong> path <strong>of</strong> <strong>the</strong> file.<br />
4.4 Data Archiving System<br />
To achieve <strong>the</strong> black-box concept, this will involve a client-server architecture, where<br />
<strong>the</strong> client is <strong>the</strong> machine that is capturing <strong>the</strong> events <strong>and</strong> <strong>the</strong> server or Data Archiving<br />
System will be <strong>the</strong> machine that is storing <strong>the</strong> log files.<br />
32