Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007

Abstract

The Windows event log is used in digital forensic cases, but unfortunately it is flawed in many ways, and often cannot be seen as a verifiable method of determining events. In the past few years there have been a few highly publicised cases where the data contained within the event log was used to successfully secure a conviction. The aim of this dissertation is to develop a solution that addresses the flaws in the Windows event logging service. The research carried out found that it was possible to disable the event log service, which then allowed important data, such as usernames, computer names, times and dates, to be modified. It was also noted that an event log from one machine could be transplanted into another without any problems. All of these vulnerabilities involved having access to, and being able to edit, the event log files.

Based upon the research done, an event logging application was developed using C# and the Microsoft .NET Framework. It makes use of RSA and AES encryption and HMAC hash signatures to improve the integrity of the data. The application is divided into three components: an event logger, which monitors specific files and folders within a computer system and sends alerts to the data archiving system in an XML format; the data archiving system itself; and an event viewer, which presents the events in a readable format to the user.

The performance of symmetric and asymmetric encryption was tested against each other. It was found that the symmetric encryption was 800% faster than the asymmetric encryption. The HMAC hash signatures were also tested to see how long a brute force attack on them would take. It was discovered that approximately 21,093 keys were processed every second; this was then compared to the key entropy to show how a longer random key would be harder to break.
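As an added illustration (written in Python for this page, not the dissertation's C# application) of how an HMAC over the alert fields lets the archiving side detect the tampering described above: a modified username or timestamp, or a record transplanted from another computer. The shared key, the field names and the sample event are constructed for this example.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Hypothetical key shared by the event logger and the archive (constructed, not a real secret).
ARCHIVE_KEY = b"example-shared-secret-for-illustration-only"

# Fields covered by the HMAC. The computer name is included so that a record
# copied from another machine's log does not verify as this machine's record.
SIGNED_FIELDS = ("computer", "user", "timestamp", "path", "action")

# Constructed sample alert from the file monitor.
SAMPLE_EVENT = {"computer": "WS-LAB-01", "user": "bcodona",
                "timestamp": "2007-03-12T09:14:05Z",
                "path": r"C:\finance\ledger.xls", "action": "modified"}

def canonical(event):
    """Fixed field order with length prefixes, so values cannot be re-split across fields."""
    parts = []
    for name in SIGNED_FIELDS:
        value = str(event[name]).encode("utf-8")
        parts.append(f"{name}:{len(value)}:".encode("utf-8") + value)
    return b"|".join(parts)

def build_alert(event, key=ARCHIVE_KEY):
    """Serialise one alert as XML carrying an HMAC-SHA256 tag over the signed fields."""
    root = ET.Element("alert")
    for name in SIGNED_FIELDS:
        ET.SubElement(root, name).text = str(event[name])
    ET.SubElement(root, "hmac").text = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")

def verify_alert(xml_text, key=ARCHIVE_KEY, expected_computer=None):
    """Recompute the tag from the XML fields; optionally pin the originating computer name."""
    root = ET.fromstring(xml_text)
    try:
        event = {name: (root.find(name).text or "") for name in SIGNED_FIELDS}
        tag = root.find("hmac").text or ""
    except AttributeError:          # a signed field or the tag element is missing
        return False
    if expected_computer is not None and event["computer"] != expected_computer:
        return False
    expected = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def tamper(xml_text, field, new_value):
    """Edit one field after the fact, as an attacker with write access to the file could."""
    root = ET.fromstring(xml_text)
    root.find(field).text = new_value
    return ET.tostring(root, encoding="unicode")
```

Any edit to a signed field, or a record presented by a different computer than the one named in it, fails verification unless the editor also holds the archive key, which is why the key must not live beside the log files.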