Analysis and Evaluation of the Windows Event Log - Bill Buchanan

More documents

Recommendations

Info

Barrie Codona, BSc (Hons) Network Computing, 2007 public static void OnRenamed(object source, RenamedEventArgs e) { // Specify what is done when a file is renamed. string message = "" + DateTime.Now + "" + GlobalClass.user + "" + e.ChangeType + "" + e.FullPath + ""; } // Pass the ‘message’ to the next stage. sendmsg(message); Figure 22: Capturing Events 5.2.4 HMAC Figure 23 shows the code that is used to generate the HMAC checksum. The ‘key’ is taken from a user input when the application is first launched; it is then passed into the following code along with the events that have been generated by the ‘FileSystemWatcher’ class. The resulting checksum value is then wrapped in XML tags and attached to the end of the captured events string. // Declare a new instance of Ascii Ecnoding called ‘encoding’. System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding(); // Convert the HMAC key to a byte value. byte[] keyByte = encoding.GetBytes(key); // Create a new instance of HMAC with SHA1. HMACSHA1 hmac = new HMACSHA1(keyByte); // Convert the message to a byte value. byte[] messageBytes = encoding.GetBytes(chkMessage); // Compute the hash signature. byte[] hashmessage = hmac.ComputeHash(messageBytes); // Update the value of the ‘chkMessage’ string. chkMessage = chkMessage + "" + ByteToString(hashmessage) + ""; Figure 23: Generating an HMAC hash signature 5.2.5 Encrypting Figure 24 shows the code that is used to encrypt the Event Message, the code for it is from a program by Mathew Schlabaugh (CodeProject, 2008). The cipher text is generated by breaking down the plain text into blocks that are smaller than the key that is used to encode them. The smaller blocks are then encoded with the Servers public key, this then makes them ready to be sent to the server. 43
Barrie Codona, BSc (Hons) Network Computing, 2007 // The following code is from ‘Public Key RSA Encryption // in C# .NET’ by Mathew John Schlabaugh. // Available from the http://www.codeproject.com // Specify the size of the key to be used in bits. int dwKeySize = 1024; // Decalre a new instance of the RSACryptoServiceProvider. RSACryptoServiceProvider RSAProvider = new RSACryptoServiceProvider(dwKeySize); // Read the Servers public key from XML. RSAProvider.FromXmlString(justPublicKey); // Convert keysize from bits to bytes. int keySize = dwKeySize / 8; // Convert message to bytes. byte[] bytes = Encoding.UTF32.GetBytes(chkMessage); // Define a size that will be used for calculating a block size. int maxLength = keySize - 42; int dataLength = bytes.Length; int iterations = dataLength / maxLength; StringBuilder stringBuilder = new StringBuilder(); for (int i = 0; i maxLength) maxLength : dataLength - maxLength * i]; // Copy the smaller message into memory. Buffer.BlockCopy(bytes, maxLength * i, tempBytes, 0, tempBytes.Length); // Encrypt the smaller message/section. byte[] encryptedBytes = RSAProvider.Encrypt(tempBytes, true); } // Add the encrypted secion to the StringBuilder. stringBuilder.Append(Convert.ToBase64String(encryptedBytes)); 5.2.6 Sending to Server Figure 24: Encrypting Data For the client to be able to send any data to the data archiving system it will have to converted into packet and then placed onto the TCP stream. Figure 25 shows this. // Send the encrypted message to the Server. server.Send(Encoding.ASCII.GetBytes(encryptedMessage)); // Specify the packet size. Byte[] data = new byte[10240]; // Receive the acknowledgement from the Server. int recv = server.Receive(data); // Convert the recieved message to a string. String stringData = Encoding.ASCII.GetString(data, 0, recv); Figure 25: Sending Data to a Server 44
Page 1 and 2: Analysis and Evaluation of the Wind
Page 3 and 4: Barrie Codona, BSc (Hons) Network C
Page 43: Barrie Codona, BSc (Hons) Network C
Page 75 and 76: Appendix A: Diary Sheets
Page 77 and 78: NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 85 and 86: Appendix B: Preliminary Gantt Chart
Page 87 and 88: Nov '07 Dec '07 Jan '08 Feb '08 Mar
Page 89 and 90: C:\Documents and Settings\Barrie\My
Page 95 and 96:
Appendix D: Server Application Code
Page 97 and 98:
C:\Documents and Settings\Barrie\My
Page 99 and 100:
Appendix E: Event Viewer Code
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Appendix G: Processor Monitor Code
Page 107 and 108:
Appendix H: HMAC Brute Force Cracke
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Appendix I: Windows Event Log Tests
Page 115 and 116:
Copy Security Log C:\windows\system
Page 117 and 118:
Another look at the Security Log re
Page 119 and 120:
The Event Service is then restarted
Page 121 and 122:
Another look at the ‘c:\windows\s
Page 123 and 124:
CO42019 - Project 4 Computer Name P
Page 125 and 126:
CO42019 - Project 4 Turned off the
Page 127 and 128:
CO42019 - Project 4 And then restar
Page 129 and 130:
CO42019 - Project 4 Modify the ‘l
Page 131 and 132:
CO42019 - Project 4 Project - Week
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
CO42019 - Project 4 As previously d
Page 139 and 140:
CO42019 - Project 4 The screenshot
Page 141 and 142:
CO42019 - Project 4 Displaying the
Page 143 and 144:
CO42019 - Project 4 Modifying the r
Page 145 and 146:
CO42019 - Project 4 Master File Tab
Page 147 and 148:
CO42019 - Project 4 Modify the sect
Page 149 and 150:
CO42019 - Project 4 Sectors 3748520
Page 151 and 152:
CO42019 - Project 4 This now shows
show all

Analysis and Evaluation of the Windows Event Log - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?