Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007
For this test a simple application will be created and installed as a service on a Microsoft Windows Server 2003 system; this service will be used to call the client application. It will be run under VMware alongside a second Server 2003 system that will act as the log server. A Microsoft Windows XP client will be used to generate the traffic of files being modified through a mapped drive to the file server.
Figure 61: Custom event log showing ‘SecEvent.Evt’
As can be seen from the above screenshot, the application successfully monitored the Windows event log folder and the shared data folder. It was noted, however, that the application was not capturing the username that caused the event; it was instead capturing the username of the user currently logged on to the server, in this case the administrator.
6.8 Conclusions
Based upon the testing that was carried out, it was initially noted that using asymmetric encryption to encode a large number of events caused a serious drain on the system. When the symmetric and asymmetric encryption techniques were compared with each other, the symmetric encryption was found to be 800% faster than the asymmetric one. These results led to the modification of the application so that asymmetric encryption is used only for exchanging the symmetric shared key.
The accuracy of the application was measured by generating a large number of events on the system; when using symmetric encryption it handled them with ease. Before
66