Analysis and Evaluation of the Windows Event Log - Bill Buchanan
Barrie Codona, BSc (Hons) Network Computing, 2007
7.2 Future Work
Overall, the application does comply with the original design specification set out in Chapter 4; unfortunately there are a few flaws which would need to be addressed before the application could be fully released. The first flaw was identified during the conformance testing: the application does not capture the username of the person who is modifying the files, but instead captures the username of the person currently logged onto the server. The audit record therefore attributes a change to the interactive session on the server rather than to the account that actually made it.
The second flaw is in the current design of the Client application. When the application starts it prompts the user/administrator to enter the key that is used to calculate the HMAC; if the user/administrator were in the process of modifying an event log, they could simply withhold the key until the Event Log Service had been restarted, so that the period of tampering is never covered by a keyed hash. Perhaps some form of peer-based system that allows the servers to remotely monitor each other would be able to prevent this. Alternatively, the HMAC key could be derived from a digital certificate rather than entered interactively, removing the opportunity to delay its entry.
A third area that would require more work is how the server stores the log files. Currently there is no method in place to check whether events have been added or removed while the logs were off-site. This could be addressed by allowing the client to build a local log file that is identical to the one held on the server. At a given interval a hash could be produced on both the client and the server and then exchanged with one another; any discrepancy between the two values would then be highlighted.
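The periodic client/server hash exchange sketched above, combined with the keyed HMAC that the Client application already uses, as an added example that is not part of the dissertation's own code: both sides run the same chained HMAC over their copy of the log and exchange only the final value; when the values disagree, comparing the per-record chain shows where the first added, removed or altered record sits. The sample records, the fixed key and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample events (not taken from the dissertation's test data);
# each string stands for one record as the client and server would store it.
SERVER_LOG = [
    "2007-03-01T09:00:00 CREATE C:\\share\\budget.xls",
    "2007-03-01T09:05:12 MODIFY C:\\share\\budget.xls",
    "2007-03-01T09:07:40 DELETE C:\\share\\old.doc",
    "2007-03-01T09:12:03 MODIFY C:\\share\\report.doc",
]

# Hypothetical shared HMAC key. In the dissertation it is the key the Client
# prompts for at start-up; here it is a fixed constant so the example runs.
KEY = b"example-shared-key"

EMPTY_LINK = b"\x00" * 32  # fixed starting value for an empty log


def chain_digests(entries, key=KEY):
    """Running keyed digests over a log: chain[i] covers entries 0..i.

    Each link is HMAC(key, previous_link || entry), so the final link commits
    to every record and to their order. Two copies that agree on the final
    link agree on the whole log; the first index at which they differ locates
    the earliest inserted, removed or altered record.
    """
    chain = []
    prev = EMPTY_LINK
    for entry in entries:
        link = hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()
        chain.append(link)
        prev = link
    return chain


def log_digest(entries, key=KEY):
    """The single hex value each side would send at the check interval."""
    chain = chain_digests(entries, key)
    return (chain[-1] if chain else EMPTY_LINK).hex()


def digests_match(local_hex, remote_hex):
    """Constant-time comparison of the two exchanged digests."""
    return hmac.compare_digest(local_hex, remote_hex)


def compare_logs(client_entries, server_entries, key=KEY):
    """Compare two copies record by record; returns a report, not a bare bool.

    first_divergence is the index of the earliest record whose chain link
    differs, or the length of the shorter copy when one copy is a strict
    prefix of the other (records appended to one side only).
    """
    client_chain = chain_digests(client_entries, key)
    server_chain = chain_digests(server_entries, key)
    report = {
        "match": client_chain == server_chain,
        "first_divergence": None,
        "client_count": len(client_entries),
        "server_count": len(server_entries),
    }
    if not report["match"]:
        pairs = zip(client_chain, server_chain)
        report["first_divergence"] = next(
            (i for i, (c, s) in enumerate(pairs) if c != s),
            min(len(client_chain), len(server_chain)),
        )
    return report


if __name__ == "__main__":
    client_copy = list(SERVER_LOG)
    # Server copy with the DELETE record removed after the fact.
    tampered = SERVER_LOG[:2] + SERVER_LOG[3:]
    print("exchange ok:", digests_match(log_digest(client_copy), log_digest(SERVER_LOG)))
    print("tampered:", compare_logs(client_copy, tampered))
```

Because the chain is keyed, a party holding the server copy but not the key cannot recompute a digest that matches a doctored log, which is why the second flaw above (the key being withheld at start-up) undermines the check as much as the missing comparison itself.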
It would also be beneficial to test the system in a 'real life' environment, to see how it copes with multiple users accessing files at the same time. According to the tests that have been carried out, it should in theory work fine, as the event logger application monitors the file system rather than the users.