infosecinstitute.com
Introduction
For Part I of this series, see: http://security24h.blogspot.com/2013/10/windows-systems-and-artifacts-in.html

This article begins with event logs and discusses the structure of their file headers and of their building blocks, the headers of the individual event records. It mentions some open source tools that can parse event logs and briefly compares event logs on versions of Windows before and after Windows Vista, along with their characteristics. Links to MSDN pages are provided for further reference on event logging.
The article then continues with a brief examination of the three computer sleep modes (sleep, hibernation, and hybrid sleep) and their significance for forensic analysts. To make this point concrete, it explains what happens to information that is deleted from the computer with the standard “Delete” key or through the context menu. This matters because the data remains written on the HDD, so it stays useful to forensic analysts beyond the point of deletion.
Finally, we provide a list of quick ways to remove artifacts from your Windows system. Removal of objects such as thumbs.db, hiberfil.sys, pagefile.sys, metadata, and Index.dat is discussed in this chapter, which concludes by naming a few programs that claim to permanently remove data from your computer.
Event Logs
Event logs have a header for the file as a whole and a header for each entry, and both carry the unique identifier (signature) “LfLe” in their structure. Their length can be regarded as variable. Figure 1 shows the structure of an entry header.

Figure 1: The structure of an event log’s entry header. It is based on the one provided by Jeff Hamm in his paper “Carve for Records, Not Files,” available at: http://computer-forensics.sans.org/summit-archives/2012/carve-for-record-not-files.pdf
Windows NT, 2000, XP, and 2003 use a logging system called event logging. The MSDN site documents the structures that make up event logs (http://msdn.microsoft.com/en-us/library/windows/desktop/aa363652(v=vs.85).aspx). These structures are all well known, so it is not difficult to write tools that parse the event records these logs contain in binary form and also extract them from unallocated space. Parsing the binary data directly is valuable because the file header only accounts for the event records it knows about in that file, whereas walking the binary data record by record (and carving unallocated space) can turn up additional event records. The Event Log file extension is “.evt.”
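As an added example (not code from the original article), the following Python carver applies the EVENTLOGRECORD layout documented on MSDN: it scans an arbitrary byte buffer for the “LfLe” signature and accepts a candidate only when the Length field before the signature matches the Length that closes the record, which is what lets record-level parsing recover entries regardless of what the file header reports. The sample buffer and its two records are constructed for the demo.

```python
import struct

# Fixed part of an EVENTLOGRECORD (layout from MSDN): Length, "LfLe", RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
# DataLength, DataOffset. Then SourceName and ComputerName (null-terminated UTF-16LE),
# padding to a DWORD boundary, and a repeat of Length that closes the record.
FIXED = "<IIIIIIHHHHIIIIII"
FIXED_LEN = struct.calcsize(FIXED)   # 56 bytes
SIG = b"LfLe"                        # 0x654C664C stored little-endian

def build_record(rec_no, ts, event_id, event_type, source, computer):
    """Build one constructed record (sample data for the demo, not a real log)."""
    body = (source + "\0").encode("utf-16-le") + (computer + "\0").encode("utf-16-le")
    while (FIXED_LEN + len(body)) % 4:
        body += b"\0"                # DWORD-align the variable part
    end = FIXED_LEN + len(body)      # no SID, insertion strings or data in this sample
    length = end + 4
    hdr = struct.pack(FIXED, length, 0x654C664C, rec_no, ts, ts, event_id,
                      event_type, 0, 0, 0, 0, end, 0, end, 0, end)
    return hdr + body + struct.pack("<I", length)

def carve_records(buf):
    """Find plausible records anywhere in buf (a .evt file or unallocated space)."""
    found, pos = [], buf.find(SIG)
    while pos != -1:
        start = pos - 4                   # Length sits just before the signature
        if start >= 0 and start + FIXED_LEN <= len(buf):
            f = struct.unpack_from(FIXED, buf, start)
            length, end = f[0], start + f[0]
            # A real record closes with the same Length it opened with; the 48-byte
            # file header also carries "LfLe" but is too short to pass this test.
            if FIXED_LEN < length <= len(buf) - start and \
                    struct.unpack_from("<I", buf, end - 4)[0] == length:
                names = buf[start + FIXED_LEN:end - 4].decode("utf-16-le", "ignore").split("\0")
                found.append({"offset": start, "record": f[2], "time": f[3],
                              "event_id": f[5], "type": f[6], "source": names[0],
                              "computer": names[1] if len(names) > 1 else ""})
                pos = buf.find(SIG, end)  # resume after the accepted record
                continue
        pos = buf.find(SIG, pos + 1)      # not a record: keep scanning
    return found

# Constructed sample: junk bytes, one record, zero padding with a stray signature
# (no valid record around it), then a second record.
SAMPLE = (b"\xaa" * 17
          + build_record(1, 1380000000, 528, 8, "Security", "WS01")
          + b"\0" * 30 + SIG
          + build_record(2, 1380000060, 7036, 4, "Service Control Manager", "WS01"))
```

Running `carve_records(SAMPLE)` returns the two constructed records at offsets 17 and 139 and skips the stray signature, because no consistent Length pair surrounds it.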