Saturday, April 18, 2009

Windows Event Logs


The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs is well documented. Here are a couple of links on fixing .evt logs, either manually or with a free tool, so that they become readable in the Windows Event Viewer. The fix is needed because Event Viewer checks the header before it opens a file: a log copied from a live or crashed system still carries the dirty flag and stale offsets in its header, and Event Viewer then rejects it as corrupt even though the records themselves are intact. Harlan Carvey has also written Perl scripts that parse .evt logs without going through the Windows API, so with his approach no header modification is needed at all.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (the forensic reports) presentable and easy to work with for all parties, including the defence, the judge and the prosecution, is just as essential. Getting event logs into a readable, nicely formatted form can be painful, though. I have found that the best tool for generating an Excel spreadsheet is the EnScript built into EnCase (the Case Processor), while X-Ways Forensics is perhaps the quickest way to produce clean HTML reports. X-Ways also automatically includes some useful information about the state of the log file, such as this:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

Those flags are read straight from the .evt header: the dirty flag means the Event Log service did not close the file cleanly, and the size warning means the size recorded in the header does not match the file as it sits on disk. To get the report in X-Ways Forensics, open the .evt file first, then go to Tools -> View or simply press SHIFT + F9. You can also turn the HTML report into an Excel spreadsheet by opening it in Internet Explorer and choosing File -> Edit with Microsoft Office Excel.
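As an added example (not code from this post, nor from X-Ways, EnCase or Harlan Carvey's scripts), the following Python reads an .evt header and its flags field directly, reports the same kinds of inconsistencies X-Ways prints above (dirty flag, header size versus file size, header offsets versus the EOF record), walks the records by their "LfLe" signature rather than trusting the header, and applies the header repair the links describe: copying the EOF record's offsets and record numbers into the header and clearing the dirty flag. The sample log, the computer name WS01, the event strings and the timestamp are all constructed for the example, not taken from any real system.

```python
"""Inspect, walk and repair a Windows XP/2003 .evt log without the Windows API.
Added example; the sample log is constructed inline and the layouts follow the
documented ELF_LOGFILE_HEADER, EVENTLOGRECORD and ELF_EOF_RECORD structures."""
import struct
import time

SIG = b"LfLe"                  # signature in the header and in every record
HEADER_LEN = 48                # ELF_LOGFILE_HEADER: twelve DWORDs
EOF_LEN = 40                   # ELF_EOF_RECORD: ten DWORDs
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY, FLAG_WRAPPED, FLAG_FULL, FLAG_ARCHIVE = 0x1, 0x2, 0x4, 0x8
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}
HEADER_FIELDS = ("major", "minor", "start_offset", "end_offset", "current_rec",
                 "oldest_rec", "max_size", "flags", "retention", "end_size")
EOF_FIELDS = ("start_offset", "end_offset", "current_rec", "oldest_rec")

def parse_header(buf):
    """Decode the fields that follow HeaderSize and the 'LfLe' signature."""
    if buf[:4] != struct.pack("<I", HEADER_LEN) or buf[4:8] != SIG:
        raise ValueError("not an .evt header")
    return dict(zip(HEADER_FIELDS, struct.unpack_from("<10I", buf, 8)))

def find_eof_record(buf):
    """The EOF record holds the offsets the service last wrote; find it by magic."""
    pos = buf.rfind(struct.pack("<5I", EOF_LEN, *EOF_MAGIC))
    if pos < 0:
        raise ValueError("no EOF record")
    return dict(zip(EOF_FIELDS, struct.unpack_from("<4I", buf, pos + 20)))

def check_header(buf):
    """Warnings of the kind X-Ways prints: dirty flag, size mismatch, stale offsets."""
    h, e = parse_header(buf), find_eof_record(buf)
    warnings = []
    if h["flags"] & FLAG_DIRTY:
        warnings.append("dirty flag set: log was not cleanly closed")
    if h["max_size"] != len(buf):
        warnings.append("header MaxSize %d != file size %d" % (h["max_size"], len(buf)))
    if any(h[k] != e[k] for k in EOF_FIELDS):
        warnings.append("header offsets/record numbers disagree with EOF record")
    return warnings

def _utf16(chunk):
    """Decode a UTF-16LE region, dropping a trailing odd byte of padding."""
    return chunk[:len(chunk) & ~1].decode("utf-16-le").split("\0")

def iter_records(buf):
    """Walk EVENTLOGRECORDs by signature, so a stale header cannot hide any of them."""
    pos = buf.find(SIG, HEADER_LEN)
    while pos >= 0:
        start = pos - 4
        (length,) = struct.unpack_from("<I", buf, start)
        # a genuine record repeats its length as its final DWORD
        if 56 <= length <= len(buf) - start and \
                struct.unpack_from("<I", buf, start + length - 4)[0] == length:
            recno, tgen, _tw, evid, etype, nstr, _cat, _rf, _cl, stroff, *_ = \
                struct.unpack_from("<4I4H6I", buf, start + 8)
            names = _utf16(buf[start + 56:start + stroff])   # SourceName, Computername
            yield {"record": recno, "event_id": evid & 0xFFFF,
                   "time": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tgen)),
                   "type": EVENT_TYPES.get(etype, str(etype)),
                   "source": names[0], "computer": names[1],
                   "strings": _utf16(buf[start + stroff:start + length - 4])[:nstr]}
            pos = buf.find(SIG, start + length)
        else:
            pos = buf.find(SIG, pos + 4)

def repair_header(buf):
    """The documented manual fix: copy the EOF record's four fields into the
    header and clear the dirty flag, so Event Viewer stops calling the file corrupt."""
    h, e = parse_header(buf), find_eof_record(buf)
    h.update(e, flags=h["flags"] & ~FLAG_DIRTY)
    return buf[:8] + struct.pack("<10I", *(h[k] for k in HEADER_FIELDS)) + buf[HEADER_LEN:]

def make_record(recno, event_id, event_type, source, computer, strings, ts):
    """Build one EVENTLOGRECORD with no SID and no binary data (constructed sample)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    body = "".join(s + "\0" for s in strings).encode("utf-16-le")
    stroff = 56 + len(names)
    core = stroff + len(body)
    pad = (-core) % 4                          # records are DWORD aligned
    length = core + pad + 4
    fixed = struct.pack("<4I4H6I", recno, ts, ts, event_id, event_type, len(strings),
                        0, 0, 0, stroff, 0, 0, 0, core)
    return (struct.pack("<I", length) + SIG + fixed + names + body
            + b"\0" * pad + struct.pack("<I", length))

def build_sample_evt():
    """Constructed log: two records and an EOF record under a header that still
    holds creation-time values, is marked dirty, and claims a 512 KB MaxSize."""
    ts = 1240000000                            # constructed: 2009-04-17 20:26:40 UTC
    recs = make_record(1, 528, 8, "Security", "WS01",
                       ["Administrator", "WS01", "(0x0,0x3E7)", "2"], ts)
    recs += make_record(2, 6005, 4, "EventLog", "WS01", [], ts + 60)
    end = HEADER_LEN + len(recs)
    eof = struct.pack("<10I", EOF_LEN, *EOF_MAGIC, HEADER_LEN, end, 3, 1, EOF_LEN)
    header = struct.pack("<I", HEADER_LEN) + SIG + struct.pack(
        "<10I", 1, 1, HEADER_LEN, HEADER_LEN, 1, 1, 0x80000, FLAG_DIRTY, 0, HEADER_LEN)
    return header + recs + eof
```

Against a real file, `check_header(open(path, "rb").read())` gives the warnings and `iter_records` gives the rows for a spreadsheet; write the output of `repair_header` to a working copy only, never to the original evidence, and hash the original first. The repair deliberately changes only the fields the manual fix changes, so a MaxSize that disagrees with the file size (common in carved or truncated logs) is still reported afterwards rather than silently rewritten.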



Also, when working with FTK and its HTML report generation feature, it is possible to bookmark and export XML files (MSN history and the like) that then refuse to open in the browser, typically with an error similar to "Cannot view XML input using XSL style sheet". The XML file references its stylesheet by a relative path, so this is usually sorted quite easily by copying the XSL stylesheet (.xsl) from the folder where the original XML file was located into the export folder alongside it.



Sunday, April 19, 2009

Lance Mueller has posted a great article, together with his EnScript, on Windows Event Logs. The comments on his post are also worth reading.

Another interesting post, by Rob Faber, on Vista event logs (the newer .evtx format) can be found here.

3 comments:

H. Carvey said...

Thanks for the mention.

What I like about the approach I'm using is that it's cross-platform (the Perl code runs on Linux as well as Windows and the Mac...), free, and it incorporates easily into the overall timeline "stuff" I've been developing. It is so incredibly cool to be able to look at Event Log entries right along side file system and Registry activity, and even incorporating other sources (INFO2, event records pulled from a memory dump, etc.)

eco said...

I absolutely agree with you, cross platform is important. I often use your brilliant tools on Linux alongside SMART, especially when I preview infected Windows machines (HDD via write blocker --> Linux).

I also look forward to your timeline "stuff" as I am a big believer in the visualisation.

Unknown said...

I'm glad I found a homepage that deals with the same thing I like. I always read the whole article and keep an eye on other comments too before commenting myself. In this way I have found some good sites that I now follow beyond the purpose of getting links from them.