Utilizing Event Logs of Windows Operating System in Digital Crime Investigations

Download Full-Text PDF Cite this Publication

Text Only Version

Utilizing Event Logs of Windows Operating System in Digital Crime Investigations

Nagendar Rao Koppolu

Inspector of Police (In-charge State Cyber Vertical), Telangana Police Department, Hyderabad, Telangana, India

Abstract – Microsoft Windows uses Windows Event Logs extensively to store detailed logs of events generated by the operating system, services, and core Windows applications. Many third-party applications also use Windows Event Logs to store details of their internal events. Based on the logged events, certain user actions may also be identified. Hence, analysis of Windows Event Logs is a critical skill required by a digital forensics investigator. While digital forensics products do provide a range of features to examine Windows Event Log entries, an investigator must understand the nature of these entries and the underlying mechanisms. This paper explores these aspects in detail and presents several important Windows Logs areas that are relevant for a digital forensics investigator

Keywords – Windows Event Log, digital forensics, cybercrime investigation, Microsoft Windows Introduction

  1. INTRODUCTION

    1. Windows Architecture:

      Within Windows operating system, kernel and user mode applications reside. User-mode applications are accessed using Windows Shell components. Windows kernel is a low-level program that interacts with hardware drivers and creates application processes that use hardware resources. It includes accessing applications and their data (primarily files and folders).

      Fig. 1: Windows Event Log and its interactions with Windows components and applications

      All the critical components of Windows and its core applications use the Windows Event Log mechanism to store details of their events. Windows Event Logs are utilized for logging kernel and user mode events. Security and low-level hardware events are also logged in Windows Event Logs. Therefore, understanding these logs is necessary for system administrators, cybersecurity professionals, and digital forensics practitioners.

    2. Windows Event Logs:

      Microsoft Windows provides a centralized logging mechanism that applications and the operating system can use to store their events. Windows provides an application called Event Viewer, which can be used to view these logs. Windows Event Viewer was introduced in Windows NT and has been part of all the versions of Windows since then.

      Windows Event Logs typically contains the following information:

      • Level indicates the severity of the logged event. Following are the log levels available in Windows Event Logs:

        TABLE I. EVENT LEVEL

        Log Level

        Description

        Verbose

        Detailed output of the event log entry

        Information

        Generally used by applications and operating system components to denote successful execution of an operation

        Warning

        Not an error, but a possible source of issues in future

        Error

        Failure of an operation. It may indicate the source of a problem in an operating system service, component or application.

        Critical

        The major issue that should be addressed immediately.

        The levels of event log entries are decided by the developers of the applications or services. The levels Verbose and Information generally contain informational messages such as successful completion of background tasks and so on. The levels, Warning, Error, and Critical are degrees of the criticality of failure cases.

      • Date and Time: timestamp of the occurrence of an event.

      • Source application or service that generated the event may include services or applications of the operating system.

      • Event ID: a unique ID of the event being logged. The same ID is expected to be used in all the instances of the event being logged. For example, Event ID with a value of 4624 has a description An account was successfully logged on.

      • Task Category applications that have generated the event, the event source, can further categorize the event by giving the event a number and a text label. For example, events with ID 4624 have a task category Logon. This field helps users of Windows Event Viewer to filter events.

        Based on the type of the event and their source, event logs may store the following additional information [3]:

        TABLE II. ADDITIONAL PARAMETERS OF WINDOWS EVENT LOG

        Event Log Parameter

        Description

        Keywords associated with the event

        They are text strings associated with an event. The developer of the application provides these strings.

        User

        The Windows user login associated with the event.

        Operational Code

        The internal code assigned by the application to the operation being performed when the event was logged

        Log

        Type of the log, typically Application, Security, etc.

        Computer

        Name of the computer

        Thread ID

        ID of the thread belonging to the process that generated the event

        Process ID

        ID of the process that generated the event

        Session ID

        Remote terminal session ID

        Kernel Time

        CPU time units utilized by kernel-mode instructions

        User Time

        CPU time units utilized by user-mode instructions

        Processor Time

        CPU ticks utilized by user-mode instructions

        Correlation ID

        It is the internal activity ID in the process that generated the event

        Relative Correlation ID

        It is related activity ID in the process that generated the event

        Event Source Name

        It is the name of the event source as specified by the application

        As mentioned in TABLE II, one of the parameters stored in the Windows Event Log is called Log. Windows Event Log uses this parameter to categorize the log entry like one of these:

      • Application

      • Security

      • Setup

      • System

      • Forwarded Events

        Application and Services category contains sub-categories such as:

      • Hardware Events events generated by the applications, components and services that access the hardware.

      • Microsoft logs of system applications and services

      • Microsoft Office Alerts events generated by Microsoft Office applications

      • Key Management Service events of Windows Key Management Services

      • Logs of various other applications and services

        Windows Event Viewer provides a consolidated front-end for all the categories of logs.

    3. Windows Event Logs and their uses in Digital Forensics:

      Windows Event Logs contain logs that are generated by events in applications and the operating system. These log entries can be correlated with user actions, such as user logins, time periods when the system was in use, applications used at various points of time, etc. [7].

      It should be noted that Windows Event Logs do not contain details of actions performed by the user in applications. For example, applications typiclly do not store events, such as when the user last accessed a particular menu or a feature. To log such actions, applications maintain separate logs and those are not linked with Windows Event Logs.

      Windows Event Logs typically contain low-level application or operating system events. Here are a few examples of events that are logged by the operating system:

      • User login and logoff

      • Application Crash

      • Installation of a hardware device

      • Installation of Windows components and services

      As mentioned above, event log entries do not contain logs about the actions of users within the applications. However, investigators should attempt to relate actions performed by the user as noted in application logs with Windows Event Log entries. In some cases, when application logs are not available, event log entries such as the users login time and so on can be used to associate the data created or transmitted from the computer during the users active usage time. In essence, Windows Event Log entries can help an investigator substantiate their findings from other sources on the computer, such as application logs, files created by the applications, etc. Windows Event Logs are beneficial to associate actions performed by the user in the applications with operating system-level events such as login and logoff times.

  2. ACCESSING WINDOWS EVENT VIEWER

    All Windows systems have an in-built application called Event Viewer, a Windows Event Log framework component that allows access to event logs on the system [4].

    On Windows machine, click on Start and type Event Viewer and click on Event Viewer. Once Event Viewer is launched, a window as shown in the Fig. 2.

    The tree node on the left pane (Event Viewer) is the most important feature in Event Viewer as it helps navigate among different event logs.

    When the Custom Views node is expanded, the options are displayed as shown in Fig. 3. When Windows Logs are expanded, the logs are displayed as shown in Fig. 4.

    When Application and Services Logs are expanded, the options are displayed as shown in Fig. 5.

    Fig. 2: Windows Event Viewer

    Fig. 3: Custom Views in Windows Event Viewer

    Fig. 4: Windows Event Logs

    Fig. 5: Application and Service Logs

    Clicking on any of the above nodes would open the relevant log. Each log is displayed in a tabular structure, with each row representing an event. The following screenshot displays the contents of the Application log on a Windows machine:

    Fig. 6: Event Log Entries

    Contents of other logs were also presented in a similar manner. As shown in the screenshot above, each row represents one event. Each column represents event data of a particular type, such as Event ID, Level, etc. The display columns can be customized by right-clicking on the table header and selecting the Add/Remove Columns option.

    Fig. 7: Add/Remove Columns in Event Viewer

    Clicking this option shows the following dialog box using which the user can customize the columns that can be displayed in the log entries table.

    Fig. 8: Customizing Event Viewer

    Note that columns should be customized for each log type (nodes on the left side such as Application, Security, Setup and so on).

    Selecting a row in the events table displays details of the event in the bottom panel (as shown in Fig. 9).

    Windows Event Viewer also provides the feature for an administrator to connect to a remote system (for which the administrator has access) and access its logs.

    It is important to note that an investigator will most likely be using digital forensics software to explore the contents of event log entries. Digital forensics applications provide features to explore and search within event log entries. The mechanism described in this section is useful to explore and understand the contents of event log entries in a non-investigative scenario. Event log analysis should always be performed using digital forensics software to generate forensically acceptable reports.

    Fig. 9: Event Information

  3. USE OF DIGITAL FORENSICS APPLICATIONS FOR EVENT LOG ANALYSIS

    Digital forensics applications are connected to evidence disks using a write-blocker. A bitstream copy of the entire evidence disk is then taken and saved into a file. This file, which is called a disk image as a copy of the entire hard disk, contains all the hard disk contents. Digital forensics applications reconstruct the file system and its contents based on the data on the disk image. Event log files would also be available as part of the Windows installation folder. Digital forensics applications read and parse the raw event log files to reconstruct the structure of the logs and their events. Event log files are located at:

    <Windows Installation Folder>\ System32\winevt\Logs Most commonly, the location would be: C:\Windows\System32\winevt\Logs

    This folder contains many files with the extension evtx. Older versions of Windows had a different format with the extension evt. Windows operating system organizes event log entries among these files. These files are in binary formats and cannot be understood using text editors. Digital forensics applications can parse both the formats. Once the files are parsed, digital forensics applications present the entries in the log in a viewer similar to Windows Event Viewer.

    Following is a shortlist of digital forensics applications that support analyzing contents of Windows Event Log files.

      1. Autopsy (https://www.autopsy.com/)

      2. Belkasoft (https://belkasoft.com/ec)

      3. Encase (https://security.opentext.com/encase-forensic)

      4. FTK (https://accessdata.com/products-services/forensic-toolkit-ftk)

      5. Magnet Forensics (https://www.magnetforensics.com/)

      6. ProDiscover (https://www.prodiscover.com/)

    Each digital forensics product has its particular strengths and by no means a single tool can provide all the required features.

    Hence a digital forensics professional should explore and learn features in different products.

    The following list is not technically digital forensics applications but provides features to explore and analyze Windows Event Logs:

    1. LogParser (https://www.microsoft.com/en-in/download/details.aspx?id=24659)

    2. Event Log Explorer (https://eventlogxp.com/)

    3. LOGAlyze (https://sourceforge.net/software/product/LOGalyze/)

    4. GrayLog (https://www.graylog.org/)

    5. Event Log Check (https://documentation.n-able.com/remote-management/userguide/ Content/eventlogcheck.htm)

  4. WINDOWS EVENT LOG ENTRIES OF INTEREST FOR INVESTIGATORS

    Event IDs of logged events are unique and form the basis for an investigation. Details of events, such as event categories, keywords and operational codes, help in filtering events. Events are also tagged with the user and computer name. These properties are vital in linking an event with the logged-in user. The date and time of the event help in understanding the series of events that are linked to actions of particular applications and the operating system. Event source provides details of the application or operating system service that has logged the event. All these together will help in identifying events that are of value in the investigation.

    Following are some of the important event IDs that can help in digital crime investigations [1]:

    TABLE III. EVENT ID AND DESCRIPTIONS

    Event ID

    Description

    Log Type

    1

    The system time has changed

    System

    19

    Installation Successful Windows update or Definition Update for Windows Defender completed successfully

    System

    20

    Installation Error

    System

    42

    The system is entering sleep (Sleep Reason: Button or Lid)

    System

    43

    Installation Started Windows Update or Definition Update for Windows Defender started

    System

    44

    Windows Update Service started downloading an update

    System

    106

    Task Scheduled

    Windows Task Schedular (Operational)

    200

    Task Executed

    Windows Task Schedular (Operational)

    201

    Task Completed

    Windows Task Schedular (Operational)

    141

    Task Removed

    Windows Task Schedular (Operational)

    1100

    Event logging service shutdown

    Security

    1102

    Audit logs cleared

    Security

    1149

    User successfully authenticated with remote desktop

    Terminal Services

    4000

    Attempted to connected wireless network

    System

    4616

    System time changed

    Security

    4624

    Successful login

    Security

    4624

    Login successful

    Security

    4626

    Login failed

    Security

    4634

    Successful logoff

    Security

    4648

    Login attempted with explicit credentials

    Security

    4648

    A logon attempted using credentials (could be remote access attempted)

    Security

    4688

    A new process created

    Security

    4689

    A process terminated

    Security

    4720

    New user account created

    Security

    4722

    User account enabled

    Security

    4723

    A member added to security-enabled local group

    Security

    4724

    User password reset

    Security

    4728

    A member added to security-enabled global group

    Security

    4776

    Attempted to validate credentials

    Security

    5140

    Network share object accessed

    Security

    6005

    Event log service started

    System

    6006

    Event log service stopped

    System

    6008

    Unexpected system shutdown

    System

    6013

    System uptime

    System

    8194

    Successfully created system restore

    Application

    8216

    System Restore creation skipped

    Application

    8300

    Scoping started for shadow copy

    Application

    8301

    Scoping completed for shadow copy

    Application

    8302

    Scoping successfully completed

    Application

    The above table represents Event IDs of operating-system-level events. Applications may add their specific events with their preferred ranges of Event IDs. Windows allows applications to add Event IDs from 0 to 65535. The documentation of applications should be consulted to understand their event log entries.

      1. Limitations:

    Microsoft primarily uses windows Event Logs to store log entries of Windows and some of its products such as Microsoft Office, SQL Server, etc. Most software applications do not use Windows Event Logs to store their log entries. Even in such cases, the operating system may also store some of the events pertaining to these applications, such as when a process associated with these applications is terminated, etc. The reasons for such events getting into the Windows Event Log are not directly apparent from the logs themselves. They may require further investigation elsewhere in the system, such as the file system entries, registry entries, application-specific logs, etc.

    Investigators should note that event log entries may not contain all the parameters. For example, Kernel Time and User Time are not generally logged by applications and operating systems (that is, its applications and services).

    Some events may not be logged by default and may require additional configuration to switch on logging of these events. For example, by default, Windows does not log events such as locking of the system. The absence of certain event log entries should not be treated as if the events have not taken place.

    Another major challenge for an investigator is processing and analyzing a huge number of events that are being continuously logged [5].

    Malware running on the computer can tamper with events in the event log. Users may also download utilities from the Internet that assist in deleting events. It is tough to identify such scenarios and may require advanced techniques to identify such actions.

  5. CONCLUSION

Event log analysis is more of an art than science. The Event Logs are categorized into different categories such as application, system, and security with different levels of severity. Based on the nature of the investigation, event logs should be filtered, collated and then a timeline of events should be reconstructed. This timeline of events should then be used to correlate with entries in other areas of Windows, such as from the registry, startup actions, etc. This data can then be matched with discoveries made on the file system, such as MAC timestamps and deleted files, to have a complete picture of user actions on the computer. Event log analysis is one piece of the puzzle that should be solved and related to the rest of the evidence available on a computer to understand the user actions on the evidence system comprehensively. Windows Event Logs are also valuable for identifying possible unauthorized access. A thorough analysis of the Windows Event Log and reconstruction of events related to the investigation can strengthen the case [6].

As noted in this paper, Event IDs are available for operating system-level events [2]. Where applications are found to be using the Windows Event Log mechanism, Event IDs and related details of those applications should be obtained to analyze further and reach a logical end.

Windows Event Logs are essential from the digital forensic perspective as they store critical operating system and application events. Though Windows Event Logs have been part of the Windows operating system for more than two decades, their utility in digital forensics has been limited due to its complexity in analysis. A significant challenge is finding investigative value events and utilizing those events to correlate with other data on the computer. It requires an insight into the event log mechanism and significant experience that can only be gained with technical knowledge.

REFERENCES

  1. Webpage: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor

  2. Webpage: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

  3. WebPage: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and- 2008/cc765981(v=ws.11)?redirectedfrom=MSDN

  4. Zeng, L., Xiao, Y., Chen, H., Sun, B., & Han, W. (2016). Computer operating system loggingand security issues: a survey. Secure Communication Networks, 9, 4804-4821.

  5. J. Dwyer and T. M. Truta, "Finding anomalies in windows event logs using standard deviation," 9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2013, pp. 563-570, doi: 10.4108/icst.collaboratecom.2013.254136.

  6. Ibrahim N.M., Al-Nemrat A., Jahankhani H., Bashroush R. (2012) Sufficiency of Windows Event Log as Evidence in Digital Forensics. In: Georgiadis C.K., Jahankhani H., Pimenidis E., Bashroush R., Al-Nemrat A. (eds) Global Security, Safety and Sustainability & e-Democracy. e-Democracy 2011, ICGS3 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 99. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33448-1_34

  7. Dashora, K., Tomar, D.S. and Rana, J.L. (2010) A practical approach to evidence gathering in Windows environment, 5 (8), pp.21-27

Leave a Reply

Your email address will not be published. Required fields are marked *