On Windows systems, event logs contain a lot of useful information about the system and its users.
Depending on the logging level enabled and the version of Windows installed, event logs can provide investigators with details about applications, login timestamps for users and system events of interest.
According to the version of Windows installed on the system under investigation, the number and types of events will differ:
In fact, the events logged by a Windows XP machine may be incompatible with an event log analysis tool designed for Windows 8.
For example, Event ID 551 on a Windows XP machine refers to a logoff event; the Windows Vista/7/8 equivalent is Event ID 4647.
Windows XP events can be converted to Vista events by adding 4096 to the Event ID.
Windows versions since Vista include a number of new events that are not logged by Windows XP systems.
Windows Server editions have larger numbers and types of events.
Thus, the exact version of the Windows system must be considered very carefully when developing a digital forensic process centered on event logs.
By default, a Windows system is set to log a limited number of events, but it can be modified to include actions such as file deletions and changes.
The default locations of Windows event logs are typically:
Windows 2000/Server2003/Windows XP:
%SystemRoot%\System32\Config\*.evt
Windows Vista/7/Server2008:
%SystemRoot%\System32\winevt\Logs\*.evtx
This can be changed by a user by modifying the File value of the following registry keys under HKEY_LOCAL_MACHINE (HKLM) on the local machine:
Application Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application
Hardware Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\HardwareEvents
Security Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security
System Events:
HKLM\SYSTEM\CurrentControlSet\services\eventlog\System
When a custom path is used, a key is generated at the registry location:
HKLM\Microsoft\Windows\CurrentVersion\WINEVT\Channels\[logname]
(e.g., Microsoft-Windows-Audio\CaptureMonitor)
Useful events for forensic analysis
Logon Type Codes
One useful piece of information that successful and failed logon events provide is how the user or process tried to log on (the Logon Type). Windows records this only as a number, so here is a list of the logon types and their meanings:
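The following is an added example (not code from the original post) that ties together the two points above: it maps an XP-era Event ID to its Vista+ equivalent by adding 4096, and it decodes the numeric Logon Type from a 4624/4625 record rendered as Event XML. The sample record is constructed; the logon type names are Microsoft's documented values for 4624/4625.

```python
"""Normalize Windows event IDs across versions and decode the Logon Type
of a 4624/4625 record rendered as Event XML (the form python-evtx or
wevtutil produce). Added example; the sample event below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# XP-era security event IDs map to their Vista+ equivalents by adding 4096
# (e.g. 551 logoff on XP -> 4647 on Vista/7/8).
XP_TO_VISTA_OFFSET = 4096

# Logon Type values documented by Microsoft for events 4624/4625.
LOGON_TYPES = {
    2: "Interactive",          # console logon
    3: "Network",              # SMB, mapped drives, etc.
    4: "Batch",                # scheduled tasks
    5: "Service",              # service start
    7: "Unlock",               # workstation unlock
    8: "NetworkCleartext",     # e.g. IIS basic auth
    9: "NewCredentials",       # runas /netonly
    10: "RemoteInteractive",   # RDP / Terminal Services
    11: "CachedInteractive",   # cached domain credentials
}


def normalize_event_id(event_id: int, source_is_xp: bool) -> int:
    """Return the Vista+ Event ID for a record from an XP or Vista+ log."""
    return event_id + XP_TO_VISTA_OFFSET if source_is_xp else event_id


def parse_logon_event(xml_text: str) -> dict:
    """Extract the fields an analyst wants from a 4624/4625 Event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", -1))
    return {
        "event_id": event_id,
        "outcome": {4624: "success", 4625: "failure"}.get(event_id, "other"),
        "user": data.get("TargetUserName", ""),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
        "source_ip": data.get("IpAddress", ""),
    }


# Constructed sample: a successful RDP logon as it would appear in Event XML.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data>
  <Data Name="IpAddress">192.0.2.10</Data></EventData></Event>"""
```

Calling `parse_logon_event(SAMPLE_4624)` returns a dict whose `logon_type_name` is "RemoteInteractive", which is the field to pivot on when hunting for remote interactive logons across a set of exported logs.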
Useful tools
Log Parser
Tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.
https://www.microsoft.com/en-us/download/details.aspx?id=24659
python-evtx
Python parser for recent Windows Event Log files (.evtx).
EvtxParser
A parser framework for Microsoft Windows Vista event log files in their native binary (.evtx) format.
Vista event log: "Evtx Parser Version 1.1.1" - Computer Forensic Blog
References
Windows event logs in forensic analysis was originally published in So Long, and Thanks for All the Fish on Medium.
Article Link: https://andreafortuna.org/windows-event-logs-in-forensic-analysis-d80e2a134fdd?source=rss----bf18ac17f001---4