Windows Event Logs in Digital Forensics

One of the many log sources on Windows computers is the Event Log. This blog post discusses what Windows Event Logs are and their significance in digital forensics.

What are Windows Event Logs?

Windows Event Logs offer a centralized logging mechanism for recording logs generated by the operating system and applications. Logs or events are collected by the Event Logging Service and stored across multiple categories.

Categories of Event Logs

System: Logs relevant to system events like system reboots, service start/stop, system updates, driver use/changes, etc. can be found in this category of event logs.

Security: Logs relevant to system logon by users/applications (successful or failed logons), access control, security settings, etc. can be found here.

Application: Logs generated by applications like security center, volume shadow copy service, web browser, disk manager, etc. can be found here.

Custom: The administrator can set up Windows event logging for specific applications or services.

The following screenshot shows the various categories of logs on a system. The event logs can be viewed using the Event Viewer application, which is available on all Windows systems by default.


Information in a single log

Within a single log entry, several fields of information are stored. Some of them are:

  • Timestamp of when the event occurred
  • Name of the application/service that generated this log
  • Description of the log
  • Description of other systems/resources involved in the activity (other systems on the network, printers, etc.)
  • Event ID assigned to the type of event
  • User account involved in the event

Let’s talk about the Event ID. This is a value designated by Windows for specific events. Here are some examples:

  • Event ID 7045 signifies service creation
  • Event ID 4720 signifies creation of a user account
  • Event ID 4624 signifies successful logon
  • Event ID 4625 signifies failed logon

Every log entry also has a level associated with it:

Information: This level is assigned to a log that records the successful operation of a service or application. E.g. when a service starts or stops

Warning: This level is assigned to a log that indicates a potential problem in the future. E.g. a minor misconfiguration or low disk space

Error: This level is assigned to a log that indicates a severe failure of some kind that requires immediate attention. E.g. a log indicating failure of software license activation

The following screenshot is an event log entry within the System log. It was generated on April 11th 2022, at 4:37 hours. The entry reports that the state of a volume formatted as NTFS is healthy.


Where can Event Logs be found?

Although Event Logs can be viewed using the Event Viewer application, the underlying files are stored at a specific location on disk.

Prior to Windows Vista, event logs were stored in %SYSTEMROOT%\System32\Config with the extension .evt.

On current versions of Windows, event logs can be found in %SYSTEMROOT%\System32\winevt\Logs with the extension .evtx.

By default, event logs are stored in the paths described above. However, the paths can be customized by modifying specific registry keys at HKLM\SYSTEM\CurrentControlSet\Services\EventLog.

The maximum size of a single event log can be configured by the system administrator. Depending on the log size and how much a system is being used, you can encounter logs dating back days or even months.

How are Windows Event Logs useful in Digital Forensics?

Event Logs are an extremely valuable resource during a forensic investigation. They provide a window into most of the activities that have recently taken place on a system.

If you have a forensic image of a computer’s C: drive, you can find the event logs in the configured location. The logs can be extracted and parsed for evidence. From a live system, event logs can be acquired by simply copying the .evtx files to the investigator’s storage device. The acquired .evtx files can be processed using tools like LogParser, Event Log Explorer, LOGAlyze, etc.

Even within a memory dump, it is possible to find event log records that were generated recently. They can be carved from the dump using tools like EVTXtract.

Some organizations may configure event logs to be processed by log analytics tools to be able to visualize the logs better.

When parsing event logs during an investigation, you must take into account the time zone the device was operating in: the timestamps stored in the records are in UTC, so an entry must be converted before it can be compared with local wall-clock evidence. Most forensic tools that parse event logs also provide time-zone correction.
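The following is an added example, not code from the post, that ties together the two points above: it pulls the fields listed earlier (timestamp, provider, Event ID, level, user) out of event records exported as XML, labels the Event IDs the post names, and converts each UTC timestamp into the device’s time zone before printing a timeline. The record layout follows the XML that Event Viewer (Save As, XML) and `wevtutil qe <log> /f:xml` emit; the three sample records, the host name, the user names, the addresses and the assumed UTC+05:30 device offset are all constructed for the example.

```python
"""Build a time-corrected timeline from Windows Event Log records exported as XML.

Added example for this post, not the author's code. The record layout follows the
XML that Event Viewer ("Save As..." > XML) and `wevtutil qe ... /f:xml` emit; the
sample records, host name, user names and addresses below are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace used by every <Event> element in a Windows event XML export.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs named in the post.
EVENT_ID_MEANING = {
    7045: "service creation",
    4720: "user account created",
    4624: "successful logon",
    4625: "failed logon",
}

# Numeric <Level> values as written in the XML. Security audit records use 0.
LEVEL_NAME = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
              4: "Information", 5: "Verbose"}

# Assumed device time zone (UTC+05:30); substitute the zone the system actually ran in.
DEVICE_TZ = timezone(timedelta(hours=5, minutes=30))

# Constructed sample: three records, deliberately out of chronological order.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID><Level>4</Level>
    <TimeCreated SystemTime="2022-04-11T04:37:45.1234567Z"/><Channel>System</Channel><Computer>WS01.example.local</Computer></System>
  <EventData><Data Name="ServiceName">ExampleUpdater</Data><Data Name="ImagePath">C:\Program Files\Example\updater.exe</Data><Data Name="AccountName">LocalSystem</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level>
    <TimeCreated SystemTime="2022-04-11T04:35:02.0000000Z"/><Channel>Security</Channel><Computer>WS01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Level>0</Level>
    <TimeCreated SystemTime="2022-04-11T04:36:10.5000000Z"/><Channel>Security</Channel><Computer>WS01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data></EventData>
</Event>
</Events>"""


def parse_system_time(value):
    """Convert TimeCreated/@SystemTime (UTC, up to 7 fractional digits, trailing Z)
    into an aware UTC datetime. strptime handles at most 6 digits, so truncate."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Return the post's fields for every <Event>, sorted by creation time (UTC)."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        level = int(system.findtext("e:Level", default="4", namespaces=NS))
        records.append({
            "time_utc": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level_name": LEVEL_NAME.get(level, f"level {level}"),
            "channel": system.findtext("e:Channel", namespaces=NS),
            "computer": system.findtext("e:Computer", namespaces=NS),
            # Event-specific fields (user, logon type, service name, ...) live in EventData.
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return sorted(records, key=lambda r: r["time_utc"])


def timeline(records, device_tz=DEVICE_TZ):
    """One line per record, with the UTC timestamp corrected to the device's zone."""
    lines = []
    for r in records:
        local = r["time_utc"].astimezone(device_tz)
        meaning = EVENT_ID_MEANING.get(r["event_id"], "unmapped")
        user = r["data"].get("TargetUserName") or r["data"].get("AccountName") or "-"
        lines.append(f"{local.isoformat()} {r['channel']} {r['event_id']} ({meaning}) "
                     f"level={r['level_name']} user={user} provider={r['provider']}")
    return lines


if __name__ == "__main__":
    for line in timeline(parse_events(SAMPLE_XML)):
        print(line)
```

To use it on real data, export a log (for example `wevtutil qe Security /f:xml > security.xml`), wrap the output in a single root element if the export lacks one, and pass the text to `parse_events`. The sort is done on the UTC value and the zone is applied only at display time, so records from several machines in different zones still land in the correct order.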

Project Idea

Here’s a project idea for you.

  1. Execute some commands using Command Prompt and PowerShell
  2. See if you spot event log entries within Application logs and PowerShell logs relevant to the commands you typed
  3. Temporarily disable Windows Defender
  4. See if you can spot event log entries relevant to Windows Defender. What is the ‘level’ assigned to the log entry? Which application has generated this log entry?

The ability to interpret Windows Event Logs is a valuable skill for a digital forensic investigator.

Want to learn practical Digital Forensics and Incident Response skills? Enrol in MCSI’s MDFIR - Certified DFIR Specialist Certification Programme