Find out if someone has deleted files in event log

13 Posts
6 Users
0 Likes
614 Views
(@raider800)
Posts: 5
Active Member
Topic starter
 

Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?

 
Posted : 07/12/2017 5:16 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?

Scenario 1: single entries in an Eventlog deleted. This is very unlikely and might only be possible for a highly skilled suspect. Not impossible, but very unlikely.

Scenario 2: an Eventlog is deleted from inside the MMC. In this case, it is easy to find evidence. The first entry in the newly created Eventlog is a record indicating the deletion, together with the username who did it.

Scenario 3: the Eventlog file itself from the C:\Windows\System32\winevt\Logs\ folder is deleted. In this case, the deleted file can be carved, if it was not overwritten. It can even be recovered from Volume Shadow Copies if this technology is activated.

Best regards, Robin

 
Posted : 07/12/2017 6:06 pm
(@raider800)
Posts: 5
Active Member
Topic starter
 

Hi Robin,

Thanks for the info, here is the scenario.
Start the computer, can't remember the exact time in the morning, and I leave the computer for someone else who should fix an Excel file.
And now I just wonder if the person has deleted the log time stamp I made when I started the computer this morning and restarted the computer again.
Maybe I can even see an event ID in the log if the person has gotten into the log and checked that the event he erased really is erased?
The winevt log is still there, not deleted.

Which event ID number should I look for in the scenario 2 you describe?

Regards

Anders

 
Posted : 07/12/2017 6:19 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?

What makes you even think that someone has deleted an event log entry?

Also
1. a smart attacker would manipulate it instead of deleting it.
2. a smart organisation would move log entries off the system as quickly as possible into a secure domain, and/or keep a running digital signature of the logs to detect manipulation/deletion.

 
Posted : 07/12/2017 9:42 pm
(@raider800)
Posts: 5
Active Member
Topic starter
 

I am not sure, but I am trying to sort out if someone plugged in a USB drive at this time and removed the traces in the event log, and I can't remember if I logged in to the PC at the time the log was saved.
So I try to find traces of erased files; I have cloned the hard drive and saved all logs, and I am trying to find out what I should look at.
But I suppose it is a lot of work to delete all logs?
Something could be missed in this expected erasing of files.

Regards

Anders

 
Posted : 08/12/2017 10:58 am
(@athulin)
Posts: 1156
Noble Member
 

But I suppose it is a lot of work to delete all logs?

To delete log file lines requires file read and write privileges.

To delete log files and replace them with new files requires directory write privileges, at least.

Who has such privileges? Any attempt at creating a possible scenario must take that into account.

I'm not up-to-date about event log files and W10, but it used to be true that event log files were readable, but not directly writeable while Windows was running … unless you had some way to bypass that.

Again, any hypothesis about a deletion scenario would need to take such difficulties into account.

You have not said anything about what log lines you suspect to have been erased, and your reasons for thinking so. Do you know (repeat, *know*) that those lines were present? I've drawn some very far-fetched conclusions on the absence of some lines from a Microsoft FTP log (they were numbered, and a sequence of them were missing) … only to have them quashed by Microsoft support, who told me that some connections did get a number but were never logged, and so would appear to be missing from the FTP log.

 
Posted : 08/12/2017 4:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What makes you even think that someone has deleted an event log entry?

Good question.

Also
1. a smart attacker would manipulate it instead of deleting it.

Interesting. I've worked targeted threat investigations for a number of years now, and in many cases, found that not only were Windows Event Logs not touched, but that batch files and tools were left behind. In one case in particular, the bad guy collected the names of all of the active systems on the network and used a batch file to push out and launch mimikatz, and then retrieve the resulting files from each system. We had a complete set of data…all the systems available, and 'dir /b' gave us all the systems on which the command worked and from which result files were pulled.

This adversary had unfettered access to the network for months before anyone knew they were there.

About 20 months ago, I looked at the data for about half a dozen ransomware engagements that came into our organization. In every one of the cases, JBoss was exploited using JexBoss…the adversary never changed the file names. In 4 cases, the adversary downloaded, installed and ran Hyena, a network scanner. A very noisy network scanner. The mean time between initial access to the infrastructure and pushing out Samas ransomware to specific, targeted systems (at the time) was about 4 months. Four months without being detected.

My point is that what we say a lot of times isn't necessarily grounded in actual data. Yes, a "smart attacker" would do that…from our perspective. But why bother if you don't have to?

 
Posted : 09/12/2017 12:12 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It seems to me like everyone has gone astray following their own unrelated train of thoughts. 😯

Reportedly the OP switched on/logged in his PC and then allowed someone to use it in order to fix an Excel file.

There is seemingly no evil hacker, no corporate network attack, no ransomware deployed.

The ID of the person that was given (local) access to the PC is (or should be) known.

The OP failed to mention WHY he thinks that the event logs were fiddled with (and WHY the person would have had any reason to do that).

In any case, deleting (more properly "emptying") a system log is trivial (given that the OP login granted the corresponding permissions as Administrator or similar) while manipulating it (removing just one or more entries) is far from it.

Usually events 6005 and 6009 in the System log determine the time the system was started.
Event 6013 won't normally be there, as it is usually logged every 24 hours.
Event 6006 means the system was shut down.

jaclaz

 
Posted : 09/12/2017 2:11 pm
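An added example of the checks this thread points at, written for this edit and not posted by anyone in the thread: the "log was cleared" record from Robin's Scenario 2, the start/shutdown IDs jaclaz lists, and the record-number continuity Anders checked by eye. Event IDs 104 and 1102 are not on the page; they are the Microsoft-Windows-Eventlog records written when the System and the Security log are cleared. The $LogDir path (a cloned disk's winevt\Logs folder) and the time window are assumptions.

```powershell
# Added example, not from the thread. Triage a Windows 10 System/Security log for
# the records discussed above. Assumed: $LogDir points at the winevt\Logs folder
# of a cloned disk (leave it empty to read the live logs, which needs admin rights).
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date),
    [string]$LogDir  = ''   # e.g. 'E:\clone\Windows\System32\winevt\Logs'
)

function Get-Events {
    param([string]$Log, [int[]]$Ids)
    $f = @{ StartTime = $Start; EndTime = $End }
    if ($Ids) { $f['Id'] = $Ids }
    if ($LogDir) { $f['Path'] = Join-Path $LogDir "$Log.evtx" } else { $f['LogName'] = $Log }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# Who cleared a log: 104 (System log cleared) and 1102 (Security/audit log cleared),
# both from the Microsoft-Windows-Eventlog provider, carry the account in UserData.
function Get-ClearedBy {
    param($Event)
    [xml]$x = $Event.ToXml()
    $u = $x.Event.UserData.LogFileCleared
    "$($u.SubjectDomainName)\$($u.SubjectUserName)"
}

"== Start/shutdown markers (6005/6009 = started, 6006 = shut down) =="
Get-Events -Log 'System' -Ids 6005, 6006, 6009 |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, RecordId -AutoSize

"== Log-cleared records =="
foreach ($e in @(Get-Events -Log 'System' -Ids 104) + @(Get-Events -Log 'Security' -Ids 1102)) {
    "{0}  {1}  cleared by {2}" -f $e.TimeCreated, $e.LogName, (Get-ClearedBy $e)
}

# Record numbers are assigned sequentially, so a hole inside the window means
# records that once existed and are gone; a log that simply filled up drops the
# oldest records, not ones in the middle.
"== RecordId gaps in the System log =="
$ids = @(Get-Events -Log 'System' | Select-Object -ExpandProperty RecordId | Sort-Object)
for ($i = 1; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ne $ids[$i - 1] + 1) { "gap: $($ids[$i-1]) -> $($ids[$i])" }
}
```

Run it against the clone first; records read via -Path show no resolved message text, which is why the script pulls the clearing account out of the event XML rather than the message.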
(@raider800)
Posts: 5
Active Member
Topic starter
 

Thanks for the info.

Here is the scenario: I use a USB flash drive and I can't remember if I removed this USB flash drive; I know afterwards there is a mig for USB flash but this must be activated manually.
However, this USB is hidden by the screen so it is impossible to see from the screen side, so approx. a week later I discovered the USB in the PC and just wondered if I forgot it, or if I removed it and dropped it somewhere and someone else put it in my PC again; I know it sounds like madness.

So I started to test: if I put in the USB flash drive when the PC is off and start up the PC after the insert, I get event ID 219 and a framework ID number (can't remember) in the System log, and if the USB comes in when the PC is on there are a lot more events logged.

I have checked the logs between these two dates and the event record ID numbers come in order, so I just wonder about more tips on what I can check, some more event IDs which could be traces from erased files.

Could there be specific traces if this was performed over the network?

 
Posted : 09/12/2017 4:21 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thanks for the info.

Here is the scenario: I use a USB flash drive and I can't remember if I removed this USB flash drive; I know afterwards there is a mig for USB flash but this must be activated manually.

I can understand - maybe - half of your explanation.

What (the heck) is "a mig for USB flash"? 😯

However, this USB is hidden by the screen so it is impossible to see from the screen side, so approx. a week later I discovered the USB in the PC and just wondered if I forgot it, or if I removed it and dropped it somewhere and someone else put it in my PC again; I know it sounds like madness.

So I started to test: if I put in the USB flash drive when the PC is off and start up the PC after the insert, I get event ID 219 and a framework ID number (can't remember) in the System log, and if the USB comes in when the PC is on there are a lot more events logged.

"Hidden from the screen" means "not mounted" or "not visible in Explorer"?

Now it seems like you don't really want to know if someone deleted a log entry but rather want to look at "USB history"; check what USBDeview can see
http://www.nirsoft.net/utils/usb_devices_view.html

And/or
https://sourceforge.net/projects/smallusbhistory/

Only useful for next time: have USBLogView running
http://www.nirsoft.net/utils/usb_log_view.html

jaclaz

 
Posted : 09/12/2017 9:04 pm
Page 1 / 2