Find out if someone has deleted files in the event log


Post Posted: Thu Dec 07, 2017 11:16 am

Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?

Raider800
Newbie
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Thu Dec 07, 2017 12:06 pm

- Raider800
Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?


Scenario 1: single entries in an event log are deleted. This is very unlikely and might only be possible for a highly skilled suspect. Not impossible, but very unlikely.

Scenario 2: an event log is deleted from inside the MMC. In this case, it is easy to find evidence. The first entry in the newly created event log is a record indicating the deletion, together with the username of who did it.

Scenario 3: the event log file itself is deleted from the C:\Windows\System32\winevt\Logs\ folder. In this case, the deleted file can be carved, if it was not overwritten. It can even be recovered from Volume Shadow Copies if that feature is enabled.

best regards, Robin  

Bunnysniper
Senior Member
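An added example (PowerShell, not part of the thread) for checking scenario 2 on the copied logs. It assumes the .evtx files from the cloned disk were copied to the folder named in $LogDir; that path is an assumption. The event IDs are Microsoft's documented ones, not taken from the thread: 1102 (provider Microsoft-Windows-Eventlog, "The audit log was cleared") is written into the Security log; 104 (same provider, "The ... log file was cleared") is written into the System log and names the channel that was cleared; 6005/6006 (provider EventLog) and 12/13 (provider Microsoft-Windows-Kernel-General) bracket each boot and shutdown, which is the morning start-up the poster wants to confirm. Clearing a log through the MMC or with wevtutil produces these markers; only editing the file directly with the service stopped would not.

```powershell
# Added example (not from the thread). Point $LogDir at the winevt\Logs folder
# copied from the cloned disk; the path below is an assumption.
$LogDir = 'E:\clone\Windows\System32\winevt\Logs'

function Get-ClearMarker {
    # Pull who/what out of a 1102 or 104 record. Both carry a UserData\LogFileCleared
    # block with SubjectDomainName/SubjectUserName; 104 also names the cleared Channel.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $Data = ([xml]$Record.ToXml()).Event.UserData.LogFileCleared
    $By = $null
    $Channel = 'Security'        # 1102 only ever appears in the Security log
    if ($Data) {
        $By = '{0}\{1}' -f $Data.SubjectDomainName, $Data.SubjectUserName
        if ($Data.Channel) { $Channel = $Data.Channel }
    }
    [PSCustomObject]@{
        Time    = $Record.TimeCreated
        Id      = $Record.Id
        By      = $By
        Channel = $Channel
    }
}

function Get-LogClearReport {
    # One row per .evtx: the record span plus any clear markers (1102/104 from
    # Microsoft-Windows-Eventlog). A log whose first surviving record is itself
    # the clear marker is the MMC "Clear Log" case described in the post above.
    param([Parameter(Mandatory)][string]$LogDir)
    foreach ($File in Get-ChildItem -Path $LogDir -Filter '*.evtx') {
        # -Oldest returns records oldest-first; an empty or unreadable log yields nothing.
        $Events = @(Get-WinEvent -Path $File.FullName -Oldest -ErrorAction SilentlyContinue)
        if ($Events.Count -eq 0) { continue }
        $Marks = @($Events |
            Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Eventlog' -and ($_.Id -eq 1102 -or $_.Id -eq 104) } |
            ForEach-Object { Get-ClearMarker -Record $_ })
        [PSCustomObject]@{
            Log         = $File.Name
            Records     = $Events.Count
            FirstRecord = $Events[0].TimeCreated
            LastRecord  = $Events[-1].TimeCreated
            ClearMarks  = $Marks
        }
    }
}

function Get-BootMarkers {
    # Boot/shutdown timeline from the System log, to check whether the morning
    # start-up is still recorded: 6005/6006 = event log service started/stopped,
    # 12/13 = Kernel-General "operating system started" / "shutting down".
    param([Parameter(Mandatory)][string]$LogDir, [datetime]$Since = [datetime]::MinValue)
    Get-WinEvent -Path (Join-Path $LogDir 'System.evtx') -Oldest -ErrorAction SilentlyContinue |
        Where-Object {
            $_.TimeCreated -ge $Since -and (
                ($_.ProviderName -eq 'EventLog' -and ($_.Id -eq 6005 -or $_.Id -eq 6006)) -or
                ($_.ProviderName -eq 'Microsoft-Windows-Kernel-General' -and ($_.Id -eq 12 -or $_.Id -eq 13))
            )
        } |
        Select-Object TimeCreated, Id, ProviderName
}

# Usage: per-log summary, then the boot/shutdown markers since the day in question.
Get-LogClearReport -LogDir $LogDir | Format-List
Get-BootMarkers -LogDir $LogDir -Since (Get-Date '2017-12-07') | Format-Table -AutoSize
```

Read the result in two directions: a 1102 or 104 marker with a SubjectUserName is positive evidence that someone cleared a log at that time; a System log whose FirstRecord is later than the morning boot, with no marker at all, is the case the later replies warn about (the file was replaced or edited rather than cleared through the API), and then carving or the shadow copies from the clone (scenario 3) are the next place to look.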
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Thu Dec 07, 2017 12:19 pm

Hi Robin,

Thanks for the info, here is the scenario.
I started the computer, I can't remember the exact time in the morning, and I left the computer for someone else to fix an Excel file.
And now I just wonder if the person has deleted the log timestamp I made when I started the computer this morning and restarted the computer again.
Maybe I can even see an event ID in the log if the person got into the log and checked that the event he erased really was erased?
The winevt log is still there, not deleted.

Which event ID number should I look for in the scenario 2 you describe?

Regards

Anders  

Raider800
Newbie
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Thu Dec 07, 2017 3:42 pm

- Raider800
Hi,

I need some help to find out if someone has erased some event log files in Win 10, so which thing should I start looking for?



What makes you even think that someone has deleted an event log entry?

Also:
1. a smart attacker would manipulate it instead of deleting it.
2. a smart organisation would move log entries off-system as quickly as possible into a secure domain, and/or keep a running digital signature of the logs to detect manipulation/deletion.

MDCR
Senior Member
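An added example (PowerShell, not from the thread) of the "running digital signature" idea in point 2 above: a running HMAC chain over log lines, where each link is the HMAC of the previous link and the current line, so that deleting, altering or reordering any line changes every later link. The key and the latest link have to live somewhere the monitored host cannot write (a collector, or a remote store that only accepts appends); whoever can both edit the log and read the key can simply rebuild the chain. The sample log lines and the demo key are constructed for the example.

```powershell
# Added example (not from the thread): HMAC-SHA256 hash chain over log lines.
# link_0 = 32 zero bytes; link_i = HMAC(key, link_{i-1} || line_i)

function New-LogChain {
    # Returns one hex link per line. Store the links (or at least the newest one)
    # off-host, since the chain only proves anything against a copy the attacker
    # could not alter.
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string[]]$Lines
    )
    $Hmac  = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $Prev  = New-Object byte[] 32
    $Chain = New-Object System.Collections.Generic.List[string]
    foreach ($Line in $Lines) {
        $Data = [byte[]]($Prev + [System.Text.Encoding]::UTF8.GetBytes($Line))
        $Prev = $Hmac.ComputeHash($Data)
        $Chain.Add((([BitConverter]::ToString($Prev)) -replace '-', '').ToLower())
    }
    $Hmac.Dispose()
    return ,$Chain.ToArray()
}

function Test-LogChain {
    # Recompute the chain over the lines as they exist now and compare it with the
    # links recorded earlier. Returns the index of the first link that cannot be
    # reproduced (a deleted, changed or reordered line at or before that index),
    # or -1 if every recorded link is reproduced. Lines appended after the last
    # recorded link are allowed; that is normal log growth.
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Recorded
    )
    $Now = New-LogChain -Key $Key -Lines $Lines
    for ($i = 0; $i -lt $Recorded.Count; $i++) {
        if ($i -ge $Now.Count -or $Now[$i] -ne $Recorded[$i]) { return $i }
    }
    return -1
}

# Demo key: in practice a random key generated and kept on the collector, never on the host.
$Key = [byte[]](1..32)

# Constructed sample lines (not real log output).
$Lines = @(
    '2017-12-07 07:58:11 System   6005 EventLog  The Event log service was started.',
    '2017-12-07 08:15:40 Security 4624 An account was successfully logged on.',
    '2017-12-07 08:20:03 System   USB   storage device connected',
    '2017-12-07 08:45:12 Security 4634 An account was logged off.'
)

$Recorded = New-LogChain -Key $Key -Lines $Lines            # taken at collection time
Test-LogChain -Key $Key -Lines $Lines -Recorded $Recorded    # intact copy

$Tampered = @($Lines[0], $Lines[1], $Lines[3])               # the USB line removed
Test-LogChain -Key $Key -Lines $Tampered -Recorded $Recorded # first bad link
```

The first Test-LogChain call reports -1 (every recorded link reproduced); the second reports 2, the position of the removed line, because from that link onward the recomputed chain diverges. Replacing the HMAC with a signature over each link gives the same property with a key that need not be secret from the verifier, at the cost of a signing operation per line.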
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Fri Dec 08, 2017 4:58 am

I am not sure, but I am trying to sort out whether someone plugged in a USB device at this time and removed the traces in the event log, and I can't remember whether I was logged in to the PC at the time the log was saved.
So I am trying to find traces of erased files; I have cloned the hard drive and saved all the logs, and I am trying to find out what I should look at.
But I suppose it is a lot of work to delete all the logs?
Something could be missed in this expected erasure of files.

Regards

Anders  

Raider800
Newbie
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Fri Dec 08, 2017 10:21 am

- Raider800
But I suppose it is a lot of work to delete all the logs?


To delete log file lines requires file read and write privileges.

To delete log files and replace them with new files requires directory write privileges, at least.

Who has such privileges? Any attempt at creating a possible scenario must take that into account.

I'm not up-to-date about event log files and W10, but it used to be true that event log files were readable, but not directly writeable while Windows was running ... unless you had some way to bypass that.

Again, any hypothesis about a deletion scenario would need to take such difficulties into account.

You have not said anything about what log lines you suspect to have been erased, and your reasons for thinking so. Do you know (repeat, *know*) that those lines were present? I've drawn some very far-fetched conclusions from the absence of some lines in a Microsoft FTP log (they were numbered, and a sequence of them was missing) ... only to have them quashed by Microsoft support, who told me that some connections did get a number but were never logged, and so would appear to be missing from the FTP log.

athulin
Senior Member
 
 
  

Re: Find out if someone has deleted files in the event log

Post Posted: Sat Dec 09, 2017 6:12 am

- MDCR

What makes you even think that someone has deleted an event log entry?


Good question.

- MDCR

Also:
1. a smart attacker would manipulate it instead of deleting it.


Interesting. I've worked targeted threat investigations for a number of years now, and in many cases, found that not only were Windows Event Logs not touched, but that batch files and tools were left behind. In one case in particular, the bad guy collected the names of all of the active systems on the network and used a batch file to push out and launch mimikatz, and then retrieve the resulting files from each system. We had a complete set of data...all the systems available, and 'dir /b' gave us all the systems on which the command worked and from which result files were pulled.

This adversary had unfettered access to the network for months before anyone knew they were there.

About 20 months ago, I looked at the data for about half a dozen ransomware engagements that came into our organization. In every one of the cases, JBoss was exploited using JexBoss...the adversary never changed the file names. In 4 cases, the adversary downloaded, installed and ran Hyena, a network scanner. A very noisy network scanner. The mean time between initial access to the infrastructure and pushing out Samas ransomware to specific, targeted systems (at the time) was about 4 months. Four months without being detected.

My point is that what we say a lot of times isn't necessarily grounded in actual data. Yes, a "smart attacker" would do that...from our perspective. But why bother if you don't have to?  

keydet89
Senior Member