What are some of your techniques to determine who cleared the event logs on a device when this information is not in the Security Log? On a related note, is there any way to recover these logs without taking a full image?
Thanks.
Thanks for posting this question, Jaysp. Is it that the log is empty, or is it that you expected to see earlier entries in the file than you are finding?
In the case of the latter, could it be that there is a quota set on the size of the logs? I've encountered this on many occasions where there's a small size limit on the file. This forces the log to overwrite earlier entries automatically when it reaches a certain size.
Depending on what OS, you may have log files in Shadow Volumes. Generally you'll want a full disk image to recover shadow volumes. I'll be discussing the methodology for this at Techno Forensics next week in Gaithersburg MD.
If you have a date and time as to when the log was cleared, you can look at other activity on the computer to determine what account was logged on at the time.
It may be possible to recover deleted event log records from unallocated space.
I can never tell who cleared the log, but I may be able to tell what account was used to clear the log, as gkelley described it.
Thanks for posting this question, Jaysp. Is it that the log is empty, or is it that you expected to see earlier entries in the file than you are finding?
The log was cleared. The security log says the user is the SYSTEM account (they elevated). I'm after the actual account that was on the device when it was cleared.
Depending on what OS, you may have log files in Shadow Volumes. Generally you'll want a full disk image to recover shadow volumes.
The OS is XP. Would it be possible to recover by mounting a shadow drive without having to do a full backup?
If you have a date and time as to when the log was cleared, you can look at other activity on the computer to determine what account was logged on at the time.
It may be possible to recover deleted event log records from unallocated space.
What activity would you recommend looking for?
Thanks!
You are trying to recover deleted data, why would you do anything other than a full image?
When I mentioned the account logged on, I wasn't talking about what is reported in the logs. I'm talking about looking at activity on the computer to determine which account was logged in. A timeline of activity of data underneath the profile directories would be a good start as well as registry key modification dates in the NTUser.dat files.
You are trying to recover deleted data, why would you do anything other than a full image?
Suffice it to say that this is not feasible in this instance.
I'd at least try to capture the partition on which the event logs resided. You can just recover the restore points, but I do not believe that the event logs are stored there for XP. Chances are that unallocated clusters are going to be your target for recovery.
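Carving the records out of unallocated clusters, as suggested above, is scriptable because the XP/2003 `.evt` format stores each record as a self-describing structure (the Win32 EVENTLOGRECORD layout: a 56-byte little-endian header whose second field is the ASCII signature `LfLe`, then the UTF-16LE source and computer names, an optional SID, the insertion strings, binary data, and the record length repeated as a trailer). The following is an added example, not code from any poster in this thread: it scans a byte buffer for the signature, validates each hit with the leading/trailing length pair and the internal offsets, and decodes the fields an examiner would want (record number, generated/written timestamps, event ID, source, insertion strings). The sample buffer, the hostname `WS-XP-01`, the user `jsmith` and the insertion strings are constructed for the example; the event IDs 528 (successful logon) and 517 (audit log cleared) are the real XP/2003 Security-log IDs.

```python
"""Carve Windows XP/2003 (.evt) event-log records out of raw bytes.

Added example for the thread above. Records follow the Win32 EVENTLOGRECORD
layout; a cleared log leaves the old records in unallocated space until they
are overwritten, so a signature scan over a partition image can recover them.
"""
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"
HEADER_FMT = "<I4sIIIIHHHHIIIIII"       # EVENTLOGRECORD fixed header, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 56 bytes
MAX_RECORD = 64 * 1024                    # plausibility bound while carving


def _read_utf16z(blob, off, limit):
    """Read a NUL-terminated UTF-16LE string at off, never reading past limit."""
    end = off
    while end + 1 < limit and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(blob, start):
    """Parse the record whose header begins at start; return None if implausible."""
    if start < 0 or start + HEADER_LEN > len(blob):
        return None
    (length, magic, rec_no, t_gen, t_wr, event_id, ev_type, n_str, category,
     _flags, _closing, str_off, sid_len, _sid_off, _data_len,
     data_off) = struct.unpack_from(HEADER_FMT, blob, start)
    if magic != EVT_MAGIC or length < HEADER_LEN + 4 or length > MAX_RECORD:
        return None
    end = start + length
    if end > len(blob):
        return None
    # The length is repeated as the last DWORD; a mismatch means the record is
    # truncated or partly overwritten, or the signature was a chance hit.
    if struct.unpack_from("<I", blob, end - 4)[0] != length:
        return None
    if not (HEADER_LEN <= str_off <= length and HEADER_LEN <= data_off <= length):
        return None
    source, off = _read_utf16z(blob, start + HEADER_LEN, end)
    computer, _ = _read_utf16z(blob, off, end)
    strings, off = [], start + str_off
    for _ in range(n_str):
        s, off = _read_utf16z(blob, off, end)
        strings.append(s)
    return {
        "record_number": rec_no,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
        "time_written": datetime.fromtimestamp(t_wr, tz=timezone.utc),
        "event_id": event_id & 0xFFFF,   # low word is the familiar event number
        "event_type": ev_type,           # 8 = audit success, 16 = audit failure
        "category": category,
        "source": source,
        "computer": computer,
        "strings": strings,
        "has_sid": sid_len > 0,
    }


def carve_records(blob):
    """Scan a buffer (e.g. unallocated clusters) for records and parse each hit."""
    found = []
    pos = blob.find(EVT_MAGIC)
    while pos != -1:
        rec = parse_record(blob, pos - 4)  # signature sits 4 bytes into the header
        if rec:
            found.append(rec)
        pos = blob.find(EVT_MAGIC, pos + 4)
    return found


def build_record(rec_no, event_id, unix_time, source, computer, strings, ev_type=8):
    """Assemble a well-formed record; used here only to construct sample data."""
    names = (source.encode("utf-16-le") + b"\x00\x00"
             + computer.encode("utf-16-le") + b"\x00\x00")
    body = names + b"\x00" * (-len(names) % 4)   # DWORD-align like the API does
    str_off = HEADER_LEN + len(body)             # no SID stored, so SID length is 0
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = HEADER_LEN + len(body)            # no binary data either
    body += b"\x00" * (-len(body) % 4)
    length = HEADER_LEN + len(body) + 4
    header = struct.pack(HEADER_FMT, length, EVT_MAGIC, rec_no, unix_time, unix_time,
                         event_id, ev_type, len(strings), 0, 0, rec_no,
                         str_off, 0, str_off, 0, data_off)
    return header + body + struct.pack("<I", length)


# Constructed sample: two records wedged between unrelated bytes, plus a stray
# "LfLe" that is not a record and must be rejected by the length checks.
SAMPLE_UNALLOCATED = (
    b"\x00" * 37 + b"random slack LfLe not a record" + b"\xff" * 11
    + build_record(1041, 528, 1224072000, "Security", "WS-XP-01",
                   ["jsmith", "WS-XP-01", "(0x0,0x3E7)", "2"])
    + b"\xde\xad" * 21
    + build_record(1042, 517, 1224075600, "Security", "WS-XP-01",
                   ["SYSTEM", "NT AUTHORITY", "(0x0,0x3E7)"])
    + b"\x00" * 19
)

if __name__ == "__main__":
    for r in carve_records(SAMPLE_UNALLOCATED):
        print(r["record_number"], r["time_generated"].isoformat(), r["event_id"],
              r["source"], r["computer"], r["strings"])
```

Run against a real capture by reading the unallocated-cluster extract (or the whole partition image) into `blob` instead of `SAMPLE_UNALLOCATED`; the timestamps of the carved 517 record give the clearing time to correlate with the profile-directory and NTUser.dat timeline suggested earlier in the thread, and the records numbered just before it show what was happening under which account at the time.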