Hello
I am trying to view log files to determine when the administrator password was changed; I am also looking for IP information from remote access to the computer. I'm using EnCase v6, and I'm attempting to view the security log file (from an XP computer) on my analysis computer with XP. I have copied unerased the secevent.evt file from EnCase and used Event Viewer. I get an error that says "parameter is incorrect". I also tried the same in Windows 7 and got an error.
I'm looking for any suggestions on how to view this file, or any suggestions/corrections on what I've done so far.
Thanks
You should try Log Parser Lizard, which is a GUI for MS Log Parser.
Hello
I have copied unerased the secevent.evt file from EnCase and used Event Viewer. I get an error that says "parameter is incorrect". I also tried the same in Windows 7 and got an error.
The same error? Or another one?
Event logs are always open, so if you image a system live or don't shut it down properly prior to imaging, you will get an incorrect event log (a bit in the header says it wasn't closed properly), which some tools – such as Event Viewer – will complain about. Alternatively, if the log becomes damaged, it may stay unopened, and log entries will simply be lost. If this is the problem, tools like Event Viewer will fail, and you either need to fix the log file header information, or use a forensic tool that can ignore this problem.
Or … it could be an interpretation problem. Event log files only contain the basic data – all the clarifying text is obtained from message files (.DLL files) that are linked to the event source through registry information. For Event logger (and similar tools) to provide normal event log text, they need the message file that goes with the module that has produced the log entry. If there isn't one, you typically get an error message. If there is one, but it isn't the right one, you may get the kind of error you mention.
That is, .evt logs should be interpreted in the context of the system itself. If you extract an .evt log to a different system, you also need to ensure that the message file is extracted, or that you indeed have the same message file on the system you use for the analysis.
EnCase does all this for you – it uses the message files in the image.
If you use some external tool, make sure it doesn't try to pick up text from the message files, unless you have ensured that it will be OK to do so. If you know the event ID, you can usually go by that to locate the relevant log entry. Even so, you must realize that you really need to know what the message file contains if it says '<user_account> successfully changed password', or if it says '<user account> failed to change password', for example. You can't always trust the status code of the log entry – in some cases a 'failed' operation is logged as a 'successful' log entry. And event IDs do also change occasionally.
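An added example (not from this thread, EnCase or any of the tools named here) of what the answer above describes: a small reader for the classic .evt format that reports the header's dirty flag, produces a copy with that bit cleared (the "fix the header" route), and walks the records by event ID and inserted strings without consulting any message DLL. The sample log it reads is constructed inline; the account and computer names are placeholders, and 628 is the XP-era "User Account password set" event ID.

```python
import struct
# Classic .evt layout (little-endian): 48-byte ELF_LOGFILE_HEADER, then EVENTLOGRECORDs
# (56-byte fixed part followed by UTF-16LE strings), then a 40-byte EOF record.
HEADER_FMT, RECORD_FMT = "<I4sIIIIIIIIII", "<I4sIIIIHHHHIIIIII"
FLAGS_OFFSET, DIRTY = 36, 0x1          # Flags DWORD in the header; ELF_LOGFILE_HEADER_DIRTY
EVENT_TYPES = {8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}

def parse_header(data):
    hdr_size, sig, _, _, start, end, cur, oldest, _, flags, _, _ = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"LfLe" or hdr_size != 48:
        raise ValueError("not a classic .evt header")
    # The dirty bit stays set while the log is open, so live or crashed images show it.
    return {"start": start, "end": end, "current": cur, "oldest": oldest, "dirty": bool(flags & DIRTY)}

def clear_dirty(data):                 # copy with the dirty bit cleared: the 'fix the header' route
    out = bytearray(data)
    flags = struct.unpack_from("<I", out, FLAGS_OFFSET)[0]
    struct.pack_into("<I", out, FLAGS_OFFSET, flags & ~DIRTY)
    return bytes(out)

def _wstr(buf, off):                   # NUL-terminated UTF-16LE string, scanned 2 bytes at a time
    end = next(i for i in range(off, len(buf), 2) if buf[i:i + 2] == b"\x00\x00")
    return buf[off:end].decode("utf-16-le"), end + 2

def iter_records(data):
    """Yield (record_no, event_id, type, source, strings); needs no message DLL."""
    off = parse_header(data)["start"]
    while off + 56 <= len(data) and data[off + 4:off + 8] == b"LfLe":   # EOF record ends it
        r = struct.unpack_from(RECORD_FMT, data, off)
        length, rec_no, event_id, etype, nstr, str_off = r[0], r[2], r[5], r[6], r[7], r[11]
        source, _ = _wstr(data, off + 56)
        strings, pos = [], off + str_off
        for _ in range(nstr):
            s, pos = _wstr(data, pos)
            strings.append(s)
        yield rec_no, event_id & 0xFFFF, EVENT_TYPES.get(etype, str(etype)), source, strings
        off += length

def build_sample(flags=DIRTY):
    """Constructed image: one XP Security event 628 (password set) plus the EOF record."""
    w = lambda *ss: b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in ss)
    names, strs = w("Security", "XPBOX"), w("Administrator", "XPBOX")   # placeholder names
    length = -(-(56 + len(names) + len(strs) + 4) // 4) * 4        # DWORD-aligned record
    rec = struct.pack(RECORD_FMT, length, b"LfLe", 1, 0, 0, 628, 8, 2, 0, 0, 0,
                      56 + len(names), 0, 0, 0, 0) + names + strs
    rec += b"\0" * (length - 4 - len(rec)) + struct.pack("<I", length)
    eof = struct.pack("<I16sIIIII", 0x28, b"\x11" * 4 + b"\x22" * 4 + b"\x33" * 4 + b"\x44" * 4,
                      48, 48 + length, 2, 1, 0x28)
    hdr = struct.pack(HEADER_FMT, 48, b"LfLe", 1, 1, 48, 48 + length, 2, 1, 0x80000, flags, 0, 48)
    return hdr + rec + eof
```

Run `parse_header` on the extracted secevent.evt first: if `dirty` is set, that is the header condition Event Viewer objects to, and `iter_records` still walks the file either way.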
More details on the "dirty" byte
jaclaz
Thank you guys for the help. When I get back to the office I will work on this some more.