Find out if someone has deleted files in event log

Raider800
(@raider800)
New Member

Hi,

I need some help to find out if someone has erased some log event files in Win 10, so which thing should I start looking for?

Quote
Topic starter Posted : 07/12/2017 5:16 pm
Bunnysniper
(@bunnysniper)
Active Member

Hi,

I need some help to find out if someone has erased some log event files in Win 10, so which thing should I start looking for?

Scenario 1: single entries in an Eventlog are deleted. This is very unlikely and might only be possible for a highly skilled suspect. Not impossible, but very unlikely.

Scenario 2: an Eventlog is deleted from inside the MMC. In this case, it is easy to find evidence. The first entry in the newly created Eventlog is a record indicating the deletion, together with the username of who did it.

Scenario 3: the Eventlog file itself is deleted from the C:\Windows\System32\winevt\Logs\ folder. In this case, the deleted file can be carved, if it was not overwritten. It can even be recovered from Volume Shadow Copies if this technology is activated.

Best regards, Robin

ReplyQuote
Posted : 07/12/2017 6:06 pm
Raider800
(@raider800)
New Member

Hi Robin,

Thanks for the info, here is the scenario.
I started the computer (I can't remember the exact time in the morning) and left the computer for someone else to fix an Excel file.
And now I just wonder if the person has deleted the log timestamp I made when I started the computer this morning and restarted the computer again.
Maybe I can even see an event ID in the log if the person has got into the log and checked that the event he erased really is erased?
The winevt log is still there, not deleted.

Which event ID number should I look for in the scenario 2 you describe?

Regards

Anders

ReplyQuote
Topic starter Posted : 07/12/2017 6:19 pm
MDCR
(@mdcr)
Active Member

Hi,

I need some help to find out if someone has erased some log event files in Win 10, so which thing should I start looking for?

What makes you even think that someone has deleted an event log entry?

Also:
1. A smart attacker would manipulate it instead of deleting it.
2. A smart organisation would move log entries off the system as quickly as possible into a secure domain, and/or keep a running digital signature of the logs to detect manipulation/deletion.

ReplyQuote
Posted : 07/12/2017 9:42 pm
Raider800
(@raider800)
New Member

I am not sure, but I am trying to sort out if someone has plugged in a USB at this time and removed the traces in the event log, and I can't remember if I logged in to the PC at the time the log has been saved.
So I am trying to find traces of erased files; I have cloned the hard drive and saved all logs, and I am trying to find out what I should look at.
But I suppose there is a lot of work to delete all logs?
Something could be missed in this suspected erasure of files.

Regards

Anders

ReplyQuote
Topic starter Posted : 08/12/2017 10:58 am
athulin
(@athulin)
Community Legend

But I suppose there is a lot of work to delete all logs?

To delete log file lines requires file read and write privileges.

To delete log files and replace them with new files requires directory write privileges, at least.

Who has such privileges? Any attempt at creating a possible scenario must take that into account.

I'm not up-to-date about event log files and W10, but it used to be true that event log files were readable, but not directly writeable while Windows was running … unless you had some way to bypass that.

Again, any hypothesis about a deletion scenario would need to take such difficulties into account.

You have not said anything about what log lines you suspect to have been erased, and your reasons for thinking so. Do you know (repeat, *know*) that those lines were present? I've drawn some very far-fetched conclusions on the absence of some lines from a Microsoft FTP log (they were numbered, and a sequence of them were missing) … only to have them quashed by Microsoft support, who told me that some connections did get a number, but were never logged, and so would appear to be missing from the FTP log.

ReplyQuote
Posted : 08/12/2017 4:21 pm
keydet89
(@keydet89)
Community Legend

What makes you even think that someone has deleted an event log entry?

Good question.

Also:
1. A smart attacker would manipulate it instead of deleting it.

Interesting. I've worked targeted threat investigations for a number of years now, and in many cases, found that not only were Windows Event Logs not touched, but that batch files and tools were left behind. In one case in particular, the bad guy collected the names of all of the active systems on the network and used a batch file to push out and launch mimikatz, and then retrieve the resulting files from each system. We had a complete set of data…all the systems available, and 'dir /b' gave us all the systems on which the command worked and from which result files were pulled.

This adversary had unfettered access to the network for months before anyone knew they were there.

About 20 months ago, I looked at the data for about half a dozen ransomware engagements that came into our organization. In every one of the cases, JBoss was exploited using JexBoss…the adversary never changed the file names. In 4 cases, the adversary downloaded, installed and ran Hyena, a network scanner. A very noisy network scanner. The mean time between initial access to the infrastructure and pushing out Samas ransomware to specific, targeted systems (at the time) was about 4 months. Four months without being detected.

My point is that what we say a lot of times isn't necessarily grounded in actual data. Yes, a "smart attacker" would do that…from our perspective. But why bother if you don't have to?

ReplyQuote
Posted : 09/12/2017 12:12 pm
jaclaz
(@jaclaz)
Community Legend

It seems to me like everyone has gone astray following their own unrelated train of thoughts. 😯

Reportedly the OP switched on/logged in his PC and then allowed someone to use it in order to fix an Excel file.

There is seemingly no evil hacker, no corporate network attack, no ransomware deployed.

The ID of the person that was given (local) access to the PC is (or should be) known.

The OP failed to mention WHY he thinks that the event logs were fiddled with (and WHY the person would have had any reason to do that).

In any case, deleting (more properly "emptying") a system log is trivial (given that the OP login granted the corresponding permissions as Administrator or similar) while manipulating it (removing just one or more entries) is far from it.

Usually events 6005, 6009 in System log determine the time the system was started.
Event 6013 won't normally be there as it is usually logged every 24 hours.
Event 6006 means the system was shutdown.

jaclaz

ReplyQuote
Posted : 09/12/2017 2:11 pm
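The checks discussed in this thread, as one added PowerShell example (not code from any poster): the boot/shutdown timeline from the System log IDs jaclaz lists, the "log was cleared" record that Bunnysniper's scenario 2 relies on (event 104 in the System log and 1102 in the Security log; both name the account that cleared the log), and the record-number ordering check the OP did by eye. It assumes a default Windows 10 event log configuration and an elevated shell (reading the Security log needs administrator rights).

```powershell
# Added example, not from the thread. Run elevated. The window defaults to the
# last 7 days; pass -Start/-End to narrow it to the morning in question.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date)
)

# 1. Boot / shutdown timeline from the System log (IDs named in the thread).
$meaning = @{ 6005 = 'Event Log service started (boot)'
              6006 = 'Event Log service stopped (clean shutdown)'
              6009 = 'OS version recorded at boot'
              6013 = 'Uptime report (logged about once per day)' }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005,6006,6009,6013;
                                 StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } } |
    Format-Table -AutoSize

# 2. "Log cleared" records. A cleared log begins again with this entry, so the
#    clearing itself leaves a trace, including the account that did it.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Start } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Start } -ErrorAction SilentlyContinue
)
if ($cleared.Count -eq 0) { 'No log-clear events found in the window.' }
$cleared | Select-Object TimeCreated, LogName, Id, Message | Format-List

# 3. Record-number continuity. RecordId grows by one per record written to a
#    log, so a jump inside the window means records are missing, and a drop
#    means the numbering restarted; neither happens in normal operation.
$recs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated, RecordId
for ($i = 1; $i -lt $recs.Count; $i++) {
    $delta = $recs[$i].RecordId - $recs[$i - 1].RecordId
    if ($delta -gt 1) {
        "Gap: $($delta - 1) record(s) missing between RecordId $($recs[$i-1].RecordId) and $($recs[$i].RecordId) at $($recs[$i].TimeCreated)"
    } elseif ($delta -lt 1) {
        "RecordId went backwards at $($recs[$i].TimeCreated): $($recs[$i-1].RecordId) -> $($recs[$i].RecordId)"
    }
}
```

Records that were never written (as athulin's FTP example shows) produce no gap, so a clean sequence only tells you the file was not edited, not that every event reached it.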
Raider800
(@raider800)
New Member

Thanks for the info.

Here is the scenario: I use a USB flash drive and I can't remember if I removed this USB flash drive; I know afterwards there is a mig for USB flash but this must be activated manually.
However, this USB is hidden by the screen so it is impossible to see from the screen side, so approx. a week later I discovered the USB in the PC and just wondered if I forgot it, or if I removed it and dropped it somewhere and someone else put it in my PC again; I know it sounds like madness.

So I started to test: if I put in the USB flash drive when the PC is off and start up the PC after the insert, I get event ID 219 and a framework ID number (can't remember) in the system log, and if the USB comes in when the PC is on there are a lot more events logged.

I have checked the logs between these two dates and the event record ID numbers come in order, so I just wonder, for more tips, what I can check, some more event IDs which could be traces from erased files.

Could there be specific traces if this was performed over the network?

ReplyQuote
Topic starter Posted : 09/12/2017 4:21 pm
jaclaz
(@jaclaz)
Community Legend

Thanks for the info.

Here is the scenario: I use a USB flash drive and I can't remember if I removed this USB flash drive; I know afterwards there is a mig for USB flash but this must be activated manually.

I can understand - maybe - half of your explanation.

What (the heck) is "a mig for USB flash"? 😯

However, this USB is hidden by the screen so it is impossible to see from the screen side, so approx. a week later I discovered the USB in the PC and just wondered if I forgot it, or if I removed it and dropped it somewhere and someone else put it in my PC again; I know it sounds like madness.

So I started to test: if I put in the USB flash drive when the PC is off and start up the PC after the insert, I get event ID 219 and a framework ID number (can't remember) in the system log, and if the USB comes in when the PC is on there are a lot more events logged.

"Hidden from the screen" means "not mounted" or "not visible in explorer"?

Now it seems like you don't really want to know if someone deleted a log entry but rather want to look at "USB history"; check what USBDeview can see:
http://www.nirsoft.net/utils/usb_devices_view.html

And/or
https://sourceforge.net/projects/smallusbhistory/

Only useful for next time, have USBLogView running:
http://www.nirsoft.net/utils/usb_log_view.html

jaclaz

ReplyQuote
Posted : 09/12/2017 9:04 pm
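The "USB history" jaclaz points to, as an added PowerShell example (not code from any poster or from the tools linked above): it lists the USB mass-storage devices recorded under the USBSTOR enumerator keys of the SYSTEM hive, which is the same source USBDeview reads. It assumes the standard key layout and an elevated shell; first and last connection times live in the keys' last-write timestamps and in C:\Windows\INF\setupapi.dev.log, which this script does not parse.

```powershell
# Added example, not from the thread. Enumerates USBSTOR device instances and
# reports whether each instance id is a real device serial number.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (-not (Test-Path $base)) { Write-Warning 'No USBSTOR key on this system'; return }

$devices = foreach ($model in Get-ChildItem -Path $base) {
    # One subkey per device instance under each Disk&Ven_...&Prod_... key.
    # The instance name is the device's own serial number; when the second
    # character is '&', the device reported no serial and Windows generated
    # the id, so the same stick can appear under a different id on another PC.
    foreach ($inst in Get-ChildItem -Path $model.PSPath) {
        $props = Get-ItemProperty -Path $inst.PSPath
        [pscustomobject]@{
            Model         = $model.PSChildName
            InstanceId    = $inst.PSChildName
            FriendlyName  = $props.FriendlyName
            HasRealSerial = ($inst.PSChildName.Length -gt 1 -and $inst.PSChildName[1] -ne '&')
        }
    }
}
$devices | Sort-Object Model, InstanceId | Format-Table -AutoSize
```

A device that is absent here but present in setupapi.dev.log is worth a closer look, since the registry entries can be removed while the log file is rarely touched.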
MDCR
(@mdcr)
Active Member

Also:
1. A smart attacker would manipulate it instead of deleting it.

My point is that what we say a lot of times isn't necessarily grounded in actual data. Yes, a "smart attacker" would do that…from our perspective. But why bother if you don't have to?

Because not everyone is sitting safe in a Southeast Asian country with non-cooperative law enforcement, and they actually have to care about opsec, especially when going after more alert targets that do record pcaps of every bit going in and out of the network.

Don't get me wrong, I've seen similarly noisy attacks as you describe, but attackers slowly learn and evolve, and DFIR has to evolve with it, and from what I read about blue teams in general, they have much more on their to-do list to catch up, and attacks, as you say, go unnoticed for months or even years.

ReplyQuote
Posted : 10/12/2017 3:57 pm
Raider800
(@raider800)
New Member

I mean the USB flash drive is impossible to see from the side where I look at the monitor screen, so it is easy to forget to remove it; impossible to see with the eyes, the monitor hides it.

There is sensitive info on the USB flash drive, so that is the reason I am searching whether someone has erased some traces from the log; I have already tried the program you sent the link to.

So I just want to get some tips on which things I should look at, typically traces which occur in this case.

Is it impossible to see if some log file is overwritten?

ReplyQuote
Topic starter Posted : 10/12/2017 3:59 pm
jaclaz
(@jaclaz)
Community Legend

Is it impossible to see if some log file is overwritten?

No, but - with all due respect - you seem like either needing a tin foil hat 😯 or some new, solid, security procedures AND a deeper approach to incident response.

If you have the kind of sensitive information that may require protection, you should have implemented far better safety/security measures/protocols to avoid the risk of "I may have forgotten …" and (as suggested as an example) add specific USB logging to the system, and of course not even think of leaving anyone, ever, with local access to the machine unsupervised (or not filmed).

A relatively small number of people may be aware of methods to delete (actually to de-index) an event in a system log; I doubt that any of them were after you, as it is not easy-peasy or particularly renowned. However, the good (fresh) news is that it is possible to check the integrity of the logs:
https://www.forensicfocus.com/Forums/viewtopic/t=16137/

Also, I still don't understand the details of the incident, but if you left unattended the actual USB stick (i.e. you are not sure on its whereabouts for one week) it is more probable that it was read/copied on another computer as it would have been simpler.

More generally - if you suspect any non-authorized activity on your PC - the "advised" procedure is NOT that of checking "just" the system logs (or this or that particular thing), but rather that of doing a complete timeline of all the activities on the system.

jaclaz

ReplyQuote
Posted : 11/12/2017 12:44 pm