Windows Event Logs Tips

harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
Topic starter  

Following on from the thread "Evidence Time Change" where Event Logs were discussed I thought I would start a thread to see if anyone would like to post useful Event Records that they have used in a practical way to support or rebut some evidence in a case.

In trying out "MyEventViewer" from nirsoft I noticed some Event Logs that I was not aware of and could be useful in a case as part of a timeline concerning document editing when taken together with other evidence.

I found that there is now an OSession Log from Microsoft Office 12 which lists every time an Office Application is started, how long the session was, and how long it is active.

"ID 1, Application Name Microsoft Office Excel, Application Version 12.0.6545.5000, Microsoft Office Version 12.0.6425.1000. This session lasted 1418 seconds with 300 seconds of active time. This session ended normally."

H


   
Quote
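The OSession record quoted above is useful precisely because it lets you bracket a document-editing window. As an added example (not code from the post or from nirsoft), here is a small Python parser for that message layout that turns each record into a session start/end pair for a timeline. It assumes the event is written when the Office session closes, so the start is the event time minus the reported duration; colons after the field names are made optional because different viewers render the same record slightly differently. The sample records are constructed.

```python
"""Parse Microsoft Office 12 OSession event messages into timeline entries."""
import re
from datetime import datetime, timedelta

# Message layout as quoted in the post. Colons are optional (assumption: tools such as
# MyEventViewer and wevtutil render the same record with or without them).
OSESSION_RE = re.compile(
    r"ID:?\s*(?P<id>\d+),\s*"
    r"Application Name:?\s*(?P<app>.+?),\s*"
    r"Application Version:?\s*(?P<app_ver>[\d.]+),\s*"
    r"Microsoft Office Version:?\s*(?P<office_ver>[\d.]+)\.\s*"
    r"This session lasted (?P<duration>\d+) seconds with (?P<active>\d+) seconds of active time\.\s*"
    r"This session ended (?P<how>\w+)\."
)


def parse_osession(logged_at, message):
    """Return a dict describing one Office session, or None if `message` is not an OSession record.

    `logged_at` is the event's own timestamp. Assumption: the record is written when the session
    closes, so the session start is the event time minus the reported duration.
    """
    m = OSESSION_RE.search(message)
    if not m:
        return None
    duration = int(m["duration"])
    active = int(m["active"])
    return {
        "id": int(m["id"]),
        "app": m["app"],
        "app_version": m["app_ver"],
        "office_version": m["office_ver"],
        "start": logged_at - timedelta(seconds=duration),
        "end": logged_at,
        "duration_s": duration,
        "active_s": active,  # time the user was actually interacting with the window
        "ended_normally": m["how"].lower() == "normally",
    }


def sessions_to_timeline(events):
    """Turn (timestamp, message) pairs into a sorted list of (timestamp, description) entries.

    Non-OSession messages are skipped. Each session yields a 'start' and an 'end' entry so
    the result can be laid directly beside file MAC times from other evidence.
    """
    entries = []
    for logged_at, message in events:
        rec = parse_osession(logged_at, message)
        if rec is None:
            continue
        tag = "normal" if rec["ended_normally"] else "abnormal"
        entries.append((rec["start"], f"{rec['app']} session start"))
        entries.append((rec["end"], f"{rec['app']} session end ({tag}, active {rec['active_s']}s of {rec['duration_s']}s)"))
    entries.sort(key=lambda e: e[0])
    return entries


# Constructed sample records: the Excel message is the one quoted in the post, the Word message
# and all timestamps are made up for illustration.
SAMPLE_MESSAGE = (
    "ID 1, Application Name Microsoft Office Excel, Application Version 12.0.6545.5000, "
    "Microsoft Office Version 12.0.6425.1000. This session lasted 1418 seconds with 300 seconds "
    "of active time. This session ended normally."
)
SAMPLE_EVENTS = [
    (datetime(2010, 11, 15, 14, 32, 10), SAMPLE_MESSAGE),
    (datetime(2010, 11, 15, 10, 5, 0),
     "ID 1, Application Name Microsoft Office Word, Application Version 12.0.6545.5000, "
     "Microsoft Office Version 12.0.6425.1000. This session lasted 600 seconds with 480 seconds "
     "of active time. This session ended abnormally."),
    (datetime(2010, 11, 15, 9, 0, 0), "The Event log service was started."),  # not an OSession record
]

if __name__ == "__main__":
    for when, what in sessions_to_timeline(SAMPLE_EVENTS):
        print(when.isoformat(sep=" "), what)
```

The derived start time is only as good as the assumption that the record is logged at session close, so check it against a known session on a test machine before relying on it in a report; the active-time field is a useful sanity check against a claim that a document was being worked on for the whole session.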
harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
Topic starter  

I thought I would just add one having looked through my logs again.

I have at least six months history from Sophos Anti-Virus where it has identified suspicious files. Every AV product may not record events but it is certainly worth considering in any cases where a virus is an issue.

H


   
ReplyQuote
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I thought I would just add one having looked through my logs again.

I have at least six months history from Sophos Anti-Virus where it has identified suspicious files. Every AV product may not record events but it is certainly worth considering in any cases where a virus is an issue.

H

In "is there a Trojan or am I just paranoid" investigations I try to parse out application EVTs as well as the logs from the AV products. Really would like a "find log" button or at least an EnScript as each AV vendor has its own personality for logging and it is a bit of a manual hunt each time.

Great find and report though Harry!


   
ReplyQuote
(@benuk)
Trusted Member
Joined: 20 years ago
Posts: 45
 

I've been able to do some interesting timelining on a recent job, using the system log to identify when the user connected to t'internet from a 3G dongle, as well as the usual shutdown/restart times. When used in conjunction with the last-incorrect-logon and password-last-changed times from the SAM file, it's opened up a very useful window on a tricky job.


   
ReplyQuote
jekyll
(@jekyll)
Trusted Member
Joined: 17 years ago
Posts: 60
 

Hey Ben, you tried log2timeline? One word….. Awesome. You'll see all the registry changes as your guy plugs in the dongle, establishes a network connection, internet traffic starts, file activity, all in a contiguous timeline. You can't achieve this with EnCase or FTK…. at least without months of work that is.


   
ReplyQuote
(@benuk)
Trusted Member
Joined: 20 years ago
Posts: 45
 

I've had a go with Log2Timeline and was very impressed - it adds a whole new dimension to an investigation.


   
ReplyQuote
(@dsabourin)
New Member
Joined: 17 years ago
Posts: 1
 

I too have been using Windows Event Logs as part of my standard analysis. There is a recent posting over at http://newinforensics.blogspot.com/2010/11/windows-event-logs-and-f-response.html which provides a step by step process for reviewing Windows Event Logs, and where to find them on current OSes. I also use Splunk, but Event Log Explorer offers the ability to merge logs and obtain a broader view of what was occurring on the system - in terms of a "timeline". There are also two links at the end of the blog posting with Microsoft links giving details about what the log files monitor.

AV Logs are a different story. I've found the most reliable method to review AV logs specific to a specific anti-virus/malware program is to virtually boot the target machine and review/export the log from within the actual anti-virus/malware program, i.e. AVG. I use FTK3 and Mount Image Pro to mount, and VFC and LiveView to create the VM and spawn the virtual boot process (VM). My only observation is that the logs are sometimes lacking in detail, although some programs will allow you to restore the malware sample to an external drive (which then can be further analyzed - online, or using REM tools).

Any comments/critique are always welcome.
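Several posts above come back to the same need: merging records from the event logs, an AV product's own log and Office session records into one chronological view. As an added example (not code from any poster, nor from Event Log Explorer, Splunk or log2timeline), the Python below normalises three constructed sources to UTC, sorts them into a single timeline and pulls out everything within a window of a pivot event. The line formats, the local-time offset (UTC+1) and every record are constructed for illustration; an AV product's real log layout has to be confirmed from the product itself, as dsabourin notes.

```python
"""Merge event records from several sources into one UTC-ordered timeline."""
from datetime import datetime, timedelta, timezone

# Constructed samples, not real evidence. Each source keeps its own timestamp convention:
# - System event log entries exported with UTC timestamps (timestamp, event id, message)
# - an AV product's free-text log written in the machine's local time (assumed layout)
# - Office sessions already reduced to (start, end, application), e.g. from OSession records
SYSTEM_EVENTS_UTC = [
    ("2010-11-15 08:01:44", 6005, "The Event log service was started."),
    ("2010-11-15 14:40:19", 6006, "The Event log service was stopped."),
]
AV_LOG_LOCAL = [
    "15/11/2010 13:57:30 Virus/spyware 'Test-Detection' detected in C:\\Users\\user\\Downloads\\sample.exe",
]
OFFICE_SESSIONS_UTC = [
    ("2010-11-15 14:08:32", "2010-11-15 14:32:10", "Microsoft Office Excel"),
]
# Assumed local time zone of the examined machine; in a real case take it from the registry
# (and from the clock-change evidence discussed in the other thread).
LOCAL_TZ = timezone(timedelta(hours=1))


def parse_utc(s):
    """'YYYY-MM-DD HH:MM:SS' already in UTC -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_local(s, tz):
    """'DD/MM/YYYY HH:MM:SS' in the machine's local zone -> aware datetime converted to UTC."""
    return datetime.strptime(s, "%d/%m/%Y %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline(system_events, av_lines, office_sessions, local_tz):
    """Return a list of {'time', 'source', 'summary'} dicts sorted by UTC time."""
    entries = []
    for ts, event_id, message in system_events:
        entries.append({"time": parse_utc(ts), "source": "System",
                        "summary": f"EventID {event_id}: {message}"})
    for line in av_lines:
        stamp, rest = line[:19], line[20:]  # assumed fixed-width timestamp prefix
        entries.append({"time": parse_local(stamp, local_tz), "source": "AV", "summary": rest})
    for start, end, app in office_sessions:
        entries.append({"time": parse_utc(start), "source": "OSession", "summary": f"{app} session start"})
        entries.append({"time": parse_utc(end), "source": "OSession", "summary": f"{app} session end"})
    entries.sort(key=lambda e: (e["time"], e["source"]))
    return entries


def events_near(timeline, pivot, minutes):
    """Entries within +/- `minutes` of `pivot` (an aware datetime), e.g. around an AV detection."""
    window = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e["time"] - pivot) <= window]


if __name__ == "__main__":
    timeline = build_timeline(SYSTEM_EVENTS_UTC, AV_LOG_LOCAL, OFFICE_SESSIONS_UTC, LOCAL_TZ)
    for e in timeline:
        print(e["time"].isoformat(), e["source"].ljust(8), e["summary"])
    print("--- within 10 minutes of the Excel session ending:")
    for e in events_near(timeline, timeline[3]["time"], 10):
        print(e["time"].isoformat(), e["source"].ljust(8), e["summary"])
```

The one step that decides whether the merged view is trustworthy is the time-zone normalisation: the AV line reads 13:57 on the box but sorts as 12:57 UTC, before the Office session rather than during it, which is exactly the kind of ordering question the "Evidence Time Change" thread was about.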