Windows VISTA Event LOG - How to disable it???

12 Posts
5 Users
0 Likes
479 Views
pajkow
(@pajkow)
Posts: 81
Estimable Member
Topic starter
 

Hi Folks!

As you are aware, one of the best counter-forensics methods is disabling the logs before the penetration activity, so the examiner will have no use of the logs, as they will not exist! How can we DISABLE EVENT LOGGING on the VISTA platform?

Also, I'm not a server expert, but it would be very helpful to know how to effectively disable logs in Server 2003/2008, if possible.

Many thanks

Sam D

 
Posted : 15/10/2008 3:12 pm
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

Maybe it's just me,
But I tend to become a little paranoid when I come across people asking lots of "interesting" questions on various forensic and computer security forums without demonstrating some industry knowledge that might indicate which side of which barricade this person is currently on. This is also true when such a person doesn't reveal much about himself or about his/her academic institution.

 
Posted : 17/10/2008 5:52 am
(@tomforman)
Posts: 29
Eminent Member
 

Agreed,

Anyone else, or does that actually sound like "How can I disable the event logging so I won't get caught doing something I should be doing"?

It might just be me though.

 
Posted : 17/10/2008 4:53 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

As you are aware one of the best Counter Forensics methods is disabling the logs in before the penetration of the activity so the examiner will not have a use of the logs as the will no exist!

Ha! You keep thinking that! There are plenty of means of performing analysis without the use of the Event Logs…in fact, a good number of my own examinations do not rely on the Event Logs due to (a) auditing not being enabled, and (b) I simply find more information than I really need *before* even considering the Event Logs.

This is not to say that the Event Logs should not be considered as a source of data…however, a lack of Event Logs is a "counter forensic method" that targets only the most junior analysts.

 
Posted : 17/10/2008 5:27 pm
(@tomforman)
Posts: 29
Eminent Member
 

I wasn't denying that, and I totally agree with what you're saying. However, I still agree with ecophobia's original statement.

And now I've just realised that you weren't talking about my quote. Which was also a junior mistake.

/me goes to get some more coffee

 
Posted : 17/10/2008 5:59 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I wasn't denying that, and I totally agree with what you're saying. However I still ecophobia's original statement.

Assuming you meant to say "agree with" ecophobia's original statement, I hear ya. However, there are a LOT of folks out there who use that excuse to not share anything at all, which is something that simply hurts the community as a whole.

 
Posted : 17/10/2008 6:05 pm
(@tomforman)
Posts: 29
Eminent Member
 

I honestly appreciate your point. And I'm not using it as a reason not to share information. Maybe more information about what pajkow is trying to achieve overall would help, and make people more comfortable with sharing information.

In my opinion, I feel from the original post that pajkow is simply saying "this is the best method of counter forensics" (personally I don't believe it) and "before I attempt this, can all you experts (excluding myself from the expert group) just quantify how effective this is".

It might be just me, however; feel free to disagree.

 
Posted : 17/10/2008 6:12 pm
(@spawn)
Posts: 34
Eminent Member
 

Putting aside the reasoning for now…

Most event log entries are managed by the EventLog service, but you cannot stop it…

C:\TEMP>sc query Eventlog

SERVICE_NAME: Eventlog
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\TEMP>sc stop Eventlog
[SC] ControlService FAILED 1052:

The requested control is not valid for this service.

C:\TEMP>

OK, sure, you could kill it, but as I used to say, "results will be unpredictable", because everything that will cause events to be logged, either by the system or an application, will fail.

Summary: you cannot stop the event log, and IMHO you shouldn't. After all, why would you?

 
Posted : 20/10/2008 3:15 pm
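An added example, not part of spawn's post or anything else in this thread: the same information as the `sc query` above, but seen from the examiner's side in PowerShell, together with the records the Event Log service writes about its own lifecycle. It assumes Vista / Server 2008 or later, PowerShell 2.0 or newer (for Get-WinEvent) and an elevated prompt, since the Security log is not readable otherwise.

```powershell
# Added example (not from the thread). Examiner-side view of the Event Log
# service: its state, the controls it accepts, and the records the service
# writes about itself. Assumes Vista / Server 2008 or later, PowerShell 2.0+
# (Get-WinEvent) and an elevated prompt (Security log access).

# --- 1. Same information as "sc query Eventlog", via the ServiceController ---
# NOT_STOPPABLE in the sc output corresponds to CanStop = False here.
$svc = Get-Service -Name EventLog
"EventLog service: Status={0}  CanStop={1}  CanPauseAndContinue={2}  CanShutdown={3}" -f `
    $svc.Status, $svc.CanStop, $svc.CanPauseAndContinue, $svc.CanShutdown

# --- 2. The service logs its own shutdown and any clearing of a log ---
# If logging really was stopped or a log was wiped, these records bracket the
# hole in the timeline; a hole with none of them around it is itself telling.
#   Security log: 1100 = event logging service shut down, 1102 = audit log cleared
#   System log:   6005 / 6006 = Event Log service started / stopped (source "EventLog")
#                 104 = a log file was cleared (source "Microsoft-Windows-Eventlog")
$filters = @(
    @{ LogName = 'Security'; Id = 1100, 1102 },
    @{ LogName = 'System';   ProviderName = 'EventLog';                   Id = 6005, 6006 },
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog';  Id = 104 }
)
foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no records".
    $hits = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
    "{0}: {1} record(s) for id(s) {2}" -f $f.LogName, $hits.Count, ($f.Id -join ',')
    $hits | Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'User';    Expression = { $_.UserId } },
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Whether the service reports NOT_STOPPABLE depends on the Windows build, so read the CanStop value rather than assuming it; on the examiner's side the more useful output is the second section, because a 6006 without a matching 6005 a few minutes later, or a 1102/104 that nobody can account for, is exactly the kind of artifact the original poster hoped to avoid leaving.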
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Halting the Event Log service is one thing. Disabling what is audited and logged is another thing entirely.

 
Posted : 20/10/2008 4:26 pm
(@spawn)
Posts: 34
Eminent Member
 

Granted but the question was to stop event logging.

Auditing is not generally enabled by default on most installations and even then this data is placed in the Security Event log. This is controlled by either local or group policy.

Check out the "HOW TO" audit articles at support.microsoft.com. For the most paranoid organisations, http://support.microsoft.com/?id=232564 is used.

 
Posted : 20/10/2008 5:33 pm
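An added example in PowerShell, not from spawn's or keydet89's posts: how an examiner checks what is actually audited, whether the audit policy was changed, and whether the timeline has holes where logging went quiet. It assumes Vista / Server 2008 or later (per-subcategory policy via auditpol, Get-WinEvent), an English-language auditpol (the parsing pattern keys on its English setting names), an elevated prompt, and a 4-hour gap threshold chosen purely for illustration.

```powershell
# Added example (not from the thread). Stopping the service is one thing,
# switching off what is audited is another, and the second one leaves traces
# too. Assumes Vista / Server 2008 or later, English auditpol output and an
# elevated prompt. The gap threshold below is an illustrative choice.

# --- 1. Effective per-subcategory audit policy (what drives the Security log) ---
# auditpol prints "  <Subcategory>    <Setting>" lines; parse them into objects.
$policy = @(auditpol /get /category:* |
    Where-Object { $_ -match '^\s{2,}(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$' } |
    ForEach-Object { New-Object PSObject -Property @{ Subcategory = $matches[1]; Setting = $matches[2] } })
$policy | Sort-Object Setting, Subcategory | Format-Table Subcategory, Setting -AutoSize
$off = @($policy | Where-Object { $_.Setting -eq 'No Auditing' })
"{0} of {1} subcategories are not audited" -f $off.Count, $policy.Count

# --- 2. Audit policy changes are themselves audited (Security 4719) ---
# Someone who turned auditing off after the fact usually left this record behind.
$changes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 50 -ErrorAction SilentlyContinue)
"{0} audit-policy-change record(s) (4719) in the Security log" -f $changes.Count
$changes | Select-Object TimeCreated,
    @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# --- 3. Holes in the timeline ---
# Logging that was silenced shows up as a stretch with no records at all. Flag gaps
# above the threshold and note whether each one starts with a clean service stop
# (System 6006 from source "EventLog"); a gap that starts with anything else needs
# an explanation (power loss, or something less innocent).
$threshold = [TimeSpan]::FromHours(4)
$events = @(Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue | Sort-Object TimeCreated)
for ($i = 1; $i -lt $events.Count; $i++) {
    $prev = $events[$i - 1]
    $next = $events[$i]
    $gap = $next.TimeCreated - $prev.TimeCreated
    if ($gap -gt $threshold) {
        $clean = ($prev.ProviderName -eq 'EventLog' -and $prev.Id -eq 6006)
        "{0,6:N1} h gap  {1:u} -> {2:u}  before: id {3} ({4})  after: id {5} ({6})  {7}" -f `
            $gap.TotalHours, $prev.TimeCreated, $next.TimeCreated,
            $prev.Id, $prev.ProviderName, $next.Id, $next.ProviderName,
            $(if ($clean) { 'clean shutdown' } else { 'UNEXPLAINED' })
    }
}
```

Gaps are normal on a machine that is simply switched off overnight, so the third section is a triage list rather than a verdict: the interesting entries are the UNEXPLAINED ones, and those should be lined up against the service start/stop and log-cleared records, the audit policy changes from the second section, and sources outside the Event Logs (registry, prefetch, file system timestamps) that keydet89 alludes to above.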
Page 1 / 2