In Issue 16 of the free (IN)SECURE magazine Rob Faber describes the design and the various features of Microsoft Windows event logging services. His article covers both, the old log of the NT family of kernels and the redesigned event logging services found in Vista and Windows Server 2008.
Do you know the meaning of all the different event ID codes in the security event log of Microsoft Windows NT, 2000, XP and 2003? The Digital Forensics Institute provides you with a cheat sheet of all the codes and their meaning. (via e-evidence.info)
A blog post by Harlan Carvey made me aware of some official documentation of the Event Log Header and EOF structures.
Bill Tydeman reported a new event log on the Windows Forensic Analysis group at Yahoo! and on his new blog. The weird thing is, this log seemingly is not properly configured and the log file is garbled.
GrokEVT is a set of Python scripts for reading Windows Event Log files (.evt) on Unix hosts. New in version 0.4.0 is grokevt-findlogs which carves event records from raw binary data like unallocated clusters or a memory dump.
An article in a German computer magazine recently remined me of a common misconception in event log parsers. Most parsers treat Windows event log files as sequential files - and read them from top to bottom. While this usually works, it might mangle or suppress a single log entry under special circumstances.
Viewing a saved Windows Event Log file on a different system might be unexpectedly difficult. The Event Log Service might refuse to open the file as it appears to be corrupted. In that situation a procedure documented by Stepahn Bunting may provide first aid.
Eric Fitz took the trouble to search the Windows sources for default access control lists of the various event logs. He posted his findings for Windows 2000, XP with Service Pack 2 and Windows Server 2003 in the Windows Auditing Team's blog.
This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de
Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.