
Windows EVENT logs.

(@gideon)
Posts: 2
New Member
Topic starter
 

The event log modified and creation dates are not altered by Microsoft during event registrations.

Thus any backup realized by daily backups is futile. At least incremental backups performed with IBM (TSM) Tivoli solutions.

So to side step this problem I have implemented the following workaround and would like to hear the views of the forum regarding this.

1. Daily effect a backup copy of the *.evt files which, whilst open by the system, permit a DOS based copy.

copy /b secevent.evt +NULL backup\secevent.evt

The said command adds NULL to the file which results in a "new" file, albeit only with a new date and the rest being identical to the original file.

2. The said file is then included in the daily backups which then works as there is a modified date change.

3. The file can later be restored and for analysis requires a byte alteration in file offset 36, the 09 must be altered to 08.

Questions/Statements.
1. The forensic evidence is intact as a standard system procedure (Copy) is performed on the evidence.
2. The alteration of the file for analysis is done on a restored copy and the original by virtue of its structure is evidence in itself of authenticity.
3. Any other export is more susceptible to alteration as the file needs to be closed or APIs need to be used to export.

Am I completely lost or within bounds on this one?

 
Posted : 13/06/2006 12:49 am
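Step 3 above, as an added example that is not part of the original post: a Python script that parses the 48-byte .evt header, reports whether the dirty flag at file offset 36 is set, and writes the 09 to 08 edit to a separate working copy so the restored original keeps its hash. The header layout and flag values are taken from the documented Windows EVENTLOGHEADER structure; the embedded sample header is constructed for the example.

```python
import hashlib
import struct
import sys

# EVENTLOGHEADER: 48 bytes, little-endian. Field order per the documented
# Windows structure; the Flags DWORD sits at offset 36 (the byte the post edits).
HEADER_FMT = "<I4s" + "I" * 10
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48
SIGNATURE = b"LfLe"
FLAGS_OFFSET = 36
ELF_LOGFILE_HEADER_DIRTY = 0x0001   # set while the log is open for writing
ELF_LOGFILE_ARCHIVE_SET = 0x0008    # 0x09 in the post = DIRTY | ARCHIVE_SET
FIELD_NAMES = ("header_size", "signature", "major", "minor", "start_offset",
               "end_offset", "current_record", "oldest_record", "max_size",
               "flags", "retention", "end_header_size")

def parse_header(data: bytes) -> dict:
    """Decode the .evt header, refusing anything without the LfLe signature."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than an .evt header")
    hdr = dict(zip(FIELD_NAMES, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if hdr["signature"] != SIGNATURE or hdr["header_size"] != HEADER_LEN:
        raise ValueError("not an .evt file (bad signature or header size)")
    return hdr

def is_dirty(data: bytes) -> bool:
    """True when the copy was taken from a log still open by the system."""
    return bool(parse_header(data)["flags"] & ELF_LOGFILE_HEADER_DIRTY)

def clear_dirty_flag(data: bytes) -> bytes:
    """Return a new buffer with the dirty bit cleared; the input is untouched."""
    flags = parse_header(data)["flags"] & ~ELF_LOGFILE_HEADER_DIRTY
    return data[:FLAGS_OFFSET] + struct.pack("<I", flags) + data[FLAGS_OFFSET + 4:]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: an empty log header as the system leaves it while open
# (flags 0x09), used here in place of a real secevent.evt.
SAMPLE_EVT = struct.pack(HEADER_FMT, HEADER_LEN, SIGNATURE, 1, 1, HEADER_LEN,
                         HEADER_LEN, 1, 1, 0x80000, 0x09, 0, HEADER_LEN)

if __name__ == "__main__":
    # Usage: script.py restored.evt  -> writes restored.evt.cleared, prints hashes
    original = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EVT
    print("original sha256:", sha256(original), "dirty:", is_dirty(original))
    working = clear_dirty_flag(original)
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".cleared", "wb").write(working)
    print("working  sha256:", sha256(working), "dirty:", is_dirty(working))
```

Record the original's hash before producing the working copy, since only the working copy has the edited byte.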
(@mindsmith)
Posts: 174
Estimable Member
 

Hi,

What about using the Save As feature in the Event log Viewer? This saves the current event log intact - with the current date & time - leaving less questions about changing offsets, etc.

Am sure this process can be automated via a batch script as well to run everyday - just before your scheduled backups.

Just a thought.

Regards,

 
Posted : 14/06/2006 4:08 pm
(@gideon)
Posts: 2
New Member
Topic starter
 

It can be achieved, but all rely on APIs, Perl or VBScript interpreters of sorts.

With each interim step involved it could create a possible means for a good lawyer or forensic tech to shoot down the data acquisition procedures. For your court case you would need to explain the operation of each interpreter or API used as they are not part of the operating system. Just thinking of worst case scenarios.

Doing it with the event viewer to export manually is not an option with 87 file servers.

 
Posted : 14/06/2006 8:56 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"…it could create a possible means for a good lawyer or forensic tech to shoot down the data acquisition procedures."

The operative word there is "could", but only if you refuse to document what you do, and cannot explain it. Saying something like "the other lawyer could poke holes in it" is really nothing more than giving yourself an excuse to not do something. Sure, they "could"…but if you've done your homework, all of their work will be for naught, and embarrassing for them, to boot.

Harlan

 
Posted : 14/06/2006 10:11 pm