Which artefact to trust?

(@imsdal)
Posts: 17
Active Member
Topic starter
 

I am running Magnet Axiom. According to the User Accounts tab, the last time the user logged in was 1650. However, when looking at the Windows event log, there are a bunch of 4624 events. These occur at 1845 and 1935. This event ID would indicate a successful login.

Why do they differ? What are your thoughts?

 
Posted : 08/06/2018 7:28 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

UTC?

Logs usually are off by 2 hours in our time zone when they are not converted properly to/from UTC. It is important to know what date is logged in a product. When I write software to generate logs from a custom source, I put a timestamp from system time in with the logs on start-up so I can easily correlate.

 
Posted : 08/06/2018 7:44 am
(@imsdal)
Posts: 17
Active Member
Topic starter
 

UTC?

Logs usually are off by 2 hours in our time zone when they are not converted properly to/from UTC. It is important to know what date is logged in a product. When I write software to generate logs from a custom source, I put a timestamp from system time in with the logs on start-up so I can easily correlate.

All the timestamps are shown in UTC+2 to reflect summertime. Still there is a huge discrepancy.

 
Posted : 08/06/2018 9:49 am
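The first thing to rule out in a mismatch like this is that the two artefacts are not on the same clock. The script below is an added example, not code from the original thread or from Magnet Forensics: it parses 4624 records in the XML shape Event Viewer or wevtutil exports (SystemTime in .evtx is always UTC), keeps only the logon types that mean somebody actually logged on at the box (2, 7, 10, 11 is my assumption of what a "last logon" column is trying to describe; type 3 network logons are excluded as noise), and then reads the registry value both ways, as UTC and as already-converted local time, to see whether either reading makes the event log agree with it. The three events and the 16:50 registry value are constructed to mirror the numbers in this thread, not taken from the poster's case.

```python
"""
Reconcile a registry-derived 'last logon' time with Security log 4624 events
after putting both on the same clock. Added example; the XML records and the
registry value below are constructed, not taken from the poster's case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: these logon types (console, unlock, RDP, cached credentials) are
# what a 'last logon' column is describing. Type 3 (network) 4624s fire for
# SMB access and the like and would only add noise here.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# The poster's display zone (UTC+2 summer time) and the registry value exactly
# as the tool showed it, with no zone attached. Both constructed for the demo.
DISPLAY_TZ = timezone(timedelta(hours=2))
REGISTRY_LAST_LOGON = datetime(2018, 6, 7, 16, 50)

# Constructed sample in the XML shape Event Viewer / wevtutil export.
# .evtx stores TimeCreated/SystemTime in UTC, hence the trailing 'Z'.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2018-06-07T16:45:12.3456789Z"/></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2018-06-07T17:00:00.0000000Z"/></System>
  <EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2018-06-07T17:35:40.0000000Z"/></System>
  <EventData><Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data></EventData>
</Event>
</Events>
"""


@dataclass
class Logon:
    when_utc: datetime
    user: str
    logon_type: int


def parse_system_time(ts: str) -> datetime:
    """'2018-06-07T16:45:12.3456789Z' -> aware UTC datetime.
    .evtx gives seven fractional digits; fromisoformat takes at most six."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.fromisoformat(base)
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)


def parse_4624(xml_text: str) -> list:
    """Pull every 4624 out of an exported <Events> document."""
    logons = []
    for ev in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4624":
            continue
        stamp = ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        logons.append(Logon(parse_system_time(stamp),
                            data.get("TargetUserName", ""),
                            int(data.get("LogonType", "0"))))
    return logons


def reconcile(displayed_last_logon: datetime, logons: list, display_tz) -> dict:
    """Read the naive registry value both ways (as UTC, or as a value already
    converted to display_tz) and list, per reading, the interactive logons
    that come after it. If a reading leaves nothing later, the gap was just
    a timezone conversion; if both do, something else is going on."""
    readings = {"read as UTC": timezone.utc, "read as display tz": display_tz}
    out = {}
    for label, tz in readings.items():
        ref = displayed_last_logon.replace(tzinfo=tz)
        out[label] = [l for l in logons
                      if l.logon_type in INTERACTIVE_LOGON_TYPES and l.when_utc > ref]
    return out


def as_display(dt: datetime, display_tz) -> str:
    """Render a UTC timestamp in the examiner's display zone."""
    return dt.astimezone(display_tz).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    logons = parse_4624(SAMPLE_EVENTS_XML)
    for label, later in reconcile(REGISTRY_LAST_LOGON, logons, DISPLAY_TZ).items():
        print(f"{label}: {len(later)} interactive logon(s) after the registry value")
        for l in later:
            print("   ", as_display(l.when_utc, DISPLAY_TZ), l.user, "type", l.logon_type)
```

With the constructed data, neither reading of the registry value makes the event log agree with it, which is the situation the thread describes: the discrepancy is not a two-hour conversion slip. One further caveat before blaming either artefact: the local SAM only records logons for local accounts, so a 4624 for a domain account will never move a "last logon" value that was read from the local registry.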
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Was the machine cleanly shutdown?

Consider that registry hives typically exist in memory while the machine is running and only periodically get cached out to disc. Therefore it is possible that the data was lost, is present in a hive log file, or some other outcome.

Indeed, even if it was shutdown properly, the data may still be present in a log file as it may not have been committed to disc yet.

Therefore the event logs may indeed be correct - check in the same folder as the hive for the presence of a file with the same name, but with something like .log1 or .log2 appended onto it.

Anything?

 
Posted : 08/06/2018 10:07 am
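The check above can be done without guessing: a hive's REGF header carries two sequence numbers that only agree once the last write was fully committed, and when they differ the hive is "dirty" and the newest data may exist only in the .LOG1/.LOG2 transaction logs beside it. The script below is an added example (mine, not code from this thread or from any forensic vendor) that reads those fields, verifies the header checksum, converts the header's last-written FILETIME, and lists the transaction logs next to the hive. The SAM it inspects is a constructed, header-only file with mismatched sequence numbers, written into a temporary directory so the example runs offline.

```python
"""
Is this hive clean, and are there transaction logs beside it? The REGF header
keeps two sequence numbers that agree only when the last write completed; if
they differ the hive is dirty and newer data may live only in the .LOG1/.LOG2
files next to it. Added example; the 'SAM' written below is a constructed
header-only file, not a real hive.
"""
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

REGF_MAGIC = b"regf"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(header: bytes) -> int:
    """XOR of the 127 DWORDs that precede the checksum field at offset 508."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        x ^= dword
    # Edge values are remapped so the stored field is never 0 or 0xFFFFFFFF.
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def inspect_hive(hive: Path) -> dict:
    """Read the REGF header and look for <name>.LOG, .LOG1, .LOG2 beside it."""
    header = hive.read_bytes()[:512]
    if header[:4] != REGF_MAGIC:
        raise ValueError(f"{hive} does not start with 'regf'")
    primary, secondary = struct.unpack_from("<II", header, 4)   # offsets 4 and 8
    (last_written,) = struct.unpack_from("<Q", header, 12)      # FILETIME
    (stored_sum,) = struct.unpack_from("<I", header, 508)
    prefix = hive.name.lower() + ".log"
    logs = sorted(p for p in hive.parent.iterdir()
                  if p.name.lower().startswith(prefix))
    return {
        "dirty": primary != secondary,
        "sequence": (primary, secondary),
        "last_written_utc": filetime_to_utc(last_written),
        "header_checksum_ok": regf_checksum(header) == stored_sum,
        "transaction_logs": [(p.name, p.stat().st_size) for p in logs],
    }


def build_sample(directory=None) -> Path:
    """Write a constructed, header-only 'SAM' whose sequence numbers disagree
    (7 vs 6) plus a SAM.LOG1 beside it, mimicking a hive pulled from a running
    or abruptly stopped machine. Returns the path of the hive."""
    d = Path(directory) if directory else Path(tempfile.mkdtemp())
    hdr = bytearray(512)
    hdr[0:4] = REGF_MAGIC
    struct.pack_into("<II", hdr, 4, 7, 6)                       # primary, secondary
    struct.pack_into("<Q", hdr, 12, utc_to_filetime(
        datetime(2018, 6, 7, 14, 50, tzinfo=timezone.utc)))     # last written
    struct.pack_into("<II", hdr, 20, 1, 5)                      # major, minor version
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    hive = d / "SAM"
    hive.write_bytes(bytes(hdr))
    (d / "SAM.LOG1").write_bytes(b"\x00" * 4096)                # stand-in transaction log
    return hive


if __name__ == "__main__":
    report = inspect_hive(build_sample())
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

A dirty flag with a non-empty transaction-log list means the hive on disc is not the whole story and the logs need to be replayed (or carved) before the registry-derived value is trusted; a clean hive with an empty list puts the ball back in the tool's court.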
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Therefore the event logs may indeed be correct - check in the same folder as the hive for the presence of a file with the same name, but with something like .log1 or .log2 appended onto it.

Uh-oh.

 
Posted : 08/06/2018 10:11 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Therefore the event logs may indeed be correct - check in the same folder as the hive for the presence of a file with the same name, but with something like .log1 or .log2 appended onto it.

Uh-oh.

Care to elaborate?

 
Posted : 08/06/2018 10:12 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What are your thoughts?

Do you know how the tool is making its determination? What data is the tool using? If it's using something other than the events in the Security Event Log, then that would explain it.

I'd suggest checking with the vendor to see how the determination is being made. If you know a little bit more about how the tool you're using works, you'll be in a better position to understand things like this.

HTH

 
Posted : 08/06/2018 10:13 am
(@mcman)
Posts: 189
Estimable Member
 

Do you know how the tool is making its determination?

The source is listed directly under the data for each artifact.

Most user account data is from the Registry including last shutdown time.

The event log source is obviously the event logs; we'll give you both. It's up to the examiner to determine what data is valuable for their investigation.

Jamie
Magnet Forensics

 
Posted : 08/06/2018 1:26 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

Do you know how the tool is making its determination? What data is the tool using? If it's using something other than the events in the Security Event Log, then that would explain it.

A good rule of thumb also is, if one tool shows data one way… perhaps use another tool to see if it shows the same information. Different forensic tools parse data differently and sometimes grab other data with it. So what you see may or may not be the full picture.

 
Posted : 08/06/2018 1:30 pm