Editing Windows Event Log and a big Thank you!

Bunnysniper
Senior Member
 

Editing Windows Event Log and a big Thank you!

Posted: Dec 09, 17 21:01

I would like to mention:

blog.fox-it.com/2017/1...up-tracks/

This blog post describes the tool "eventlogedit", developed by the NSA and published by the Shadow Brokers group. AFAIK it describes the current most sophisticated tool to manipulate Windows Eventlogs. I'm quite sure we will see more successful manipulations of Eventlogs than ever. Before the release of eventlogedit it was nearly impossible to delete single Eventlog entries and to maintain the integrity and hash verification of the file. But now it does not seem to be a problem.

Anyway, Fox IT released a tool to detect those manipulations at Github and I just want to say "Thank you". Thanks a lot to Fox IT, Harlan, Eric, Joakim and all other regulars here at ForensicFocus for releasing their tools to the public and making the life of an Incident Responder a lot easier. Thanks for that!

best regards,
Robin  
 
  

keydet89
Senior Member
 

Re: Editing Windows Event Log and a big Thank you!

Posted: Dec 10, 17 12:20

I and others tried using the tool this past spring after it was released, and could not get it to work...there was no discernible impact on the systems we tried. There were some who claimed that it worked, but were unable to thoroughly describe what they'd done, and unwilling to provide a target *.evtx file for examination.  
 
  

MDCR
Senior Member
 

Re: Editing Windows Event Log and a big Thank you!

Posted: Dec 10, 17 16:04

- keydet89
I and others tried using the tool this past spring after it was released, and could not get it to work...there was no discernible impact on the systems we tried. There were some who claimed that it worked, but were unable to thoroughly describe what they'd done, and unwilling to provide a target *.evtx file for examination.


Well, in that case they did get away with it.

IIRC, the tool "unlinks" an eventlog entry so it becomes part of the earlier record and the entry is seen as overflow data. The information is there, it just isn't its own eventlog entry anymore. That is probably why you didn't see it.

If you dump it all out as text, the data should be there, just not as its own record. I haven't played with it myself since I do not trust the Eventlog service to keep the integrity of logs - just because of such tools.
 
  
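Added example, not code from this thread or from the Fox-IT tool: a small Python heuristic for the "unlinking" MDCR describes above. It builds a constructed buffer of EVTX-style records (the documented record layout: magic "**\x00\x00", size, record id, FILETIME, BinXML body, trailing copy of the size), grows the first record's size fields over the second so a size-trusting walker no longer lists it, and then flags any record whose body contains a swallowed record header or whose trailing size disagrees with its header. Payloads, record ids and timestamps are made up; real BinXML is not parsed.

```python
import struct

RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\x00\x00" opens every EVTX record
HEADER_LEN = 24                      # magic + size + record id + FILETIME
FILETIME_BASE = 0x01D3700000000000   # constructed timestamp, not a real event

def build_record(record_id, filetime, payload):
    """Assemble one record: header, stand-in BinXML payload, trailing size copy."""
    size = HEADER_LEN + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, filetime)
            + payload + struct.pack("<I", size))

def iter_records(buf):
    """Walk records the way a normal viewer does: trust each header size."""
    off = 0
    while off + 28 <= len(buf) and buf[off:off + 4] == RECORD_MAGIC:
        size, rid, _ = struct.unpack_from("<IQQ", buf, off + 4)
        if size < 28 or off + size > len(buf):
            break                    # malformed; stop rather than loop forever
        yield off, size, rid
        off += size

def find_hidden_records(buf):
    """Heuristic detection: a record whose body contains another plausible
    record header, or whose trailing size disagrees with its header size."""
    findings = []
    for off, size, rid in iter_records(buf):
        end = off + size
        if struct.unpack_from("<I", buf, end - 4)[0] != size:
            findings.append((rid, "trailing size does not match header"))
        pos = buf.find(RECORD_MAGIC, off + HEADER_LEN, end - 4)
        while pos != -1 and pos + 28 <= end:
            inner_size, inner_id, _ = struct.unpack_from("<IQQ", buf, pos + 4)
            if 28 <= inner_size <= end - pos:   # inner record fits inside the outer one
                findings.append((rid, f"swallowed record {inner_id} at offset {pos}"))
            pos = buf.find(RECORD_MAGIC, pos + 4, end - 4)
    return findings

def constructed_sample():
    """Three constructed records; record 2 is then unlinked by growing record 1's
    size fields over it, so a size-trusting walker reports records 1 and 3 only."""
    recs = [build_record(i, FILETIME_BASE + i, b"<Event>%d</Event>" % i) for i in (1, 2, 3)]
    buf = bytearray(b"".join(recs))
    merged = len(recs[0]) + len(recs[1])
    struct.pack_into("<I", buf, 4, merged)           # record 1 header size now spans record 2
    struct.pack_into("<I", buf, merged - 4, merged)  # trailing copy sits at the end of record 2
    return bytes(buf)
```

On the constructed sample, iter_records lists only ids 1 and 3 while find_hidden_records reports record 2 swallowed inside record 1; on a real file the same scan would run per chunk after the chunk header.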

keydet89
Senior Member
 

Re: Editing Windows Event Log and a big Thank you!

Posted: Dec 11, 17 17:41

- MDCR

IIRC, the tool "unlinks" an eventlog entry so it becomes part of the earlier record and the entry is seen as overflow data. The information is there, it just isn't its own eventlog entry anymore. That is probably why you didn't see it.


I didn't see it because, as I mentioned in my case it didn't work...the tool failed to function.

In instances where folks claimed that it did work, they were unable/unwilling to provide any proof...not even screencaps of the event log, before and after, via MMC.
 
