Monday, 9 June 2008

Finding Event Logs in unallocated

I blogged here about a case where the suspect had repeatedly re-installed his OS. The suspect is accused of creating a CD at a particular time prior to the installation of the current OS. Putting aspects relating directly to the CD (link files, volume serial number etc.) aside we needed to find evidence that the computer was or was not being used at the material time.

After reading Harlan Carvey's blog I liked the idea of recovering event logs from unallocated. After hunting around Harlan's and a few other blogs together with Steve Bunting's site I found and had a read of Rich Murphey's paper Automated Windows event log forensics. Following his advice we created a GREP

\x30\x00\x00\x00\x4c\x66\x4c\x65\x01\x00\x00\x00\x01\x00\x00\x00

and utilising the custom file finder in Encase carved out 512kb files from unallocated. The issue of corrupt event logs was considered as discussed on Steve Bunting's site and Rich Murphey's fixevt tool was run across all the carved evt files in the export folder to deal with this issue.

I had to decide which tool I could use to parse out the contents of these evt files. I would have liked to use one of Harlan's perl scripts or utilities but despite seeing references to them everywhere I could not lay my hands on them (guess I'll have to buy the book). I did try out Event Log Explorer and this program was very successful in parsing out many of the carved out evt files and displaying them in a functional GUI. I was impressed with the programs filtering tools and it's ability to save a project into a workspace.  When I first wrote this up I missed the obvious - you can also drag the carved out evt files back into Encase as single files and use the Windows Event Log Parser module part of the Case Processor Enscript to parse them.  It seems to create a separate worksheet for each evt.

3 comments:

Anonymous said...

A couple of nice open source *nix based tools for handling event logs that you could try:

Grokevt from:
http://projects.sentinelchicken.org/grokevt/

fccu.evtreader from:
http://sourceforge.net/projects/evtreader/

DC1743 said...

Hi,

I did try and parse a carved evt file with fccu.evtreader but I was not able to get it to do anything. It just hangs there with perl maxing out the CPU (on a Mac).

Keydet89 said...

if you needed some code or something you could've just asked... ;-)