CYBER FORENSICS MTE PROJECT
Windows Event Log Viewer
Akaash Nidhiss 2K19/IT/008
Anasuya Mithra 2K19/IT/018
Index
Introduction
Windows Event Log Files
Application Log File
System Log File
Security Log File
win32evtlog
Code
Output
Conclusion
Introduction
The rapid growth of technology has also brought a rise in cybercrime. Windows is the most widely used operating system, so its users are frequently on the receiving end of these crimes. Such crimes created the need for cyber forensics.
Evidence collection is a major part of cyber forensics. Because log files tie specific occurrences to a specific point in time, the Windows event log is the most essential source of evidence during a digital forensic investigation of a Windows system.
Windows Event Log Files
The Windows event log is a complete record of system, security, and application notifications kept by the Windows operating system. Administrators use it to diagnose system issues and anomalies and to predict future problems.
Each event log entry has the following elements:
Date: Date on which the event occurred.
Time: Time at which the event occurred.
User: Username of the user logged on to the machine when the event occurred.
Computer: Name of the computer.
Event ID: A Windows identification number that specifies the event type.
Source: The program or component that caused the event.
Type: The type of event: information, warning, error, security success audit or security failure audit.
There are three types of Windows event log files, classified by the type of information they contain: the Application Log, the System Log and the Security Log.
TYPES OF WINDOWS EVENT LOG FILES
Application Log File
The Application log contains events logged by applications or programs.
Some applications, such as Internet Explorer and PowerShell, create their own event log instead of using the Windows application event log. Such logs look exactly like standard Windows event logs, and Event Viewer (as well as Event Log Explorer) can read these event logs.
When any application crashes, the Windows event log records the problem, the application name, and the reason for the crash. Application logs are frequently used by app support teams.
Commercial software, such as SQL Server or Exchange, and homegrown applications are both visible in the application log file.
Security Log File
The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects.
If you enable logon auditing, for example, all attempts to log on to the system are recorded in the security log. The typical events stored include login attempts and resource access.
Administrators choose which events to report in their security log based on their audit policy. System and security administrators, as well as forensic examiners, require security logs.
System Log File
The System log contains events logged by Windows system components.
The system log, for example, records the failure of a driver or other system component to load during startup.
System administrators and technicians require system logs.
win32evtlog
win32evtlog is a Python module (part of pywin32) that encapsulates the Windows Win32 Event Log API.
The Windows Event Log API defines the schema used to write an instrumentation manifest. An instrumentation manifest identifies each event provider and the events it logs. An event consumer, such as win32evtlog, uses the API to read and render the events.
Our program uses this module in Python to read and display the Application, System and Security log files.
CODE
Output: Application Log File
Output: Security Log File
Output: System Log File
Conclusion
Windows event logs are critical from a digital forensic standpoint because they record every event that occurs in the operating system. An unauthorised user who gains access to a system must take various steps and procedures to do so, and these steps can be used to track down the offender. The incident response team is in charge of gathering important artefacts for the subsequent investigation.
Event logs are kept under the system root directory as offline physical files. These files can be retrieved manually or obtained using other utility software, such as the Python program we have implemented.