Thursday, July 07, 2005

Event Log file format

As a follow-up to my earlier post on the EventLogRecord structure, I wanted to mention that after no small effort, and with some assistance from someone involved with PyFlag, I was able to figure out the format of Event Log files.

Okay, at this point, you're probably thinking...so what? Well, consider this...you're analyzing a Windows system, but you're on Linux. Or you have a corrupted Event Log file, and the Event Viewer (and even psloglist.exe) can't open it. Or you're looking for event records in slack space. In any one of these instances, knowing the structure of the Event Log file would be very helpful. I've drafted a paper, and I need to see about getting it through my employer for public release. If that doesn't work, or it gets stalled, I'll see about releasing the information via another (albeit acceptable) means.

So why am I telling you this, only to say, "I can't release it yet?" Well, my thought was that if anyone has a pressing need to know something about the Event Log file format now (and I mean right now), send me an email and I'll see what I can do to answer your question(s). Otherwise, hang tight and I'll see about getting the information out.

The other reason I'm posting this is to ask about forums/magazines suitable for posting this sort of information. I've been working on articles for the Digital Investigation Journal, but it does take a while for the article to be available to the public. If there's a forum similar to the DIJ, but quicker...let me know.

Addendum: I wanted to add a couple of comments with regards to my effort in this project. First off, since I started this project, a tool called GrokEVT was released. A post hit the SF Forensics list, and I initially caught wind of it there, and since I'd posted asking about this subject, I got a couple of emails from folks pointing it out. There are also some other materials out there, but I can't provide links, because right now the links seem to be broken.

Anyway...GrokEVT looks like an excellent tool. It seems to do pretty much everything: extract the event records from the file, search the Registry for message files, then extract the message strings from the file. However, the documentation does state that some of these functions are "unstable". Well...it's a good start.

The one thing that the package doesn't seem to do is explain the format of the Event Log file itself. Yes, I've only looked at a small piece of the puzzle, and no, my solution isn't as comprehensive as GrokEVT or PyFlag. However, the little bit that I've done does provide the forensic analyst with the necessary information to locate event records in slack space, and extract and interpret those records. What I've also done is create a Perl script that uses several functions to retrieve event records from a file. These functions can be used to retrieve records from a corrupted or partially deleted Event Log file.
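To illustrate the record-carving idea described above, here is an added Python example (not Harlan's Perl script, and not code from GrokEVT or PyFlag) that locates EVENTLOGRECORD structures in an arbitrary byte buffer by scanning for the 'LfLe' signature and checking the Length value stored at both ends of a record, so it needs no intact file header and works on slack or a truncated .evt file. The fixed field layout follows Microsoft's documented EVENTLOGRECORD structure; the sample buffer, record values and the build_record helper are constructed here purely to exercise the parser, and SID and binary-data decoding are left out.

```python
import struct
# Fixed 56-byte head of the documented EVENTLOGRECORD structure (little-endian): Length, Reserved ('LfLe'
# magic), RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
HDR = struct.Struct("<6I4H6I")
MAGIC = b"LfLe"
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "AuditSuccess", 16: "AuditFailure"}

def _wstr(buf, off):  # NUL-terminated UTF-16LE string at off -> (text, offset past the NUL)
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2

def parse_record(buf, start):  # record whose Length field is at buf[start]; None if implausible
    if start < 0 or start + HDR.size > len(buf): return None
    f = HDR.unpack_from(buf, start)
    # Reject false hits from slack or partial overwrites: the magic must match, the record must
    # fit in the buffer, and the trailing copy of Length (the record's last DWORD) must agree.
    if (f[1] != 0x654C664C or f[0] < HDR.size + 4 or start + f[0] > len(buf)
            or struct.unpack_from("<I", buf, start + f[0] - 4)[0] != f[0]):
        return None
    source, off = _wstr(buf, start + HDR.size)   # SourceName follows the fixed head
    computer, _ = _wstr(buf, off)                 # then Computername
    strings, off = [], start + f[11]              # insertion strings start at StringOffset
    for _ in range(f[7]):                         # NumStrings of them
        s, off = _wstr(buf, off)
        strings.append(s)
    return {"offset": start, "record_number": f[2], "time_generated": f[3],
            "event_id": f[5] & 0xFFFF, "event_type": EVENT_TYPES.get(f[6], str(f[6])),
            "source": source, "computer": computer, "strings": strings}

def carve_records(buf):  # find records by signature alone, never consulting the .evt file header
    out, pos = [], buf.find(MAGIC)
    while pos != -1:
        rec = parse_record(buf, pos - 4)  # Length is the DWORD immediately before 'LfLe'
        if rec: out.append(rec)
        pos = buf.find(MAGIC, pos + 4)
    return out

def build_record(recnum, when, event_id, etype, source, computer, strings):
    # Constructed test record (not from a real log), laid out per the structure above.
    enc = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    names, text = enc(source) + enc(computer), b"".join(map(enc, strings))
    soff, length = HDR.size + len(names), HDR.size + len(names) + len(text) + 4
    head = HDR.pack(length, 0x654C664C, recnum, when, when, event_id, etype, len(strings),
                    0, 0, recnum, soff, 0, 0, 0, soff + len(text))
    return head + names + text + struct.pack("<I", length)

# Constructed buffer: junk bytes, a stray magic with no valid record, then two intact records.
SAMPLE = (b"\x00" * 7 + b"LfLe\x01\x02" + build_record(41, 1120694400, 528, 8, "Security", "WS1", ["user", "WS1", "2"])
          + b"\xff" * 3 + build_record(42, 1120694460, 6008, 1, "EventLog", "WS1", []))
```

Running carve_records over a whole disk image or unallocated-space dump works the same way, since nothing in it depends on the .evt header or on records being contiguous.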

Knowledge of the Event Log file format is also useful in understanding and detecting anti-forensics techniques involving the Event Log.

My hope is that someone finds this information useful.

5 comments:

Richard Bejtlich said...

Harlan, have you seen GrokEVT?

Keydet89 said...

Richard,

Yes, I did see that...it was announced just as I was finishing up my research. By that time, though, I'd gotten to the point where I had to finish...call it OCD, call it an addiction... ;-)

SAL said...

I'm in support of Harlan's work as more than once I've come across a corrupt EVT file for which Microsoft's KB response for users (on a live system) is to delete the corrupt EVT file and start anew...not really an option when forensically reviewing data ;)

SAL said...

Actually, I just saw this "FCCU evtreader.pl" tool, which might be of interest, though I haven't tested it yet nor am I strong in French?

I found it at http://www.d-fence.be/

Keydet89 said...

SAL,

Thanks for the comments.

I read through the French stuff you found...no, I don't understand French, but I do understand Perl...and I don't see anything in the file that deals with corrupt files. It looks like it looks for the header, and simply reads in and parses the necessary bytes.

I'm thinking about submitting my document for public release, but through my own web site, if necessary.