Log Forensics and “Original” Events

Sunday, April 03, 2011

Anton Chuvakin


I did this fun presentation on log forensics (here) and the question of “original” (aka “native”, “raw”, “unmodified”) log events came up again.

Since the early days of my involvement in SIEM and log management, this question has generated a lot of delusions and just sheer idiocy.

A lot of people spout stuff like “you need original logs in court” without having any knowledge about either logs or court – or forensics in general. Or, as I sometimes feel, even computers in general. 

So, WTH is an “original” event? Let’s explore this a bit. 

For example, let’s take Windows 7 Event Logs. Before you read further, without focusing too much on the real meaning of “original”, think about what you’d consider an original event log record …

Is this original – the EVTX file itself:

[image: the EVTX file]

Is this – an XML view via Event Viewer on the computer where the log is produced:

[image: XML view in Event Viewer]

Is this – a “friendly” view in the same Event Viewer on the same “original” computer:

[image: “friendly” view in Event Viewer]

As you might know, the above view is actually enriched, i.e. it has information added that is not in the EVTX file: the readable message text is rendered at display time from the message template of the event provider registered on the viewing machine, and identifiers are resolved to names. Does that break its originality?

What if the EVTX file is copied to another computer and then opened in Event Viewer there? It might look a bit different due to various ID de-referencing operations (event IDs resolved to message text through the providers registered on that machine, SIDs resolved to whatever account names that machine can look up), and so it might enrich the contents with slightly different information.

How about this – exported to CSV on another computer. Is this still original?

[image: CSV export]

And what about the one that is converted to syslog in a similar fashion? What if, oh horror, TABs are replaced with spaces?

So, what’s the lesson here? Obsession with “original”, “native”, “raw” logs is just not a useful pursuit, and it dead-ends pretty quickly.

Instead, you need a clearly understood and documented path for all event records, one that unambiguously tracks every change made to a record (removals, addition of details, modifications of contents, new headers, etc.), rather than a fake and impossible quest for “originality.” In practice that means recording, at each hop, what was collected, what transformation was applied, and what the record looked like before and after it; a cryptographic hash of each form makes that last part checkable rather than a matter of trust.
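The following is an added example, not code from the original post. It walks one constructed Windows-style logon event through the transformations discussed above (enrichment as Event Viewer would do it, a lossy CSV export, a syslog conversion with tabs replaced by spaces) and keeps a hash-linked record of every stage. It also shows the point about copying the EVTX elsewhere: resolving the same record against different local lookup tables yields a different enriched form, and therefore a different digest. The event fields, message template and SID-to-name table are all made up for illustration.

```python
"""Track the transformation path of a log record instead of chasing 'the original'.

Added example (not part of the original post). A constructed event record is
pushed through enrichment, CSV export and syslog conversion; every stage is
hashed and linked to the previous stage's digest so any derivative can be
traced back to the form that was first collected.
"""
import csv
import hashlib
import io
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the structured part of a 4624-style logon event as a
# collector might receive it. Values are made up for illustration.
RAW_EVENT = {
    "Provider": "Microsoft-Windows-Security-Auditing",
    "EventID": 4624,
    "Computer": "WS01.example.local",
    "TimeCreated": "2011-04-03T10:15:30.123Z",
    "EventData": {"TargetUserSid": "S-1-5-21-1111-2222-3333-1001", "LogonType": "2"},
}

# Constructed stand-ins for what Event Viewer resolves on the *viewing* machine:
# message templates from provider resources, and SIDs from the local SAM/domain.
MESSAGE_TEMPLATES = {4624: "An account was successfully logged on. Logon Type: {LogonType}"}
SID_NAMES = {"S-1-5-21-1111-2222-3333-1001": "EXAMPLE\\alice"}


def canonical_bytes(record) -> bytes:
    """Serialise a record deterministically so the digest does not depend on dict order."""
    if isinstance(record, (bytes, bytearray)):
        return bytes(record)
    if isinstance(record, str):
        return record.encode("utf-8")
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str                 # what was done at this hop
    digest: str               # sha256 of this stage's representation
    parent: Optional[str]     # digest of the stage it was derived from
    notes: str = ""           # what changed: additions, removals, reformatting


@dataclass
class ProvenanceChain:
    """Ordered record of every transformation applied to an event record."""
    stages: list = field(default_factory=list)

    def add(self, name, record, notes=""):
        parent = self.stages[-1].digest if self.stages else None
        self.stages.append(Stage(name, sha256_hex(canonical_bytes(record)), parent, notes))
        return record

    def verify(self) -> bool:
        """Every stage must point at the digest of the stage immediately before it."""
        return all(
            s.parent == (self.stages[i - 1].digest if i else None)
            for i, s in enumerate(self.stages)
        )


def enrich(event, templates, sid_names):
    """Mimic the 'friendly' view: render the message template and resolve the SID."""
    out = json.loads(json.dumps(event))  # deep copy; the collected record is untouched
    data = out["EventData"]
    out["Message"] = templates[out["EventID"]].format(**data)
    if data["TargetUserSid"] in sid_names:  # unresolvable on another machine -> no name
        data["TargetUserName"] = sid_names[data["TargetUserSid"]]
    return out


def to_csv(event) -> str:
    """Export four selected columns; Provider and EventData are dropped (lossy)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["TimeCreated", "Computer", "EventID", "Message"])
    w.writerow([event["TimeCreated"], event["Computer"], event["EventID"], event["Message"]])
    return buf.getvalue()


def to_syslog(event) -> str:
    """Flatten to one syslog-style line; the tab is replaced by a space (lossy)."""
    line = (f"{event['TimeCreated']} {event['Computer']} "
            f"{event['Provider']}[{event['EventID']}]:\t{event['Message']}")
    return line.replace("\t", " ")


def build_chain(raw=RAW_EVENT, sid_names=SID_NAMES):
    """Run the record through every hop and document each one."""
    chain = ProvenanceChain()
    chain.add("collected: record as received from the endpoint", raw)
    enriched = chain.add("enrich: render message, resolve SID to account name",
                         enrich(raw, MESSAGE_TEMPLATES, sid_names),
                         notes="adds Message and TargetUserName; drops nothing")
    chain.add("export: CSV with four columns", to_csv(enriched),
              notes="drops Provider and EventData")
    chain.add("convert: syslog line, tab replaced by space", to_syslog(enriched),
              notes="adds nothing; whitespace changed")
    return chain


if __name__ == "__main__":
    c = build_chain()
    for s in c.stages:
        print(f"{s.digest[:12]}  <- {(s.parent or 'none')[:12]}  {s.name}")
    print("chain intact:", c.verify())
    # The same record enriched on a machine that cannot resolve the SID hashes differently.
    other = build_chain(sid_names={})
    print("enriched form identical across machines:", c.stages[1].digest == other.stages[1].digest)
```

Nothing in the chain is "the original" in any absolute sense; what makes the syslog line usable as evidence is that each digest can be recomputed from the stage before it and the notes say what was added or dropped on the way. In a real pipeline the digests and notes would be signed or written to an append-only store at each hop rather than kept in memory.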

For additional reference on trusting logs, check out what Eric Fitzgerald wrote about log trust back in the days of his ownership of the Event Log.

Cross-posted from Security Warrior

Tags: Forensics, Log Management, SIEM, Event Logging, EVTX