Vista Log Forensics
Dr. Rich Murphey, ACS
DEF CON 15 presentation (slide deck transcript)

Outline

Background: Case Study (Engagement, Preliminary Report, Final Report)
Vista Event Logging: Logging Service, Vista Event Encoding, Undocumented Internals
Event Log Analysis: Recovery, Correlation, Interpretation
Shadow Copy Services

[Diagram, repeated on every roadmap slide: ETW architecture. Providers A, B and C write events into kernel buffers belonging to up to 64 sessions; controllers enable and disable sessions; consumers read either logged events from log files or events by real-time delivery. Overlaid on it is the analysis cycle used in the talk: Recover, Correlate, Repair.]

Acknowledgements

Shouts out to: MD5, Caesar, HTA, Fednaughty, DT
Thanks to: Jerlyn Mardis (ACS), Josh Pennell (IOActive), Matthew Geiger (CERT)
Dedicated to: BitMonk (HTA/Ad Hoc)

Special Thanks To

Sponsor:
  Forensics: in-depth analysis, expert witness
  Data recovery: complex RAID, exotic file systems
  Consulting: information security

This is not:
  Legal advice
  Suitable for testimony

Rich Murphey

Experience:
  Rice University: Ph.D., Electrical and Computer Engineering
  UTMB Medical School: faculty, Physiology & Biophysics
  Pentasafe Security: Chief Scientist
  Applied Cognitive Solutions: Chief Scientist, Expert Witness; CISSP, ACE, EnCE

An author of:
  GNU Graphics
  Asterisk VoIP (see "Authors")
  FreeBSD: founding core team
  XFree86: man xorg | grep Rich

For More Info

C. R. Murphey, "Automated Windows Event Log Forensics," Digital Investigation, August 2007.
A peer-reviewed paper on a new tool for automating XP log recovery and analysis.
Presented at the Digital Forensic Research Workshop, 8/13/07, and HTCIA National, 8/27/07.

Roadmap: Background, Case Study (Engagement, Preliminary Results, Revised Scope)

Case Study Steps

Step 1: Define preliminary scope. Determine the feasibility of the engagement.
Step 2: Preliminary report. Uncover and mitigate surprises; define the capability to answer the questions.
Step 3: Final report. In-depth coverage; adapt methods to answer the questions.

1st Hurdle: Define a Scope

An officer or director calls: something bad happened. A possible contract violation; an outgoing transfer of proprietary documents.

#1: Define a scope of work. Can we identify the file transfer?
  Examine hard drives
  Email attachments
  File transfers, uploads
  Anything else?

2nd Hurdle: Preliminary Report

Good news: we know what to look for. Well-defined keywords and file names.

#2: Preliminary report. D:\OfInterest.doc turns up in unallocated space.

Bad news: IT deleted the user profile and gave the laptop to a new employee six months ago, after they reformatted and reinstalled Windows Vista.

Shortcuts

Shortcuts may contain IDs, label, size: a snapshot of the target file's attributes and of the media's attributes.

Shortcut file, link target information:
  File attributes:            Read-only
  Last access time (UTC):     N/A
  Last write time (UTC):      11/3/2006 10:12:34 AM
  Creation time (UTC):        11/11/2006 3:21:14 PM
  File size:                  1643743
  Volume serial number:       E2C3-F184
  Volume label:               Nov 11 2006
  Volume type:                CD-ROM
  Local path:                 D:\OfInterest.doc

3rd Hurdle: Final Report

How to identify an outgoing file transfer? Data carve for file path, time, and so on.

Where to find time stamps?
  Event logs
  Internet history
  Shortcuts
  Anywhere else?

Roadmap: Vista Event Logging (Events, Logging Service, Undocumented Internals)

Event Logging

Windows Vista/2008: each event carries time, SID, source, severity, and message. More than 50 logs by default, under
C:\Windows\System32\winevt\Logs\
  Application.evtx
  HardwareEvents.evtx
  Internet Explorer.evtx
  Security.evtx
  Setup.evtx
  System.evtx
  ... 50 more

[Diagram: Windows component architecture (PDC 06). User mode: system processes (WinLogon, Session Manager, Services.Exe, LSASS, Service Control Mgr), services (SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe), applications (Task Manager, Explorer, user applications), environment subsystems (Windows, POSIX, OS/2) and subsystem DLLs, all over NTDLL.DLL. Kernel mode: System Service Dispatcher; executive components (I/O Mgr, Object Mgr, Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Configuration Mgr (registry), Plug and Play Mgr, Power Mgr, File System Cache, Windows USER/GDI, Graphics Drivers); device and file system drivers; the Kernel; the Hardware Abstraction Layer (HAL) with its kernel-mode callable interfaces; and the hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.). Annotation: "Events: Backward Compatibility Occurs Here".]

Backward Compatibility

Backward Compatibility?

Vista Event Logging

5% CPU for 20K events/sec, 200K with transactions.
Logging and WMI are now just layers on top of ETW.
Unified: kernel/app, tracing/logging, remote/local.
(Diagram: ETW architecture, as on the roadmap slides. PDC 06.)

Vista Logging Service

High-performance tracing: Event Tracing for Windows (ETW), with events from both applications and the kernel.
Events are forwarded to a collector service and stored in a local log for consumption.
Buffered in the kernel; dynamically enabled and disabled, with no reboot or restart.
Selected events are delivered as they arrive; choose either push or pull subscription.
(Diagram: ETW architecture, as on the roadmap slides.)

Vista Events: Events are XML!

Standard encoding: System carries the standard properties; EventData is application defined.
Get events via: query of live logs and log files; subscription to live logs; filtering with XPath.
Internals: a new, different encoding; arbitrary structure defined by each application.

  <Event>
    <System>
      <Provider Name="CD Burning Service" />
      <EventID>310</EventID>
      <Level>2</Level>
      <Version>0</Version>
      <TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />
      <EventRecordID>7664</EventRecordID>
      <Channel>Application</Channel>
      <Computer>Desktop9237</Computer>
      <Security UserID="S-1-...-1003" />
    </System>
    <EventData>
      <data name="control">Service Started.</data>
    </EventData>
  </Event>

(PDC 06.) Events are encoded not as XML, but rather as BXML!

On the outside this is XML; on the inside each record is a record header followed by section descriptors, each pointing at a section header and a section body.

Undocumented Event Structure

Record header: common attributes (timestamp, severity), number of sections.
Section descriptors: source, offset, length.
Section headers: specify the encoding of the body.
Section body: event-specific data.

Binary XML

BXML (Binary eXtensible Markup Language): a binary serialization of an XML document, developed by CubeWerx for the OpenGIS Consortium. Higher performance in both space and time:
  More compact: a string table for tags and values; gzip the whole document or just the body; avoids the resource exhaustion of a DOM.
  10 to 100 times faster to parse; 100 times faster for dense numeric data, due to the binary encoding of numbers alone.

http://www.cubewerx.com

Note that the .evtx encoding itself is Microsoft's own binary XML token stream (the BinXml of MS-EVEN6), which shares these design goals but is a different format from the OGC BXML that the next slides describe.

What is BXML?

Serialized numbers begin with a one-byte code that identifies the data type:

  byte enum ValueType {
      BoolCode = 0xF0,   // boolean value
      ByteCode = 0xF1,   // 'byte' numeric value
      IntCode  = 0xF4,   // 'int' numeric value
  }

  IntNum {                         // 32-bit integer value
      ValueType type = IntCode;
      int num;                     // value
  }

XML tags are serialized as a byte code for the type of tag, followed by a reference to the tag name in the string table:

  ContentElementToken {            // <element>
      TokenType type = ContentElementCode;
      Count stringRef;             // index of element name
  }

  ElementEndToken {                // </element>
      TokenType type = ElementEndCode;
  }

Strings are preceded by their length; string tables are preceded by a type code and the table size:

  String {                         // raw character string
      Count byteLength;            // length in bytes
      byte chars[byteLength];      // characters in proper encoding
  }

  StringTableToken {               // string table (fragment)
      TokenType type = StringTableCode;
      Count nStrings;              // number of strings
      String strings[nStrings];    // values
  }

Source: http://www.cubewerx.com

Why the changes?

Performance, scalability, and security.
New event publishing API: schematized, discoverable, structured events.
Unified API: logging uses the tracing framework.
Logging is asynchronous: it does not block the application.
Log size limit removed: limited only by disk space.

Vista Events

XML events have rich information; XP events have a flat structure with no parameter names.
Filtering and subscriptions use XPath, e.g. Event[System/EventID=101].

Select events and filter out noise:
  <QueryList>
    <Query>
      <Select>Event[System/Provider=Foo]</Select>
      <Suppress>Event[System/Level>2]</Suppress>
    </Query>
  </QueryList>

Filter across live logs, files, Vista, and XP. Subscribe to a custom view of events centrally. Integrates with existing tools.
Triggering actions: associate a task with an event with a single click.

Vista Log Signature

The 4K header starts with "ElfFile".
Each 64K block starts with "ElfChnk".
Size: 1024 + 4 = 1028 KB (sixteen 64K blocks plus the 4K header).

Registering a Provider (PDC 06)

Providers are the sources of events. Each is identified by a unique GUID and a name, and specifies the location of resources for decoding:

  <provider name="Microsoft-Windows-Demonstration"
            guid="{12345678-d6ef-4962-83d5-123456789012}"
            resourceFileName="wevtsvc.dll"
            messageFileName="wevtsvcMessages.dll"
            parameterFileName="wevtsvcParameter.dll"
  >

Channel Definition (PDC 06)

System-defined channels are imported (the System channel below); new provider-specific channels can be defined and configured:

  <importChannel chid="C1" name="System" />
  <channel chid="C2" name="Microsoft-Windows-Demonstration/Operational"
           type="Operational" isolation="System">
    <logging>
      <autoBackup>true</autoBackup>
      <maxSize>268435456</maxSize>
    </logging>
    <publishing>
      <level>2</level>
      <keywords>1</keywords>
    </publishing>
  </channel>

Template Definition (PDC 06)

Templates define the payload shape of events; data elements define the fields of an event; a user-defined XML representation for the payload can be added:

  <templates>
    <template tid="tid_HelloWorld">
      <data name="Greeting" inType="win:UnicodeString" outType="xs:string" />
    </template>
  </templates>

Event (PDC 06)

The manifest defines the event's attributes: ID (value), version, keywords, task, opcode, and level. It references a previously declared template that defines the instance data, a message (a user-readable string), and the channel that transports the event to the logs:

  <event value="101" version="1" level="win:Error" symbol="MyEventDescriptor"
         keywords="el:Availability" task="el:EventProcessing"
         template="tid_HelloWorld" channel="C1"
         message="$(string.HelloWorld.Message)"
  />

Logging Interface (PDC 06)

How to log an event:
  At compile time: write a schema; compile the schema.
  At run time: register the source; create a session; send events.

[Diagram: the event publishing application (user mode) holds the event schema, which the schema compiler tur
ns into a publisher; the publisher sends published events through the publishing API into a session in the kernel component, which writes them to the logs.]

Roadmap: Event Log Analysis (Recovery, Correlation, Report)

"Cutting-Edge Forensics"

"Conduct Cutting-Edge Forensic Investigations" (back cover)

On event log repair: "We found no methods that were complete, and none explained the underlying principles for why the repair was needed." (pg. 444)

Available April 2, 2007


Log Analysis Roadmap

Forensic process models: Extract, Analyze, Interpret, with the Recover / Correlate / Repair cycle inside Extract.

Extract:
  Step 1: Recover. Data carve for logs, etc.
  Step 2: Validate. Identify intact log files.
  Step 3: Correlate. Corresponding times, files, names, ...
Analyze
Interpret

Using DataLifter (screenshot)

Signatures

XP log signature, 16 bytes: 30 00 00 00 4c 66 4c 65 01 00 00 00 01 00 00 00
Vista log signature, 16 bytes: "ElfFile" padded with nulls

Step 1: Recover

The results of running DataLifter: 100 logs are recovered. Only two are viewable; 98 are corrupt.

Step 2: Validate 98 logs?
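An added worked example for the Recover and Validate steps above (not the presentation's tool and not DataLifter): it scans a raw image for the two signatures on the Signatures slide, then decodes the ElfFile and ElfChnk headers and checks their CRC32 checksums so that carved logs can be sorted into viewable and corrupt without opening each one in Event Viewer. The header layouts, record framing (records begin with 0x2a2a0000) and checksum coverage are those documented by the libevtx project, which the slides do not state, so they are assumptions here; the image is constructed in the script and contains no real log data.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Signatures quoted on the slides; chunk/record layout and CRC coverage as documented by libevtx (assumed).
EVTX_FILE_SIG = b"ElfFile\x00"
EVTX_CHUNK_SIG = b"ElfChnk\x00"
EVTX_RECORD_SIG = b"\x2a\x2a\x00\x00"
XP_LOG_SIG = bytes.fromhex("30000000 4c664c65 01000000 01000000")  # header length 0x30, "LfLe", major 1, minor 1
CHUNK_SIZE = 0x10000         # every .evtx chunk is 64 KB
FILE_HEADER_SIZE = 0x1000    # the 4 KB file header block
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def crc32(b):
    return zlib.crc32(bytes(b)) & 0xFFFFFFFF


def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def carve_signatures(image):
    """Step 1 (Recover): every offset at which a log signature occurs, in image order."""
    hits = []
    for sig, kind in ((EVTX_FILE_SIG, "evtx-file"), (EVTX_CHUNK_SIG, "evtx-chunk"), (XP_LOG_SIG, "xp-log")):
        pos = image.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(sig, pos + 1)
    return sorted(hits)


def parse_file_header(image, off):
    """Step 2 (Validate): decode the ElfFile header and check its CRC32, which covers bytes 0..119."""
    hdr = image[off:off + 128]
    if len(hdr) < 128:
        return {"chunk_count": 0, "next_record_id": None, "version": None, "dirty": None, "checksum_ok": False}
    _first, _last, next_id, _hsize, minor, major, _block, nchunks = struct.unpack_from("<QQQIHHHH", hdr, 8)
    flags, stored = struct.unpack_from("<II", hdr, 120)
    return {"chunk_count": nchunks, "next_record_id": next_id, "version": (major, minor),
            "dirty": bool(flags & 1), "checksum_ok": crc32(hdr[:120]) == stored}


def parse_chunk(image, off):
    """Validate one ElfChnk: header CRC (bytes 0..119 and 128..511), record-area CRC, then walk the records."""
    chunk = image[off:off + CHUNK_SIZE]
    if len(chunk) < 512:
        return {"header_ok": False, "records_ok": False, "first_id": None, "last_id": None, "records": []}
    _fno, _lno, first_id, last_id, _hsize, _last_off, free_off, rec_crc = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_ok = crc32(chunk[:120] + chunk[128:512]) == struct.unpack_from("<I", chunk, 124)[0]
    end = min(free_off, len(chunk))
    records_ok = crc32(chunk[512:end]) == rec_crc
    records, pos = [], 512
    while pos + 24 <= end and chunk[pos:pos + 4] == EVTX_RECORD_SIG:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, pos + 4)
        if size < 28 or pos + size > end or struct.unpack_from("<I", chunk, pos + size - 4)[0] != size:
            break  # the size field or its trailing copy is damaged: stop walking this chunk
        records.append({"id": rec_id, "written": filetime_to_datetime(written), "binxml": chunk[pos + 24:pos + size - 4]})
        pos += size
    return {"header_ok": header_ok, "records_ok": records_ok, "first_id": first_id, "last_id": last_id, "records": records}


def triage(image):
    """Carve, then mark each hit intact or damaged: the '2 viewable, 98 corrupt' split, one structure at a time."""
    out = []
    for off, kind in carve_signatures(image):
        if kind == "evtx-file":
            r = parse_file_header(image, off)
            out.append((off, kind, r["checksum_ok"], r["chunk_count"]))
        elif kind == "evtx-chunk":
            r = parse_chunk(image, off)
            out.append((off, kind, r["header_ok"] and r["records_ok"], len(r["records"])))
        else:
            out.append((off, kind, None, 0))  # an XP .evt header carries no checksum to verify
    return out


# ---- constructed sample data; not real logs --------------------------------------------------------------
def build_chunk(first_id, payloads, written):
    body, rec_id, last_off = b"", first_id, 512
    for payload in payloads:  # payload stands in for the binary XML; any bytes exercise the framing
        size, last_off = 24 + len(payload) + 4, 512 + len(body)
        body += EVTX_RECORD_SIG + struct.pack("<IQQ", size, rec_id, datetime_to_filetime(written)) + payload + struct.pack("<I", size)
        rec_id += 1
    hdr = bytearray(512)
    hdr[:8] = EVTX_CHUNK_SIG
    struct.pack_into("<QQQQIIII", hdr, 8, first_id, rec_id - 1, first_id, rec_id - 1, 128, last_off, 512 + len(body), crc32(body))
    struct.pack_into("<I", hdr, 124, crc32(hdr[:120] + hdr[128:512]))
    return (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")


def build_file_header(nchunks, next_id):
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = EVTX_FILE_SIG
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, nchunks - 1, next_id, 128, 1, 3, 4096, nchunks)
    struct.pack_into("<II", hdr, 120, 0, crc32(hdr[:120]))
    return bytes(hdr)


def build_sample_image():
    """Junk, a two-chunk log whose second chunk has a flipped byte inside a record, an XP log header, junk."""
    when = datetime(2006, 11, 11, 15, 21, 14, tzinfo=timezone.utc)
    good = build_chunk(1, [b"<constructed binxml record 1>", b"<constructed binxml record 2>"], when)
    damaged = bytearray(build_chunk(3, [b"<constructed binxml record 3>"], when))
    damaged[540] ^= 0xFF  # inside record 3's payload: the record-area CRC no longer matches
    return b"\xaa" * 1000 + build_file_header(2, 4) + good + bytes(damaged) + b"\x00" * 77 + XP_LOG_SIG + b"\x00" * 200


if __name__ == "__main__":
    for off, kind, ok, n in triage(build_sample_image()):
        print(f"{off:>8}  {kind:<10}  intact={ok}  items={n}")
```

Against a real image, feed the file contents to triage(); a chunk whose header CRC fails is unrecoverable as a unit, while one whose header is intact but whose record-area CRC fails still yields the records that parse cleanly, which is often enough for correlation.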

Vista Event Viewer (screenshot)

New: views, filters.

Correlate

SQL queries to identify patterns; the event filter used:

  <QueryList>
    <Query>
      <Select Path="System">*[System/Provider="CD Burning Service"]</Select>
    </Query>
  </QueryList>

  Time (UTC)         Message
  11/11/2006 15:21   The CD Burning service was successfully sent a start control.
  11/11/2006 15:21   The CD Burning service entered the running state.
  11/11/2006 15:22   The CD Burning service entered the running state.
  11/11/2006 15:23   The CD Burning service entered the running state.
  11/11/2006 15:24   The CD Burning service entered the running state.
  11/11/2006 15:25   The CD Burning service entered the running state.
  11/11/2006 15:26   The CD Burning service entered the running state.
  11/11/2006 15:27   The CD Burning service entered the running state.
  11/11/2006 15:27   The CD Burning service entered the stopped state.
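An added example, not from the presentation, covering both the QueryList filtering on the Vista Events slide and the Correlate step above: it parses events in the <Event><System>...</System><EventData>...</EventData></Event> shape the slides show, applies a Select and a Suppress predicate (Python callables standing in for the XPath expressions), and then pulls out the events that fall within a few minutes of a timestamp taken from another artifact, here the shortcut's creation time from the case study. The event records, SIDs and messages are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed Application-channel events on one machine; not real log data.
SAMPLE_EVENTS = [
    (7660, "CD Burning Service", 310, 4, "2006-11-11T15:21:02.000Z", "S-1-5-21-1111-2222-3333-1003",
     "The CD Burning service was successfully sent a start control."),
    (7661, "CD Burning Service", 310, 4, "2006-11-11T15:21:05.000Z", "S-1-5-21-1111-2222-3333-1003",
     "The CD Burning service entered the running state."),
    (7662, "Spooler", 1001, 3, "2006-11-11T15:22:40.000Z", "S-1-5-18", "Printer offline."),
    (7663, "CD Burning Service", 310, 4, "2006-11-11T15:27:10.000Z", "S-1-5-21-1111-2222-3333-1003",
     "The CD Burning service entered the stopped state."),
    (7664, "CD Burning Service", 311, 2, "2006-11-12T09:00:00Z", "S-1-5-21-1111-2222-3333-1003",
     "Failed to write disc."),
]


def event_xml(record_id, provider, event_id, level, when, sid, message):
    """Render one event in the <Event><System>...</System><EventData>... shape shown on the slides."""
    return (f'<Event><System><Provider Name="{provider}" /><EventID>{event_id}</EventID><Level>{level}</Level>'
            f'<Version>0</Version><TimeCreated SystemTime="{when}" /><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Application</Channel><Computer>Desktop9237</Computer><Security UserID="{sid}" /></System>'
            f'<EventData><Data Name="control">{message}</Data></EventData></Event>')


def parse_system_time(text):
    """SystemTime is UTC ISO 8601 with an optional fraction and a trailing Z."""
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("System")
    return {
        "record_id": int(system.findtext("EventRecordID")),
        "provider": system.find("Provider").get("Name"),
        "event_id": int(system.findtext("EventID")),
        "level": int(system.findtext("Level")),
        "time": parse_system_time(system.find("TimeCreated").get("SystemTime")),
        "user": system.find("Security").get("UserID"),
        "data": {d.get("Name"): d.text for d in root.iter("Data")},
    }


def query(events, select, suppress=lambda e: False):
    """<Select> keeps what matches, then <Suppress> removes what matches, as a QueryList does."""
    return [e for e in events if select(e) and not suppress(e)]


def correlate(events, anchor, window=timedelta(minutes=5)):
    """Events within +/- window of a time taken from another artifact, nearest first."""
    return sorted((e for e in events if abs(e["time"] - anchor) <= window), key=lambda e: abs(e["time"] - anchor))


def investigate(anchor=datetime(2006, 11, 11, 15, 21, 14, tzinfo=timezone.utc)):
    """The anchor defaults to the shortcut's creation time from the case study."""
    events = [parse_event(event_xml(*row)) for row in SAMPLE_EVENTS]
    burner = query(events,
                   select=lambda e: e["provider"] == "CD Burning Service",
                   suppress=lambda e: e["level"] > 4)   # drop verbose (level 5) noise, keep informational and errors
    nearby = correlate(burner, anchor)
    timeline = [(e["time"].strftime("%m/%d/%Y %H:%M"), e["data"]["control"]) for e in sorted(burner, key=lambda e: e["time"])]
    return {"selected": len(burner), "correlated": nearby, "users": sorted({e["user"] for e in nearby}), "timeline": timeline}


if __name__ == "__main__":
    result = investigate()
    for when, msg in result["timeline"]:
        print(when, msg)
    print("within 5 minutes of the shortcut's creation:", [e["record_id"] for e in result["correlated"]])
```

The Suppress predicate here keeps informational events because they are the ones that date the burn; the slide's Suppress of Level>2 is the right choice when only errors are wanted.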


Report

Correlations indicate a CD-ROM was burned by username Bob at 11/11/2006 3:21 PM UTC.
We can uniquely identify the CD: label "Nov 11 2006", volume serial number E2C3-F184.
Proprietary documents were transferred: OfInterest.doc, 1.6 MB, last modified 11/3/2006 10:12:34 AM UTC.


Timestamp Analysis

The target's last write time (11/3/2006 10:12:34 AM) is earlier than its creation time (11/11/2006 3:21:14 PM). When a file is copied onto a new volume its creation time is set at copy time while its last write time is carried over, so this pattern can indicate the time at which the file was transferred from the source media, and the last write time can help identify the source file on the source media.

Shortcut file, link target information:
  File attributes:            Read-only
  Last access time (UTC):     N/A
  Last write time (UTC):      11/3/2006 10:12:34 AM
  Creation time (UTC):        11/11/2006 3:21:14 PM
  File size:                  1643743
  Volume serial number:       E2C3-F184
  Volume label:               Nov 11 2006
  Volume type:                CD-ROM
  Local path:                 D:\OfInterest.doc
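An added example, not the presentation's tool, for the Shortcuts slide and the Timestamp Analysis above: it pulls the fields the report relies on (target path, volume serial, label and type, size, and the three timestamps) out of a .lnk file and applies the last-write-before-creation test. The byte layout follows the MS-SHLLINK specification (ShellLinkHeader, LinkInfo with VolumeID and LocalBasePath, then StringData); the shortcut parsed here is constructed in the script from the values on the slide and is not a real file.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "Unknown", 1: "No root dir", 2: "Removable", 3: "Fixed", 4: "Remote", 5: "CD-ROM", 6: "RAM disk"}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x1, 0x2, 0x80
STRING_DATA = [(0x4, "name"), (0x8, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location")]


def filetime_to_datetime(ft):
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)   # 0 means "not set" (N/A on the slide)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def wstring(buf, off):
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_lnk(buf):
    """ShellLinkHeader, then LinkInfo (VolumeID + LocalBasePath), then StringData, per MS-SHLLINK."""
    hsize, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", buf, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    lnk = {"read_only": bool(attrs & 0x1), "created": filetime_to_datetime(ctime),
           "accessed": filetime_to_datetime(atime), "written": filetime_to_datetime(wtime), "size": size}
    pos = hsize
    if flags & HAS_IDLIST:                                   # skip the target ID list; not needed for these fields
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = struct.unpack_from("<7I", buf, pos)
        if li_flags & 0x1:                                   # VolumeIDAndLocalBasePath present
            v = pos + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", buf, v)
            if label_off == 0x14:                            # label stored as UTF-16 at VolumeLabelOffsetUnicode
                label = wstring(buf, v + struct.unpack_from("<I", buf, v + 16)[0])
            else:
                label = cstring(buf, v + label_off)
            lnk.update(volume_type=DRIVE_TYPES.get(dtype, str(dtype)), volume_label=label,
                       volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}", local_path=cstring(buf, pos + base_off))
        pos += li_size
    for bit, name in STRING_DATA:                            # CountCharacters, then the characters, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", buf, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            lnk[name] = buf[pos + 2:pos + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return lnk


def timestamp_findings(lnk):
    """The Timestamp Analysis test: last write before creation means the target was copied onto this volume."""
    notes = []
    if lnk["written"] and lnk["created"] and lnk["written"] < lnk["created"]:
        notes.append(f"target created {lnk['created']:%Y-%m-%d %H:%M:%S} UTC, after its last write "
                     f"{lnk['written']:%Y-%m-%d %H:%M:%S} UTC: creation marks the copy onto "
                     f"{lnk.get('volume_label', '?')} ({lnk.get('volume_type', '?')}); last write identifies the source file")
    if lnk["accessed"] is None:
        notes.append("no last access time recorded")
    return notes


def build_sample_lnk():
    """Constructed shortcut carrying the values on the Shortcuts slide; not a real file."""
    created = datetime(2006, 11, 11, 15, 21, 14, tzinfo=timezone.utc)
    written = datetime(2006, 11, 3, 10, 12, 34, tzinfo=timezone.utc)
    label, path = b"Nov 11 2006\x00", b"D:\\OfInterest.doc\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 5, 0xE2C3F184, 16) + label      # DriveType 5 = DRIVE_CDROM
    link_info = struct.pack("<7I", 28 + len(volume_id) + len(path) + 1, 28, 1, 28,
                            28 + len(volume_id), 0, 28 + len(volume_id) + len(path)) + volume_id + path + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINKINFO, 0x1,   # 0x1 = FILE_ATTRIBUTE_READONLY
                         datetime_to_filetime(created), 0, datetime_to_filetime(written), 1643743, 0, 1, 0, 0, 0, 0)
    return header + link_info


if __name__ == "__main__":
    shortcut = parse_lnk(build_sample_lnk())
    for key in ("local_path", "volume_type", "volume_label", "volume_serial", "size", "created", "written", "accessed"):
        print(f"{key:<14} {shortcut[key]}")
    print("\n".join(timestamp_findings(shortcut)))
```

On a carved shortcut, parse_lnk(open(path, "rb").read()) gives the same dictionary; the volume serial is the field to match against any media later seized, since a label can be reused but the serial is assigned at format time.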

Roadmap: Shadow Copy Services

"Shadow Copy tracks your every change."

Automatic point-in-time copies.
Incremental block-level differences minimize space.
Deletes older copies as needed for space (LRU).

Legal Concerns Related to Vista

Revised Federal Rules of Civil Procedure:
  Scope of production: historical snapshots are readily available in Vista.
  Duty to preserve: litigation hold notices; potential for sanctions.
  Form of production: native files? Metadata? Point-in-time image snapshots?

Impact on Policy Maintenance

May complicate corporate policy issues:
  Document retention policies: complicates policy maintenance; disabling shadow copies in turn breaks backups and the restore engine.
  Metadata retention policy: ownership changes are visible now; gaps in documentation policy for Vista.

Impact of Vista on Forensics

FRCP: the rules have changed. Vista, in turn, changes the rules.
What happens if one accepts the default system behavior? Things may never go away permanently. Vista leaves far more information than XP, including changes in ownership (SID).
Executives dislike surprises: risks regarding SOX compliance and litigation.

How Shadow Copy Works

The Volume Shadow Copy Service (VSS) acts like a block device: a layer between the disk and the file system.

[Diagram: the file system sits on the Volume Shadow Copy (VSS) layer, which sits on the block device (disk). Beside the current file system, VSS exposes snapshots as of Wed. 7:00, 10:00, 13:00, 15:00 and 19:00.]

[Diagram (Stevenson, WinHec 06): an application writes data to disk. Upon the write, the overwritten block moves to the shadow copy, so the shadow copy holds only the blocks that changed. Panels: Disk before / Disk after, Shadow before / Shadow after.]
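An added model of the mechanism on the three slides above (not Microsoft's VSS implementation and not code from the presentation): a block device with copy-on-write snapshots in front of it. A write saves the block's previous contents into the newest snapshot's diff area before overwriting it, so each point-in-time copy holds only changed blocks and each pre-image is stored once; reading an older snapshot walks forward through the newer diffs before falling back to the live block; and when the diff area exceeds its budget the oldest snapshot is deleted, which is the LRU behaviour the first slide describes. The volume, block contents and snapshot names are constructed for the demo.

```python
from collections import OrderedDict


class ShadowedVolume:
    """A block device with copy-on-write snapshots layered between it and the file system (the caller)."""

    def __init__(self, nblocks, block_size=4, diff_budget=4):
        self.blocks = [bytes(block_size)] * nblocks     # current contents, what the file system sees
        self.diff_budget = diff_budget                   # how many saved blocks the diff area may hold
        self.snapshots = OrderedDict()                   # name -> {block index: contents as of that snapshot}, oldest first

    def create_snapshot(self, name):
        self.snapshots[name] = {}                        # a new snapshot costs nothing until something changes

    def write(self, index, data):
        """Copy-on-write: the block about to be overwritten moves into the newest snapshot's diff area."""
        if self.snapshots:
            newest = next(reversed(self.snapshots))
            self.snapshots[newest].setdefault(index, self.blocks[index])   # keep only the first pre-image
        self.blocks[index] = data
        while self.diff_area_used() > self.diff_budget:  # out of space: discard the oldest point-in-time copy
            self.snapshots.popitem(last=False)

    def diff_area_used(self):
        return sum(len(diff) for diff in self.snapshots.values())

    def read_snapshot(self, name):
        """Reconstruct the volume as of a snapshot: consult its diff, then each newer diff, then the live block."""
        names = list(self.snapshots)
        chain = [self.snapshots[n] for n in names[names.index(name):]]
        return [next((diff[i] for diff in chain if i in diff), live) for i, live in enumerate(self.blocks)]


def demo():
    """Constructed scenario in the spirit of the slide's Wednesday snapshots."""
    vol = ShadowedVolume(nblocks=4, diff_budget=4)
    for i, data in enumerate([b"doc1", b"doc2", b"free", b"free"]):
        vol.write(i, data)                   # no snapshot exists yet, so nothing is copied
    vol.create_snapshot("Wed 07:00")
    vol.write(0, b"DOC1")                    # edit doc1: the old block is saved once, in the 07:00 diff
    vol.create_snapshot("Wed 10:00")
    vol.write(0, b"doc1")                    # edit again: this pre-image goes to the 10:00 diff
    vol.write(1, b"xxxx")                    # overwrite doc2 ("delete" it)
    as_of_07 = vol.read_snapshot("Wed 07:00")
    as_of_10 = vol.read_snapshot("Wed 10:00")
    used = vol.diff_area_used()
    vol.write(2, b"new1")
    vol.write(3, b"new2")                    # pushes the diff area over budget: the oldest snapshot is evicted
    return {"as_of_07": as_of_07, "as_of_10": as_of_10, "used_before_churn": used, "remaining": list(vol.snapshots)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<18} {value}")
```

The forensic consequence is visible in demo(): doc2 is recoverable from either snapshot after it was overwritten, right up to the moment heavy churn evicts the copies that held it.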

Enabling Shadow Copies

[Image-only slides follow; the last two are credited to Stevenson, WinHec 06.]

Windows RE Auto-Repair (Stevenson, WinHec 06)

[Flowchart: Computer bluescreens -> Reboot -> Boot manager detects failure -> Fail over into Windows RE -> Auto-launch Startup Repair -> Diagnose and repair computer -> Reboot -> Successful boot? Yes: Windows Vista starts. No: more than 5 attempts? No: try again. Yes: cannot auto-repair (try manual).]

Tools: VSSAdmin

  C:\>vssadmin /?
  vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
  (C) Copyright 2001 Microsoft Corp.

  ---- Commands Supported ----

  Add ShadowStorage     - Add a new volume shadow copy storage association
  Create Shadow         - Create a new volume shadow copy
  Delete Shadows        - Delete volume shadow copies
  Delete ShadowStorage  - Delete volume shadow copy storage associations
  List Providers        - List registered volume shadow copy providers
  List Shadows          - List existing volume shadow copies
  List ShadowStorage    - List volume shadow copy storage associations
  List Volumes          - List volumes eligible for shadow copies
  List Writers          - List subscribed volume shadow copy writers
  Resize ShadowStorage  - Resize a volume shadow copy storage association

Resource Kit: VolRest

  C:\Resource Kit>volrest
  VOLREST 1.1 - Timewarp Previous Version command-line tool
  (C) Copyright 2003 Microsoft Corp.

  Usage: VOLREST [options] FileName

  Options are:
    /?                  - Displays this help.
    /A                  - Includes files with specified attributes.
          /AD             Directories (only).
          /AS             System files.
          /AH             Hidden files.
    /B                  - Uses bare format (no heading information or summary).
    /S                  - Includes files in specified directory and all subdirectories.
    /R:<DirectoryName>  - Restore all previous versions in target directory.
    /E                  - Restores empty directories (use with /R).
    /SCT                - Decorates restored file names with the shadow copy timestamp.
                          Use with /R. For example: "foo (Wednesday, January 01, 2003, 14.00.00).doc"

  Examples:
    VOLREST Z:\MYDIRECTORY\MYFILE.DOC
    VOLREST \\server\share\MYDIRECTORY\*.DOC
    VOLREST Z:\*.* /s /r:C:\OLDFILES
    VOLREST Z:\*.DOC /s /r:C:\OLDFILES /SCT

[email protected]
http://murphey.org
http://acsworldwide.com

For More Info

C. R. Murphey, "Automated Windows Event Log Forensics," Digital Investigation, August 2007.
Digital Forensic Research Workshop, 8/13/07; GMU Forensics Symposium; HTCIA National, 8/27/07.