I know I am pushing something up a hill here in suggesting this, but .Net coding in a Windows environment and general coding skills for Linux should be a goal for all Forensic Analysts to learn. These are essential skills. In fact, they make life far easier if you can write code and think creatively. It is also not difficult to learn how. The ACM and IEEE both offer members free CBT courses on this topic.
I have recently noticed a number of conversations around reading Windows Event logs. The difficulty in extracting events and the limitations of the commercial tools are frequently mentioned. The reality is that this is a simple task that has been incorporated into the .Net framework since version 1.0 first came out. Classes and libraries are available for this very task. There are also many developer sites that offer code examples and tutorials. For instance, the Microsoft Developer Network (MSDN) and others have a set of pages on this problem:
- http://msdn.microsoft.com/en-us/library/k6b9a7h8.aspx
- http://msdn.microsoft.com/en-us/library/w3t54f67.aspx
- http://quickstart.developerfusion.co.uk/quickstart/howto/doc/LogInfo.aspx
My preference is for the C family of languages (C, C++, C#), as I started as a programmer doing C coding in the 80's, but there are a large number of VB examples about (which is not my specialty). Both Visual Studio .Net and the command line compiler (CSC), which has shipped on nearly all Windows hosts for the last 8 years or so, support .Net and give you a simple compiler. It is actually difficult to remove all compilers from a modern Windows system and have it continue to run...
Windows has a good implementation of the Regex class. Although these are rather abstract, they allow you to create extremely granular filters.
For a simple C# code example (this could be simplified using foreach statements etc):

```csharp
// Source File : Event_Reader.cs
// Compilation : csc Event_Reader.cs
// Execution   : Event_Reader
using System;
using System.Diagnostics;
using System.Windows.Forms;
using System.Drawing;

public class Event_Reader : Form
{
    Button b1 = new Button();

    public Event_Reader()
    {
        this.Text = "Security Event Warning in log";
        b1.Text = "Click here";
        b1.Click += new EventHandler(b1_click);
        b1.Location = new Point(100, 50);
        this.Controls.Add(b1);
    }

    public void b1_click(object sender, EventArgs e)
    {
        // Open the Application log on the local machine.
        EventLog elog = new EventLog();
        elog.Log = "Application";
        // Source identifies the writer when writing to a log; Entries returns
        // every record in the log, so the source filter is applied explicitly below.
        elog.Source = "MSSQLServer";

        int shown = 0;
        // Show the first five entries written by the chosen source.
        for (int i = 0; i < elog.Entries.Count && shown < 5; i++)
        {
            EventLogEntry entry = elog.Entries[i];
            if (entry.Source != elog.Source) continue;
            MessageBox.Show("Message: " + entry.Message + "\n" +
                            "App: " + entry.Source + "\n" +
                            "Entry type: " + entry.EntryType);
            shown++;
        }
    }

    public static void Main()
    {
        Application.Run(new Event_Reader());
    }
}
```
You can search the various properties of the EventLog class and return an instance of EventLog.EventLogEntryCollection. This collection holds a number of EventLogEntry objects, each corresponding to a relevant entry in the Event Log being analyzed.
In the example listed above, elog.Log = "Application"; names the Event Log being searched. The Source, elog.Source = "MSSQLServer"; sets a filter for the type of entry. You can display the UserName, TimeGenerated, TimeWritten and other properties simply by substituting them in the code example (modified from code provided on MSDN).
The Code Project has a simple code base that can be used to quickly put a small fast eventlog filter together and which can be modified to include Regex based search terms.
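As an added example (not code from the original post or from the Code Project base), here is a command line version that applies a Regex search term to the Message field of each entry, with an optional Source filter; the file name Event_Filter.cs and the sample command line are assumptions:

```csharp
// Source File : Event_Filter.cs   (added example, not from the original post)
// Compilation : csc Event_Filter.cs
// Execution   : Event_Filter <LogName> <MessageRegex> [SourceName]
//   e.g.        Event_Filter Application "login failed" MSSQLServer
using System;
using System.Diagnostics;
using System.Security;
using System.Text.RegularExpressions;

public class Event_Filter
{
    public static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: Event_Filter <LogName> <MessageRegex> [SourceName]");
            return 2;
        }
        string logName = args[0];
        Regex pattern = new Regex(args[1], RegexOptions.IgnoreCase | RegexOptions.Compiled);
        string sourceFilter = args.Length > 2 ? args[2] : null;

        try
        {
            EventLog elog = new EventLog(logName);
            int matched = 0;
            // Entries returns every record in the log; all filtering happens here.
            foreach (EventLogEntry entry in elog.Entries)
            {
                if (sourceFilter != null &&
                    !entry.Source.Equals(sourceFilter, StringComparison.OrdinalIgnoreCase))
                    continue;
                if (!pattern.IsMatch(entry.Message))
                    continue;
                matched++;
                // One tab-separated line per hit, easy to import into a spreadsheet.
                Console.WriteLine("{0:u}\t{1}\t{2}\tEventID={3}\t{4}",
                    entry.TimeGenerated, entry.EntryType, entry.Source,
                    entry.InstanceId, entry.Message.Replace(Environment.NewLine, " "));
            }
            Console.Error.WriteLine("{0} matching entries in {1} ({2} examined)",
                matched, logName, elog.Entries.Count);
            return 0;
        }
        catch (SecurityException)
        {
            // Reading the Security log requires administrative privileges.
            Console.Error.WriteLine("Access denied to log '{0}'; run as an administrator.", logName);
            return 1;
        }
    }
}
```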
So, my recommendation: learn how to code. It is simpler than you think, and it will make you a better digital forensic professional.
Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and ecommerce law, and is working on his 4th IT focused Masters degree (Masters in System Development) at Charles Sturt University, where he is helping to launch a Masters degree in digital forensics. He starts his second doctorate, a PhD on the quantification of information system risk, at CSU in April this year.