Windows 7 Log Forensics – Fact-Finding Significance

Log files record significant events on a Windows machine, such as the time stamps of user logins and program errors. These records play a vital role in Windows 7 log forensics, especially when collecting evidence of malicious activity.

Windows 7 saves event logs that help trace the events recorded in the Security, Application, DNS, System and other channels. These events can be an important source for investigators building the chain of custody for forensic analysis. Windows 7 creates and archives event logs as EVTX files, which carry a Level property that indicates the severity of each event. Fields in these files such as Source, Event ID, Severity Level, Category, Operational Code, Time Stamps, Processor ID, Session ID and Process ID can all support Windows 7 log forensics.

Importance of Windows 7 Event Log Forensics

Windows 7 log file forensics is helpful in several ways. It brings out system event information, which in turn helps trace the chain of custody. Windows log files and event logs are considered crucial sources of forensic data because each record can be tied to a particular event at a specific point in time. However, there are some hurdles in performing Windows 7 log forensics:

  • Time stamps in the metadata of the files and folders of concern are not available.
  • Time stamps have to be collated, sorted and correlated in order to carve out artifacts.
  • The investigation has to cover a large volume of event log files and records.
  • Windows log files have to be collected from several systems.
  • Data is fragmented or partially overwritten and hence unrecoverable.

Windows 7 Event Log Forensics

Windows 7 Event Log Forensics Details

  • In Windows 7 log forensics, the event logs are stored in the System folder in a binary extensible markup language (XML) format.
  • Two types of event log files (.evtx) in the winevt\Logs directory have to be investigated:
    • Windows Logs
    • Application and Services Logs
  • There are numerous .evtx files on the system, so they must be sorted before the investigation begins.
  • The Application, Security and System event logs are available as appevent, secevent and sysevent.
  • Event IDs and the events associated with them differ between Windows versions, making analysis across versions more difficult.
  • Details in the Setup and Forwarded Events logs are an important source for probing and analysis.
  • By default in Windows 7, only the Operational and Admin logs are visible among the four channel types: Operational, Admin, Debug and Analytic.
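As an added example (not code from the Acquire Forensics page), the Python below parses the 128-byte EVTX file header to answer two questions an examiner wants settled before relying on a log: whether the header's stored CRC32 still matches (the checksum field covers the first 120 bytes of the header) and whether the dirty or full flags are set, which tell you the log was not cleanly closed or had reached its size limit. It also sorts file names from the winevt\Logs directory into the two groups listed above and marks the Debug and Analytic channels that Windows 7 hides by default. The field offsets follow the publicly documented EVTX file header layout; the sample header is constructed in code and does not come from any real system. One practical caveat: the files on a Windows 7 disk carry the channel names (Application.evtx, Security.evtx, System.evtx), and a slash in a channel name is written as %4 on disk, as in Microsoft-Windows-TaskScheduler%4Operational.evtx.

```python
import struct
import zlib
from dataclasses import dataclass

EVTX_FILE_SIGNATURE = b"ElfFile\x00"
FLAG_DIRTY = 0x0001  # log was not cleanly closed (typical of a live acquisition)
FLAG_FULL = 0x0002   # log has reached its configured maximum size

# Channels shown under "Windows Logs" in Event Viewer; every other channel
# is listed under "Application and Services Logs".
WINDOWS_LOGS = {"Application", "Security", "System", "Setup", "ForwardedEvents"}
# Channel types Windows 7 hides unless "Show Analytic and Debug Logs" is enabled.
HIDDEN_CHANNEL_TYPES = {"Debug", "Analytic"}


@dataclass
class EvtxHeader:
    first_chunk: int
    last_chunk: int
    next_record_id: int
    major_version: int
    minor_version: int
    chunk_count: int
    flags: int
    stored_crc: int
    computed_crc: int

    @property
    def dirty(self) -> bool:
        return bool(self.flags & FLAG_DIRTY)

    @property
    def full(self) -> bool:
        return bool(self.flags & FLAG_FULL)

    @property
    def crc_ok(self) -> bool:
        return self.stored_crc == self.computed_crc


def parse_evtx_header(data: bytes) -> EvtxHeader:
    """Parse the 128-byte EVTX file header that starts every .evtx file."""
    if len(data) < 128:
        raise ValueError("EVTX file header is 128 bytes; input is too short")
    if data[:8] != EVTX_FILE_SIGNATURE:
        raise ValueError("not an EVTX file: signature mismatch")
    first_chunk, last_chunk, next_record_id = struct.unpack_from("<QQQ", data, 0x08)
    header_size, minor, major, _block_size, chunk_count = struct.unpack_from("<IHHHH", data, 0x20)
    if header_size != 128:
        raise ValueError(f"unexpected header size {header_size}")
    flags, stored_crc = struct.unpack_from("<II", data, 0x78)
    # The checksum covers bytes 0..119, i.e. everything before the flags field.
    computed_crc = zlib.crc32(data[:120]) & 0xFFFFFFFF
    return EvtxHeader(first_chunk, last_chunk, next_record_id, major, minor,
                      chunk_count, flags, stored_crc, computed_crc)


def classify_log_file(filename: str) -> dict:
    """Map a file name from the Logs directory to its channel, group and default visibility."""
    stem = filename[:-5] if filename.lower().endswith(".evtx") else filename
    channel = stem.replace("%4", "/")  # "/" in a channel name is stored as %4 on disk
    channel_type = channel.rsplit("/", 1)[1] if "/" in channel else None
    return {
        "channel": channel,
        "group": "Windows Logs" if channel in WINDOWS_LOGS else "Application and Services Logs",
        "channel_type": channel_type,
        "visible_by_default": channel_type not in HIDDEN_CHANNEL_TYPES,
    }


def build_sample_header(chunk_count: int, next_record_id: int, flags: int) -> bytes:
    """Constructed sample header (not from any real system) for offline testing."""
    hdr = bytearray(128)
    hdr[0:8] = EVTX_FILE_SIGNATURE
    struct.pack_into("<QQQ", hdr, 0x08, 0, chunk_count - 1, next_record_id)
    struct.pack_into("<IHHHH", hdr, 0x20, 128, 1, 3, 4096, chunk_count)
    struct.pack_into("<I", hdr, 0x78, flags)
    struct.pack_into("<I", hdr, 0x7C, zlib.crc32(hdr[:120]) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed file names, as they would appear in the Logs directory.
    for name in ("Security.evtx", "Setup.evtx",
                 "Microsoft-Windows-TaskScheduler%4Operational.evtx",
                 "Microsoft-Windows-Kernel-PnP%4Analytic.evtx"):
        print(name, "->", classify_log_file(name))
    h = parse_evtx_header(build_sample_header(chunk_count=3, next_record_id=1500, flags=FLAG_DIRTY))
    print(f"chunks={h.chunk_count} next_record={h.next_record_id} "
          f"dirty={h.dirty} full={h.full} crc_ok={h.crc_ok}")
```

A dirty flag on a file taken from a powered-off image is worth noting in the examiner's record, and a CRC mismatch means the header has been altered or partially overwritten since Windows last wrote it, which is exactly the "fragmented or partially overwritten" hurdle listed earlier.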
The Acquire Forensics team can perform a thorough investigation of all these records. The team has complete knowledge of the procedures involved in collecting and extracting Windows logs for Windows 7 event log forensics. To avail of the service,
Contact Us