By Bobby R. Williams Jr. on 11/10/20 7:00 AM
Investigators don’t start with answers. We ask questions. Our mission (should we choose to accept it) is to determine what happened and when. There may be a valuable gem hidden in your data, but we won’t know until we start digging. In the expanding digital universe, there are artifacts all around us. Knowing what they are and how to parse them is key to uncovering the narrative within the data. If you need to construct a timeline of events, the Event logs on Windows workstations and servers are a great place to start.
Event logs track many useful actions. Events such as logons, log offs and machine power are just a few examples. If you are responding to an incident, event logs will likely be a vital source of information. To ensure that information is there when you need it, you need to ensure that logs are archived. Sounds simple right?
There are configuration settings you control that help determine how far back your logs may go. If you simply use the default settings, the size may be too small to save the key event logs. It’s also helpful to know which logs track which events. This can help you decide where to make changes to your log archiving protocol.
Why is this significant?
Much like middle children, event logs are often an afterthought. Organizations focus a lot on preventive security measures, like access points, authentication and encryption. This is important. You want to be proactive. In digital forensics and cyber security investigations, you need to reconstruct what happened. Who had access? When? Event logs can hold the answers, whether determining the activities of a departed employee, responding to an incident or defending an active intrusion. If you are not intentional about how logs are managed, you may be letting the answers to future questions slip through your … hard drives.
What’s my takeaway?
- Understand that there may not be a single main event in your investigation. The answers often lie in correlating a series of events. A qualified expert can help you understand event log entries and get closer to what happened. In order to do this, you need to make sure event logs are being archived with an intentional protocol.
- Expanding the size of key log files can help you retain more data. New events can push old events out once you reach max log size. Fortunately, machine storage has become relatively inexpensive and generating logs will not hog your resources. So, increase the size of important Event Logs from 20 MB to a few GB. I say increase the size of all logs whenever possible. If size and storage space is still a concern, choose key logs for expanded size. My colleague Jonathan Karchmer recommends Security.evtx as an example of where to focus.
- If your organization is not already doing so, consider using SIEM technology to aggregate and examine Event Logs. At a minimum, start by forwarding Event Logs from critical workstations, and backing up machine and server Event Logs to another repository. Redundancy helps secure against data loss. When events age out on your computers and servers, the backup location could contain years of activity that would have been lost otherwise. For organizations with more advanced security postures, utilizing and tuning SIEM will help in proactive “hunting” for bad guys. A qualified expert may be able to start triage simply by collecting a copy of your archived event logs, which could then help target an investigation and save you money.
These simple steps can help get your organization closer to being ready for the main event.