10.5 Log Files

Attribution is a major goal of an investigation, and log files can record which account was used to access a system at a given time. User accounts allow two forms of access to a computer: interactive login at the console and access to shared resources over the network. Both forms of access can significantly expand the pool of suspects. If illegal materials are found on a computer, the individuals with legitimate access to it are the obvious suspects, but someone may have gained unauthorized access and stored the materials on the disk. Similarly, if secret information is stolen from a computer system, or a computer is used to commit a crime, the possibility remains that someone gained unauthorized access to the computer and acted under another person's account.

Windows NT/2000/XP store their event logs in the "%systemroot%\system32\config\" directory (most commonly "c:\winnt\system32\config\" on NT and 2000, and "c:\windows\system32\config\" on XP) (Table 10.1).

Table 10.1: Windows NT Event Logs.

FILE            DESCRIPTION
Appevent.evt    Contains a log of application usage
Secevent.evt    Records activities that have security implications such as logins
Sysevent.evt    Notes system events such as shutdowns

The Security log can show which user account was used to commit a crime, and can also show that the account itself may have been stolen (for example, a string of failed logons followed by a success, or a logon from an unexpected workstation). The Application and System event logs also contain information about user activities on a system. Additionally, NT Event Log entries carry timestamps that can be correlated with file system traces (file creation, modification and access times) to determine what occurred while a given account was logged in. Unfortunately, Windows 95/98 do not keep logs of this kind and, on Windows NT, most auditing is disabled by default, so if a system was not configured to keep more detailed logs prior to an incident, much of the information that could have been gathered will simply never have been recorded.

Since it is usually desirable to search and sort log entries during an investigation, the Event Viewer's graphical interface can be a hindrance. Several utilities exist that will dump log files from Windows NT and 2000 to text. The most basic is dumpel from the Windows NT and Windows 2000 Resource Kits. Be aware that the log records store only an event identifier and the raw insertion strings; the descriptive message text is held in each event source's Event Message File (a DLL registered on the system that produced the log), so it is often necessary to extract those message files from the system to obtain complete and accurate information from its event logs. A detailed procedure for examining NT event logs is provided in the Handbook of Computer Crime Investigation, Chapter 9 (Casey et al. 2002, pp. 225–228).
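The .evt files in Table 10.1 share one binary layout, and reading that layout directly, rather than through Event Viewer, is what makes the searching, sorting and time correlation described above practical. The following Python script is an added example, not code from the book or from any Microsoft tool: it parses the legacy format (a 48-byte ELF_LOGFILE_HEADER followed by a chain of EVENTLOGRECORDs), converts each record's TimeGenerated to UTC, renders the user SID, and then pulls the logon, failed-logon and logoff events for one account out of a constructed Secevent.evt that is built inline. The host name WKS01, the domain CORP, the account names, the logon ID and the SID are invented; the event IDs 528, 529 and 538 and the order of their insertion strings are those of the NT/2000 Security log. The parsed records contain only the event ID and the insertion strings, which is exactly why the message files mentioned above are needed to reproduce the sentences Event Viewer shows.

```python
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C  # "LfLe" signature opening the file header and every record
# EVENTLOGRECORD fixed header (56 bytes): Length, Reserved(LfLe), RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
# DataLength, DataOffset.
REC_FMT = "<IIIIIIHHHHIIIIII"
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def sid_to_str(sid):
    """Render a binary SID as S-R-A-S1-...; empty input means no SID was logged."""
    if not sid:
        return ""
    rev, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def parse_evt(data):
    """Walk the record chain from StartOffset to EndOffset and return dicts.
    A wrapped (circular) log is not followed: parsing stops at the first bad record."""
    hdr_size, sig, _maj, _min, start, end = struct.unpack_from("<IIIIII", data, 0)
    if hdr_size != 48 or sig != LFLE:
        raise ValueError("not an NT event log: bad ELF_LOGFILE_HEADER")
    events, off = [], start
    while off + 56 <= end:
        (length, rsig, _recno, t_gen, _t_wr, event_id, etype, nstr, _cat, _flags,
         _closing, str_off, sid_len, sid_off, _dlen, data_off) = \
            struct.unpack_from(REC_FMT, data, off)
        if rsig != LFLE or length < 60 or off + length > len(data):
            break
        rec = data[off:off + length]
        # SourceName and ComputerName (UTF-16LE, NUL-terminated) follow the fixed
        # header; DWORD padding, then the SID (if any), then the strings come next.
        names_end = sid_off if sid_len else str_off
        names = rec[56:names_end].decode("utf-16-le", "replace").split("\x00")
        strings = rec[str_off:data_off].decode("utf-16-le", "replace").split("\x00")[:nstr]
        events.append({
            "time": datetime.fromtimestamp(t_gen, timezone.utc),  # Unix seconds, UTC
            "event_id": event_id & 0xFFFF,        # the ID Event Viewer displays
            "type": EVENT_TYPES.get(etype, str(etype)),
            "source": names[0], "computer": names[1],
            "sid": sid_to_str(rec[sid_off:sid_off + sid_len]),
            # Only the %1..%n insertions are stored; the template is in the message DLL.
            "strings": strings,
        })
        off += length
    return events


def logons_for_account(events, account):
    """Security logon (528), failed logon (529) and logoff (538) events for one account."""
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if (e["source"] == "Security" and e["event_id"] in (528, 529, 538)
                and e["strings"] and e["strings"][0].lower() == account.lower()):
            hits.append((e["time"].isoformat(), e["event_id"], e["type"]))
    return hits


# ---- constructed sample data (not a real log) ------------------------------
def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def build_record(recno, t_gen, event_id, etype, source, computer, strings, sid=b""):
    """Serialize one EVENTLOGRECORD in the layout parse_evt() expects."""
    body = _utf16z(source) + _utf16z(computer)
    while (56 + len(body)) % 4:           # the SID must start on a DWORD boundary
        body += b"\x00"
    sid_off = 56 + len(body)
    body += sid
    str_off = 56 + len(body)
    body += b"".join(_utf16z(s) for s in strings)
    data_off = 56 + len(body)
    length = 56 + len(body) + 4           # a trailing copy of Length closes the record
    hdr = struct.pack(REC_FMT, length, LFLE, recno, t_gen, t_gen, event_id, etype,
                      len(strings), 0, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return hdr + body + struct.pack("<I", length)


def build_evt(records):
    """Prepend a 48-byte ELF_LOGFILE_HEADER (the trailing EOF record is omitted)."""
    body = b"".join(records)
    hdr = struct.pack("<IIIIIIIIIIII", 48, LFLE, 1, 1, 48, 48 + len(body),
                      len(records) + 1, 1, 0x80000, 0, 0, 48)
    return hdr + body


_ts = lambda *ymdhm: int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())
SID_JDOE = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1001)
# Hypothetical Secevent.evt from host WKS01: interactive logon, failed logon, logoff.
SAMPLE_EVT = build_evt([
    build_record(1, _ts(2002, 3, 14, 22, 10), 528, 8, "Security", "WKS01",
                 ["jdoe", "CORP", "(0x0,0x1A2B)", "2", "User32", "Negotiate", "WKS01"], SID_JDOE),
    build_record(2, _ts(2002, 3, 14, 22, 12), 529, 16, "Security", "WKS01",
                 ["administrator", "CORP", "2", "User32", "Negotiate", "WKS01"]),
    build_record(3, _ts(2002, 3, 14, 23, 5), 538, 8, "Security", "WKS01",
                 ["jdoe", "CORP", "(0x0,0x1A2B)", "2"], SID_JDOE),
])
```

parse_evt(SAMPLE_EVT) returns three records; logons_for_account(parse_evt(SAMPLE_EVT), "jdoe") returns the 22:10 UTC logon and the 23:05 UTC logoff, which bracket the window in which file-system activity on WKS01 can be attributed to that account, while the same call for "administrator" returns only the 22:12 failure. For a real log, read the file with open(path, "rb") and pass the bytes to parse_evt(); because the walker does not follow the wrap of a circular log, compare the number of records returned against the header's CurrentRecordNumber before treating the output as complete.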




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
