Tuesday, March 22, 2011

Log Forensics and “Original” Events

I did this fun presentation on log forensics (here) and the question of “original” (aka “native”, “raw”, “unmodified”) log events came up again. Since the early days of my involvement in SIEM and log management, this question generated a lot of delusions and just sheer idiocy. A lot of people spout stuff like “you need original logs in court” without having any knowledge about either logs or court – or forensics in general. Or, as I sometimes feel, even computers in general. 

So, WTH is an “original” event? Let’s explore this a bit. 

For example, let’s take Windows 7 Event Logs. Before you read further, without focusing too much on the real meaning of “original”, think what you’d consider an original event log record …

Is this original – the EVTX file itself:


Is this – an XML view via Event Viewer on the computer where the log is produced:


Is this – a “friendly” view in the same Event Viewer on the same “original” computer:


As you might know, the above view is actually enriched i.e. has new information added compared to the EVTX file. Does it break the originality?
What if the EVTX file is copied to another computer and then opened in an Event Viewer? It might look a bit different due to various ID dereference operation, and it might enrich the contents with slightly different information.

How about this – exported to CSV at another computer. Is this still original?


And what about the one that is converted to syslog in a similar fashion? What if, or horror, TABs are replaces with spaces? Smile

So, what’s the lesson here?  Obsession about “original”, “native”, raw” logs is just not a useful pursuit and it dead-ends pretty quickly.

Instead, you need a clearly understood and documented path of all event records that unambiguously tracks all changes to event records (removals, addition of details, modifications of contents, new headers, etc), not fake and impossible quest for “originality.” For additional reference on trusting logs, check out what Eric Fitzerald wrote about log trust back in the days of his ownership of the Event Log.

Possibly related posts:

Dr Anton Chuvakin