
Altering Windows XP Professional Event Logs

We know that it is possible to edit event logs and security logs on a PC running Windows XP Professional.  To explain, there is a lawsuit involving timestamps of events that occurred on a particular PC.  We need answers to the following:

If someone has administrator access and physical access to a PC, how easy is it for that person to edit and/or delete entries of event logs and security logs, particularly timestamps, and to edit and create new entries in those logs?  I've read stories of international hackers doing it all the time to cover their tracks from PCs remotely, but is there a way for someone who is computer savvy but not necessarily a full security expert/hacker to do it if they have physical access to a computer, a tutorial, and/or some sort of Linux boot disk type software to edit it? Or some other way?    What I am really looking for is someone to give links to websites that have software that can do this, or website tutorials on how to do this.  How quickly could someone edit the timestamps of the logs or fabricate or delete entire log entries?

More importantly, if this is possible, how can we detect these changes on a hard drive to prove in computer forensics that elements of the event logs have been tampered with, altered or deleted?  Is it possible to detect even if they used another operating system, such as a Linux OS on floppy, to make the alterations to the drive?

Is it possible to shift the times of the event logs by simply changing the system clock on the PC (using either Linux or WinXP itself), then changing it back to the real time afterwards, and then deleting the event log entries that reflect changing the times?  If this is possible, how can we detect it?

Background understanding of what we are trying to find out:   We are investigating how someone in an office could have easily learned how to alter logs by either reading a book or a website or with software.  How likely is it that someone who may not necessarily be a Windows security expert but is computer savvy could do this?  How much planning and time would be required to do this?  And, most importantly, how can we figure out how it was done and prove it was done?   We are trying to prove events on the computer took place during a specific time frame, and that the person could have changed the TIMES events on the logs occurred to evade detection and shift blame on to someone else.
Asked by liveem9
 
Exchange_Admin Commented:
I think you really need to hire a qualified security expert.

Forgive me if I am wrong, but I would rather err on the side of safety than give information to someone trying to do what you are asking.

liveem9 (Author) Commented:
Are my assumptions correct? (If you are reluctant to give a how-to explanation, can you give me a "possible to do", "not possible to do", or "unlikely to do" answer to each of my questions, and why?)  Then, can you recommend a reputable computer expert in Los Angeles who can give expert witness testimony, because undoubtedly the other party in the case will have their expert witness as well.
liveem9 (Author) Commented:
Because we have mirror images of the hard drives in evidence, what I will need a "how-to explanation" for is how we do a thorough search on the hard drives to look for traces and footprints that alterations took place.
Exchange_Admin Commented:
No offense intended with this statement.
I cannot or will not give explanations about this. Please respect that, since this is a message board, people can only assume that others are who they say they are.

Once again I suggest you hire a qualified security expert. Unfortunately I do not know anyone in your area.

Sorry.

Oh by the way, please don't award points to me. If nobody else can or will assist you then ask the moderator for a refund.
CodedK Commented:
Hi..

You can Google... and find some answers really quick...
So, answering your question: yes, someone can easily alter the dates, using Google to find out how...

Anyway, I agree with Exchange_Admin... You can't get links to such tools inside EE... :/
Carlo-Giuliani Commented:
Forging logs is not difficult for somebody with physical access to the PC.   It is not difficult to make it undetectable, *unless* there are relevant logs stored in a central location... like domain login events stored on the domain controllers. Specific steps to demonstrate how this can be done would depend on the details of *exactly* what they want to change and what external connections the PC may have that would generate

It is relatively easy to falsify in an undetectable way on an individual PC, but more difficult to avoid creating contradictions with logs on any central servers.  It all depends on how the network is configured.

liveem9 (Author) Commented:
So you know the configuration: there is no domain server; 6 computers are connected merely by a workgroup.  There was no central domain server.  Would that make a difference in seeing if logs were altered?  I need some way to prove alterations took place, please focus on that.
Carlo-Giuliani Commented:
If you want to look for evidence that the log contents are false, you will have to provide a lot of detail about exactly what you believe has been falsified.  I don't think it is appropriate to publish those kinds of details about a legal dispute in a public forum.

If somebody did falsify the logs, and there is no domain or other central logging, there may be *no* way to prove they have been modified...unless they were clumsy.  The most you can *prove* is that the logs *could* be falsified.      

Rich Rumble (Security Samurai) Commented:
You can try to prove the alterations took place if you use an "undelete" utility, but as described here, what is even more admissible or actionable are backups of the logs or data. An undelete utility such as the ones offered by Ontrack http://www.ontrack.com/Homepage.aspx?id=3&pagename=Software or LC http://www.lc-tech.com/

The key to data recovery is to make as little change to the drives as possible, so if possible, turn off the PCs, do not boot them. Install them as a secondary drive in another PC, or as a secondary array if they are in a RAID format... you can recover multiple copies of the same files using this software.

You cannot alter the previous entries in a log by simply rolling the time forward or backward; this will only affect the current log entries that take place. They are easily editable in Word or Notepad or any other editing type of program. Event logs can even be copied from one machine to another, and the PC will just append its entries to the NT event logs.

For future reference, you may consider programs like Snare and even Tripwire to monitor changes in vital programs, such as what's possibly happened to you:
http://www.intersectalliance.com/projects/SnareWindows/index.html 
http://www.tripwire.org/downloads/index.php
http://support.microsoft.com/?id=318763#7
With any luck, you'll be able to recover previous versions with around the same size; if you MD5 and/or SHA-1 the logs, and even view them, you can see how they are nearly identical, yet altered. The main thing is to have law enforcement involved in the process, and to have your plan fully laid out and documented.

http://www.cert.org/tech_tips/FBI_investigates_crime.html
http://www.cert.org/security-improvement/modules/m06.html
More info is available at the CERT website, and through the "Computer Forensics" book ISBN# 0201707195
http://www.amazon.com/exec/obidos/ASIN/0201707195/qid=1113271709/sr=2-1/ref=pd_bbs_b_2_1/102-0799277-6368149
and
http://www.amazon.com/exec/obidos/ASIN/0072256753/qid=1113271709/sr=2-3/ref=pd_bbs_b_2_3/102-0799277-6368149
-rich
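As an added illustration of the detection side Rich describes (recovering copies of the log and looking for where they differ), and not code from this thread: the Python below walks the EVENTLOGRECORD structures of an XP-era .evt file and flags the traces that removed, spliced or clock-shifted entries tend to leave behind, namely record-number gaps, timestamps running backwards, a trailing length field that no longer matches, and the Security log's own "system time was changed" audit event (ID 520, recorded only when system-event auditing is enabled). The .evt bytes, the computer name "PC01" and the timestamps are constructed for the example.

```python
import struct

# EVENTLOGRECORD fixed prefix (winnt.h), little-endian: Length, "LfLe", RecordNumber, TimeGenerated,
# TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset; variable data, then Length again.
REC_FMT = "<I4sIIIIHHHHIIIIII"
REC_SIZE = struct.calcsize(REC_FMT)           # 56 bytes
TIME_CHANGED = 520                            # XP Security log event: "The system time was changed"

def build_record(num, t_gen, t_wr, event_id):
    """Constructed sample record: source and computer names only, no SID, no binary data."""
    names = "Security\0PC01\0".encode("utf-16-le")
    total = REC_SIZE + len(names) + 4
    total += (-total) % 8                     # records are padded to 8-byte alignment
    fixed = struct.pack(REC_FMT, total, b"LfLe", num, t_gen, t_wr, event_id, 8, 0, 0, 0, 0,
                        REC_SIZE + len(names), 0, REC_SIZE + len(names), 0, total - 4)
    return fixed + names + b"\0" * (total - len(fixed) - len(names) - 4) + struct.pack("<I", total)

def parse_records(data):
    """Carve LfLe records out of a .evt image; returns (num, t_gen, t_wr, event_id, intact) tuples."""
    off = 0x30 if data[4:8] == b"LfLe" and struct.unpack_from("<I", data)[0] == 0x30 else 0
    recs = []
    while off + REC_SIZE <= len(data):
        length, sig, num, t_gen, t_wr, eid = struct.unpack_from(REC_FMT, data, off)[:6]
        if sig != b"LfLe" or length < REC_SIZE or off + length > len(data):
            off += 1                          # not a record start (EOF marker, slack): scan forward
            continue
        intact = struct.unpack_from("<I", data, off + length - 4)[0] == length
        recs.append((num, t_gen, t_wr, eid, intact))
        off += length
    return recs

def find_anomalies(recs):
    """Flag the traces that deleted, spliced or clock-shifted entries tend to leave behind."""
    issues = []
    for i, (num, t_gen, t_wr, eid, intact) in enumerate(recs):
        if not intact:
            issues.append(f"record {num}: trailing length mismatch (truncated or hand-edited)")
        if eid == TIME_CHANGED:
            issues.append(f"record {num}: system time was changed")
        if i and num != recs[i - 1][0] + 1:
            issues.append(f"record numbering jumps {recs[i - 1][0]} -> {num} (entries removed or spliced)")
        if i and t_gen < recs[i - 1][1]:
            issues.append(f"record {num}: clock went backwards ({recs[i - 1][1]} -> {t_gen})")
    return issues

def sample_log():
    """Constructed .evt image: file header, three clean records, then a gap and a rolled-back clock."""
    t0 = 1113271709                           # constructed base timestamp, Unix seconds
    header = struct.pack("<I4sIIIIIIIIII", 0x30, b"LfLe", 1, 1, 0x30, 0, 6, 1, 0x80000, 0, 0, 0x30)
    return header + build_record(1, t0, t0, 528) + build_record(2, t0 + 60, t0 + 60, 592) + \
        build_record(3, t0 + 120, t0 + 120, TIME_CHANGED) + build_record(5, t0 - 3600, t0 - 3600, 592)
```

Run `find_anomalies(parse_records(open("Security.evt", "rb").read()))` against a recovered copy; a clean log yields an empty list, and comparing the lists (or the hashes Rich mentions) across several recovered versions shows where they diverge.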
Rich Rumble (Security Samurai) Commented:
Split
-rich