liveem9 asked:
Altering Windows XP Professional Event Logs

We know that it is possible to edit event logs and security logs on a PC using Windows XP Professional. To explain, there is a lawsuit involving timestamps of events that occurred on a particular PC. We need answers to the following:

If someone has administrator access and physical access to a PC, how easy is it for that person to edit and/or delete entries of event logs and security logs, particularly timestamps, and to edit and create new entries in those logs? I've read stories of international hackers doing it all the time to cover their tracks from PCs remotely, but is there a way for someone who is computer savvy but not necessarily a full security expert/hacker to do it if they have physical access to a computer, a tutorial, and/or some sort of Linux boot disk type software to edit it? Or some other way? What I am really looking for is someone to give links to websites that have software that can do this or website tutorials that show how to do this. How quickly could someone edit the timestamps of the logs or fabricate or delete entire log entries?

More importantly, if this is possible, how can we detect these changes on a hard drive to prove in computer forensics that elements of the event logs have been tampered with, altered or deleted? Is this possible to detect even if they used another operating system such as a Linux OS on floppy to make the alterations to the drive?

Is it possible to shift the times of the event logs by simply changing the system clock on the PC (using either Linux or WinXP itself), then changing it back to the real time afterwards, and then deleting the event log entries that reflect changing the times? If this is possible, how can we detect it?

Background understanding of what we are trying to find out: We are investigating how someone in an office could have easily learned how to alter logs, either by reading a book or a website or with software. How likely is it that someone who may not necessarily be a Windows security expert but is computer savvy could do this? How much planning and time would be required to do this? And most importantly, how can we figure out how it was done and prove it was done? We are trying to prove events on the computer took place during a specific time frame, and that the person could have changed the TIMES that events on the logs occurred to evade detection and shift blame on to someone else.
ASKER CERTIFIED SOLUTION
Exchange_Admin
This solution is only available to members.
liveem9 (ASKER)
Are my assumptions correct? If you are reluctant to give a how-to explanation, can you give me a "possible to do", "not possible to do", or "unlikely to do" answer to each of my questions and why? Then can you recommend a reputable computer expert in the Los Angeles area who can give expert witness testimony, because undoubtedly the other party in the case will have their expert witness as well.
liveem9 (ASKER)
Because we have mirror images of the hard drives in evidence, what I will need a "how-to explanation" for is how we do a thorough search on the hard drives to look for traces and footprints that alterations took place.
No offense intended with this statement.
I cannot or will not give explanations about this. Please respect that since this is a message board, people can only assume they are who they say.

Once again I suggest you hire a qualified security expert. Unfortunately I do not know anyone in your area.

Sorry.

Oh by the way, please don't award points to me. If nobody else can or will assist you then ask the moderator for a refund.
CodedK
Hi..

You can google.. and find some answers really quick...
So, answering your question: yes, someone can easily alter the dates, using Google to find out how...

Anyway, I agree with Exchange_Admin... You can't get links to such tools inside EE... :/
Forging logs is not difficult for somebody with physical access to the PC. It is not difficult to make it undetectable, *unless* there are relevant logs stored in a central location... like domain login events stored on the domain controllers. Specific steps to demonstrate how this can be done would depend on the details of *exactly* what they want to change and what external connections the PC may have that would generate

It is relatively easy to falsify in an undetectable way on an individual PC, but more difficult without creating contradictions with logs on any central servers. It all depends on how the network is configured.
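As an added illustration of the consistency checks the points above imply (this is example code, not part of any answer on this page): Windows event records carry a sequential record number and a write time, so a timestamp that runs backwards against record order, a hole in the record-number sequence, or an entry that a central copy holds but the local log lacks are the kinds of contradictions a forensic reviewer looks for. The tuple representation and the sample data are constructed for the example.

```python
"""Consistency checks over simplified Windows event-log records.
A record is (record_number, time_generated as epoch seconds, event_id);
the representation and sample data are constructed for this example."""
from typing import Dict, List, Tuple

Record = Tuple[int, int, int]

def find_time_regressions(records: List[Record]) -> List[Tuple[int, int]]:
    """Record numbers are handed out sequentially, so the write time should
    never decrease as the record number increases. Return the (prev, cur)
    record numbers where it does: each is a candidate clock set-back."""
    ordered = sorted(records)
    return [(a[0], b[0]) for a, b in zip(ordered, ordered[1:]) if b[1] < a[1]]

def find_sequence_gaps(records: List[Record]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) ranges absent from the record
    sequence; removing individual entries leaves such holes."""
    numbers = sorted(r[0] for r in records)
    return [(a + 1, b - 1) for a, b in zip(numbers, numbers[1:]) if b - a > 1]

def find_missing_locally(local: List[Record], central: List[Record]) -> List[Record]:
    """Entries a central collector recorded that the local log no longer holds.
    Record numbers differ between the two copies, so match on (time, event_id)."""
    seen = {(r[1], r[2]) for r in local}
    return [r for r in central if (r[1], r[2]) not in seen]

# Constructed Security-log sample (XP event IDs: 528 logon, 592 process
# created, 520 system time changed): record 105 is stamped earlier than 104,
# records 107-108 are absent, and one logon exists only in the central copy.
LOCAL_LOG: List[Record] = [
    (101, 1_100_000, 528), (102, 1_100_600, 592), (103, 1_101_200, 528),
    (104, 1_101_800, 520), (105, 1_098_000, 592), (106, 1_102_400, 520),
    (109, 1_103_000, 528),
]
CENTRAL_COPY: List[Record] = [
    (7, 1_100_600, 592), (8, 1_101_200, 528), (9, 1_101_500, 528),
]

def audit(local: List[Record], central: List[Record]) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "time_regressions": find_time_regressions(local),
        "sequence_gaps": find_sequence_gaps(local),
        "missing_locally": find_missing_locally(local, central),
    }
```

On a workgroup with no central collector only the first two checks apply, which is exactly why the answer above says a stand-alone PC is harder to catch.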

liveem9 (ASKER)
So you know the configuration: there is no domain server; 6 computers are connected merely by workgroup. There was no central domain server. Would that make a difference in seeing if logs were altered? I need some way to prove alterations took place, please focus on that.
SOLUTION
This solution is only available to members.