Altering Windows XP Professional Event Logs
Posted on 2005-04-08
We know that it is possible to edit event logs and security logs on a PC running Windows XP Professional. To explain, there is a lawsuit involving timestamps of events that occurred on a particular PC. We need answers to the following:
If someone has administrator access and physical access to a PC, how easy is it for that person to edit and/or delete entries of event logs and security logs, particularly timestamps, and to edit or create new entries in those logs? I've read stories of international hackers doing it all the time to cover their tracks on PCs remotely, but is there a way for someone who is computer savvy but not necessarily a full security expert/hacker to do it if they have physical access to a computer, a tutorial, and/or some sort of Linux boot disk type software to edit it? Or some other way? What I am really looking for is someone to give links to websites that have software that can do this, or website tutorials that show how to do this. How quickly could someone edit the timestamps of the logs or fabricate or delete entire log entries?
More importantly, if this is possible, how can we detect these changes on a hard drive to prove in computer forensics that elements of the event logs have been tampered with, altered or deleted? Is this possible to detect even if they used another operating system, such as a Linux OS on floppy, to make the alterations to the drive?
Is it possible to shift the times of the event logs by simply changing the system clock on the PC (using either Linux or WinXP itself), then changing it back to the real time afterwards and deleting the event log entries that reflect changing the time? If this is possible, how can we detect it?
Background understanding of what we are trying to find out: we are investigating how someone in an office could have easily learned how to alter logs, either by reading a book or a website or with software. How likely is it that someone who may not necessarily be a Windows security expert but is computer savvy could do this? How much planning and time would be required to do this? And, most importantly, how can we figure out how it was done and prove it was done? We are trying to prove that events on the computer took place during a specific time frame, and that the person could have changed the TIMES at which events on the logs occurred to evade detection and shift blame on to someone else.
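On the detection side of the question, the classic Windows XP .evt format gives a forensic examiner two cheap consistency checks: every record carries a sequential record number and two epoch timestamps (TimeGenerated and TimeWritten), so deleted records show up as gaps and a clock set backwards shows up as a record written earlier than its predecessor. The following is an added example, not code from the original post: it builds a small constructed .evt record stream with the standard EVENTLOGRECORD layout (the "LfLe" signature, 56-byte fixed header, trailing length field) and scans it for those indicators, plus the XP Security log events 517 (audit log cleared) and 520 (system time changed). The logon event ID 528 and the base timestamp are assumed sample values.

```python
import struct

REC_FMT = "<I4sIIIIHHHHIIIIII"      # fixed 56-byte EVENTLOGRECORD header
REC_SIZE = struct.calcsize(REC_FMT)
LFLE = b"LfLe"
NOTABLE = {517: "audit log cleared", 520: "system time changed"}  # XP Security log IDs

def build_record(rec_no, t_gen, event_id, t_wr=None):
    """Constructed minimal EVENTLOGRECORD (no strings, SID or data) used as sample input."""
    t_wr = t_gen if t_wr is None else t_wr
    length = REC_SIZE + 4                           # header + trailing length field
    hdr = struct.pack(REC_FMT, length, LFLE, rec_no, t_gen, t_wr, event_id,
                      8, 0, 0, 0, 0, REC_SIZE, 0, REC_SIZE, 0, REC_SIZE)
    return hdr + struct.pack("<I", length)

def parse_records(data):
    """Walk the record stream, yielding (rec_no, time_generated, time_written, event_id)."""
    off = 0
    while off + REC_SIZE <= len(data):
        f = struct.unpack_from(REC_FMT, data, off)
        if f[1] != LFLE or f[0] < REC_SIZE + 4:    # EOF record or corrupt header: stop
            break
        yield f[2], f[3], f[4], f[5] & 0xFFFF       # low word of EventID is the ID itself
        off += f[0]

def find_anomalies(data):
    """Return tampering indicators: sequence gaps, clock regressions, notable events."""
    findings, prev = [], None
    for rec_no, t_gen, t_wr, event_id in parse_records(data):
        if prev and rec_no != prev[0] + 1:
            findings.append(f"gap: record {prev[0]} followed by {rec_no}")
        if prev and t_wr < prev[1]:
            findings.append(f"clock regression: record {rec_no} written before record {prev[0]}")
        if event_id in NOTABLE:
            findings.append(f"record {rec_no}: event {event_id} ({NOTABLE[event_id]})")
        prev = (rec_no, t_wr)
    return findings

# Constructed sample: a clean log, then one with a deleted record and a backdated record
BASE = 1_112_800_000                                      # arbitrary epoch seconds
CLEAN = b"".join(build_record(n, BASE + 60 * n, 528) for n in range(1, 5))
TAMPERED = (build_record(1, BASE + 60, 528) + build_record(2, BASE + 120, 528)
            + build_record(4, BASE + 30, 528) + build_record(5, BASE + 300, 520))

if __name__ == "__main__":
    for finding in find_anomalies(TAMPERED):
        print(finding)
```

A gap alone is not proof, since the service itself wraps and drops old records when the log fills, so the findings are leads to corroborate against the file header's record counters and other timestamp sources on the disk.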