Solved

What tools are out there to modify security and event logs on Windows 2003 and Windows 2008

Posted on 2014-11-03
82 Views
Last Modified: 2014-12-04
Hi,

Is it possible for someone to modify the security logs on Windows 2003 and 2008?
What are the tools he could use?

Thanks
Question by: c_hockland

3 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 40420577
Your question needs to be clarified. Are you seeking info about possible attack vectors? Some attacker trying to delete traces?

You cannot modify log files while the eventlog service is running - it won't let you. And offline attacks are quite complicated, too.

But first clarify.
 

Author Comment

by:c_hockland
ID: 40420971
Yes, is it possible for someone to turn off the service and modify entries in the event logs? For example, edit a user name that accessed the server? (Referring to possible attack vectors.)
 
LVL 53

Accepted Solution

by: McKnife (earned 500 total points)
ID: 40421137
I must confess, I have not worried about this too much.
But I found out: if you try to edit the eventlog file offline, the system declares it as corrupted (I just changed one single letter of a username) and creates a new, empty file. The old one remains with the extension .corrupted.evtx.
If, when online, you try to stop that service, it immediately restarts and there is no chance to exchange the file, at least not on my test machine with win8.1.
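A defender-side check for the two symptoms described in the accepted answer (an offline edit leaves a .corrupted.evtx file behind, and the Windows Event Log service should be running and set to auto-start), plus the log-cleared events Windows writes itself. This is an added example, not code from the thread; it assumes a Vista/2008-or-later host with the default log directory %SystemRoot%\System32\winevt\Logs and uses the documented event IDs 1102 (Security log cleared) and 104 (System log cleared).

```powershell
# Added example: audit a Windows 2008+ host for signs of event log tampering.
# Assumes the default log directory below; run from an elevated PowerShell prompt.
param(
    [string]$LogDir = (Join-Path $env:SystemRoot 'System32\winevt\Logs'),
    [int]$LookbackDays = 30
)

$findings = @()

# 1. An offline edit makes the service declare the file corrupted, rename it
#    *.corrupted.evtx and start a fresh, empty log. Any such file deserves a look.
Get-ChildItem -Path $LogDir -Filter '*.corrupted.evtx' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'CorruptedLogFile'
            Detail = "$($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
    }

# 2. The Windows Event Log service should be running and set to start automatically.
#    WMI is used instead of Get-Service so this also works on PowerShell 2.0 hosts.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='EventLog'"
if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
    $findings += [pscustomobject]@{
        Check  = 'EventLogService'
        Detail = "State=$($svc.State) StartMode=$($svc.StartMode)"
    }
}

# 3. Clearing a log is itself logged: Security event 1102 and System event 104.
$since = (Get-Date).AddDays(-$LookbackDays)
$clearEvents = @(
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue
)
foreach ($e in $clearEvents) {
    $findings += [pscustomobject]@{
        Check  = 'LogCleared'
        Detail = "$($e.LogName) event $($e.Id) at $($e.TimeCreated): $(($e.Message -split '\r?\n')[0])"
    }
}

if ($findings.Count -eq 0) {
    'No tampering indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Forward the same three signals to a central log collector so that a cleared or replaced local log cannot hide its own clearing.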
