WINDOWS EVENT TRACE LOGS. SANS DFIR Summit 2018 Nicole Ibrahim G-C Partners, LLC

Transcription

1 Nicole Ibrahim

2 WINDOWS EVENT TRACE LOGS SANS DFIR Summit 2018 Nicole Ibrahim G-C Partners, LLC

3 WHO AM I What I do Forensic examiner, researcher and developer with G-C Partners, LLC Why I do it Artifact junkie Always looking for new artifacts Why I m here Spread the knowledge So much data Need others to help

4 AGENDA Looking at ETLs from a Forensics standpoint. What are Event Trace Logs? Why are they created? How can we decode them? What information do they provide? Limitations and caveats

5 WINDOWS EVENT TRACE LOGS Event Tracing for Windows (ETW) sessions stored to disk ETW was released with Windows 2000 ETL file extension Similar to EVT/EVTX files Found in numerous locations on Windows systems Not all ETLs are present on all systems

6 WHY ARE THEY CREATED? Windows performance, debugging, troubleshooting Kernel tasks that run at startup and shutdown Power diagnostics and sleep studies Developer debugging Tracing can be enable at any point and for any reason during an applications runtime Stacks and calls Think application crash but really can be anything that the developer chooses to monitor Administrative tasks Manually execute event traces for the system and store to disk for later review

7 WHAT DO THEY CONTAIN? All types of information, from Cortana searches to nearby WiFi SSIDs Header Data Session information Event Data Timestamps Provider and event names Process and thread ID Level and Task The payload

8 ETW TECHNOLOGIES Managed Object Format (MOF) Kernel events use this In CIM repository Trace Message Format (TMF) Uses PDBs and PE files Manifest-based Uses files formatted as XML Need to be registered on the system Requires the resourcefilename and messagefilename from the manifest to properly decode data (Full absolute path on the system) Tracelogging (TL) Necessary decoding information is embedded into ETL Introduced with Windows 10

9 SO, HOW CAN WE DECODE THEM? Windows Event Viewer Built-in tool Microsoft Message Analyzer Free tool download from Microsoft Windows SDK tools Several development tools available when you install SDK ETL Viewer C# tool written by G-C Partners TraceLogging ETLs are not understood in Windows versions prior to 10 All tools have limitations in decoding/parsing ETLs from other systems

10 WINDOWS EVENT VIEWER Within Event Viewer, open an ETL by using the Open Saved Log Basic data displayed Displays some data incorrectly as if the ETL originated from the current system Does not always decode payload

11 WiFi.etl: Event Viewer knows how to parse this record

12 MICROSOFT MESSAGE ANALYZER Download free tool from Microsoft and configure Powerful at decoding event data Learning curve Reports are configurable and exportable Still does not parse all events Provides more rich data than Event Viewer

13

14 ETL VIEWER Simple user interface Categorizes by event name Still does not parse all payloads Instead it dumps the payload to human readable

15

16 COMMON ETL FILES C:\Windows\System32\WDI\LogFiles BootCKCL.etl ShutdownCKCL.etl SecondaryLogOnCKCL.etl WdiContext.etl.<###> C:\Windows\System32\WDI\<GUID>\<GUID> snapshot.etl C:\Windows\System32\LogFiles\WMI Wifi.etl LwNetLog.etl C:\Windows\System32\SleepStudy UserNotPresentSession.etl abnormal-shutdown-<yyyy>-<mm>-<dd>-<hh>-<mm>-<ss>.etl user-not-present-trace-<yyyy>-<mm>-<dd>-<hh>-<mm>-<ss>.etl ScreenOnPowerStudyTraceSession-<YYYY>-<MM>-<DD>-<HH>-<MM>-<SS>.etl

17 BOOTCKCL C:\Windows\System32\WDI\LogFiles\BootC KCL.etl Overwritten each time the system is booted Kernel events captured during the boot process Processes Threads DiskIO FileIO Image loading (DLLs, EXEs,..) Forensics Processes that ran at last boot Persistence mechanisms Malicious tools Scheduled tasks that are set to run at boot or user logon File handles across all attached drives Determine what DLLs were loaded by a process Commands run

18

19

20 SHUTDOWNCKCL C:\Windows\System32\WDI\LogFiles\Shutd ownckcl.etl Overwritten each time the system is shut down Kernel events captured during the shut down process Running processes Running Threads Images loaded (DLLs, EXEs,..) Forensics Processes that were running when system last shut down Malicious tools Determine what DLLs were loaded by a process Commands run

21

22

23 WIFI TRACES C:\Windows\System32\LogFiles\WMI\Wifi.etl Not fully parsable yet WPP events requiring PDBs and DLLs WiFi network related events: WiFi Configuration AutoConfig information Forensics Nearby network SSIDs WiFi configuration MAC Addresses Network status changes Possibly more data

24

25 ENERGY-NTKL TRACES C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\ energy-ntkl.etl Power diagnostics System configuration Logical drives Physical drives NIC Process and Thread Services More Forensics Detailed information about internal and external drives Running services Processes

26

27

28

29 WDICONTEXTLOG TRACES C:\Windows\System32\WDI \LogFiles\ WdiContextLog.etl.### Information related to user logon Explorer Startup Executing from Run key Executing from Startup key

30

31 OTHER OBSERVED ETLS Over 80 observed different ETL files Some only contain the Trace Header Others contain varying amounts and kinds of information

32 CAVEATS Logs overwritten Circular Logs with no event data ETL files with size of zero Carving may be possible Timestamps and sessions Snapshots Decoding challenges Symbols from older software builds cannot be matched New software build/os updates Stripped symbols So much data

33 QUESTIONS? Nicole Ibrahim Consultant G-C Partners,