Abstract
All operating systems employ some form of logging mechanism to track and record user activity, and Microsoft Windows is no exception. Log analysis is an important part of the Windows forensic process. The Windows event log, introduced as a new feature in Windows NT, has since gone through several major changes and updates, the most recent major update being in Windows 8. This paper first introduces the Windows 8 event log format and then explains methods for analysing the logs for digital investigation and incident handling. The main contributions of this paper are an introduction to the Windows 8 logging service and a forensic examination of it.
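The log analysis the abstract refers to is, in practice, a matter of pulling structured fields out of EVTX records and pivoting on them. The following PowerShell script is an added example written for this page, not code from the paper; it reads logon-related Security events either from the live log or from an acquired .evtx file, using only the built-in Get-WinEvent cmdlet (available on Windows Vista and later, including Windows 8 with PowerShell 3.0). The evidence path C:\Evidence\Security.evtx and the function name Get-LogonTriage are hypothetical placeholders; the event IDs (4624, 4625, 4634, 4672) and field names are the standard ones Windows emits.

```powershell
# Added example, not from the paper: triage logon events from a Windows 8+
# Security event log, live or from an acquired .evtx file.
# Assumptions: Administrator rights for the live Security log; the offline
# path passed to -EvtxPath is a hypothetical placeholder.
function Get-LogonTriage {
    param(
        [string]$EvtxPath = $null,                  # optional acquired .evtx file
        [datetime]$Since = (Get-Date).AddDays(-7)   # look-back window
    )

    # Security event IDs (Windows Vista and later, including Windows 8):
    # 4624 successful logon, 4625 failed logon, 4634 logoff,
    # 4672 special privileges assigned to a new logon.
    $ids = 4624, 4625, 4634, 4672

    # -FilterHashtable pushes the filter into the event log provider, which is
    # far faster than piping every record through Where-Object.
    $filter = @{ Id = $ids; StartTime = $Since }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

    # The structured fields live in the record's XML <EventData> block; pull the
    # ones an investigator correlates on into flat objects.
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Computer  = $e.MachineName
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = $d['LogonType']   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            SourceIp  = $d['IpAddress']
            Process   = $d['ProcessName']
            Status    = $d['Status']      # NTSTATUS on 4625, e.g. 0xC000006A = wrong password
        }
    }
}

# Offline analysis of an acquired log (placeholder path); drop -EvtxPath for the live host.
$rows = Get-LogonTriage -EvtxPath 'C:\Evidence\Security.evtx' -Since (Get-Date).AddDays(-30)

# 1) Failed-logon bursts per source address: password guessing or spraying.
$rows | Where-Object Id -eq 4625 |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10 | Format-Table -AutoSize

# 2) Successful network/RDP logons outside business hours.
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3','10' -and
                       ($_.Time.Hour -lt 7 -or $_.Time.Hour -gt 19) } |
    Sort-Object Time | Format-Table Time, User, Domain, LogonType, SourceIp -AutoSize

# 3) Timeline export for correlation with other artefacts (prefetch, registry, $MFT).
$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\logon_timeline.csv
```

One caveat worth keeping in mind when working from an acquired .evtx: Get-WinEvent resolves the human-readable message text from the message DLLs on the analysis machine, so the rendered Message property can be empty or differ from the original host, but the XML EventData fields the script relies on are stored in the record itself and survive the move.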
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Talebi, J., Dehghantanha, A., Mahmoud, R. (2015). Introducing and Analysis of the Windows 8 Event Log for Forensic Purposes. In: Garain, U., Shafait, F. (eds) Computational Forensics. IWCF 2012, IWCF 2014. Lecture Notes in Computer Science, vol 8915. Springer, Cham. https://doi.org/10.1007/978-3-319-20125-2_13
DOI: https://doi.org/10.1007/978-3-319-20125-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20124-5
Online ISBN: 978-3-319-20125-2
eBook Packages: Computer Science (R0)