• Title/Summary/Keyword: Windows Event Log

Search Result 5, Processing Time 0.081 seconds

XML-based Windows Event Log Forensic tool design and implementation (XML기반 Windows Event Log Forensic 도구 설계 및 구현)

  • Kim, Jongmin;Lee, DongHwi
    • Convergence Security Journal
    • /
    • v.20 no.5
    • /
    • pp.27-32
    • /
    • 2020
  • The Windows Event Log is a Log that defines the overall behavior of the system, and these files contain data that can detect various user behaviors and signs of anomalies. However, since the Event Log is generated for each action, it takes a considerable amount of time to analyze the log. Therefore, in this study, we designed and implemented an XML-based Event Log analysis tool based on the main Event Log list of "Spotting the Adversary with Windows Event Log Monitoring" presented at the NSA.

Study on Windows Event Log-Based Corporate Security Audit and Malware Detection (윈도우 이벤트 로그 기반 기업 보안 감사 및 악성코드 행위 탐지 연구)

  • Kang, Serim;Kim, Soram;Park, Myungseo;Kim, Jongsung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.3
    • /
    • pp.591-603
    • /
    • 2018
  • Windows Event Log is a format that records system log in Windows operating system and methodically manages information about system operation. An event can be caused by system itself or by user's specific actions, and some event logs can be used for corporate security audits, malware detection and so on. In this paper, we choose actions related to corporate security audit and malware detection (External storage connection, Application install, Shared folder usage, Printer usage, Remote connection/disconnection, File/Registry manipulation, Process creation, DNS query, Windows service, PC startup/shutdown, Log on/off, Power saving mode, Network connection/disconnection, Event log deletion and System time change), which can be detected through event log analysis and classify event IDs that occur in each situation. Also, the existing event log tools only include functions related to the EVTX file parse and it is difficult to track user's behavior when used in a forensic investigation. So we implemented new analysis tool in this study which parses EVTX files and user behaviors.

A Study on the Analysis of Validity and Importance of Event Log for the Detection of Insider Threats to Control System (제어시스템의 내부자 위협 탐지를 위한 Event Log 타당성 및 중요도 분석에 관한 연구)

  • Kim, Jongmin;Kim, DongMin;Lee, DongHwi
    • Convergence Security Journal
    • /
    • v.18 no.3
    • /
    • pp.77-85
    • /
    • 2018
  • With the convergence of communications network between control system and public network, such threats like information leakage/falsification could be fully shown in control system through diverse routes. Due to the recent diversification of security issues and violation cases of new attack techniques, the security system based on the information database that simply blocks and identifies, is not good enough to cope with the new types of threat. The current control system operates its security system focusing on the outside threats to the inside, and it is insufficient to detect the security threats by insiders with the authority of security access. Thus, this study conducted the importance analysis based on the main event log list of "Spotting the Adversary with Windows Event Log Monitoring" announced by NSA. In the results, the matter of importance of event log for the detection of insider threats to control system was understood, and the results of this study could be contributing to researches in this area.

  • PDF

Event Log Validity Analysis for Detecting Threats by Insiders in Control System

  • Kim, Jongmin;Kang, Jiwon;Lee, DongHwi
    • Journal of information and communication convergence engineering
    • /
    • v.18 no.1
    • /
    • pp.16-21
    • /
    • 2020
  • Owing to the convergence of the communication network with the control system and public network, security threats, such as information leakage and falsification, have become possible through various routes. If we examine closely at the security type of the current control system, the operation of the security system focuses on the threats made from outside to inside, so the study on the detection system of the security threats conducted by insiders is inadequate. Thus, this study, based on "Spotting the Adversary with Windows Event Log Monitoring," published by the National Security Agency, found that event logs can be utilized for the detection and maneuver of threats conducted by insiders, by analyzing the validity of detecting insider threats to the control system with the list of important event logs.

Analysis of Unexpected Shutdown Based on Windows Event Log(EVTX) and its Applications in forensic (윈도우 이벤트 로그 기반 PC 비정상 종료 분석 및 활용방안)

  • Kim, Ha-Young;Park, Hyeon-Min;Kim, Gi-Bum
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2022.05a
    • /
    • pp.33-36
    • /
    • 2022
  • 이벤트 로그(Event Log)는 윈도우 운영체제에서 시스템 로그를 기록하는 형식으로 시스템 운영에 대한 정보를 체계적으로 관리한다. 이벤트는 시스템 자체 또는 사용자의 특정 행위로 인해 발생할 수 있고, 그러한 이벤트 로그는 시스템의 시작과 종료뿐만 아니라 기업 보안 감사, 악성코드 탐지 등 행위의 근거로 사용될 수 있다. 본 논문에서는 PC 종료 관련 실험을 통해 이벤트 로그와 ID를 분석하였다. 분석 결과를 통해 PC의 정상 및 비정상 종료 여부를 판단하여, 현장 압수·수색 시 해당 저장매체에 대해 선별압수·매체압수의 해당 여부 식별이 가능하다. 본 연구는 현장수사관이 디지털증거 압수·수색 시 절차적 적법성과 증거능력 확보의 근거 활용에 기여할 수 있다.