Windows Event Records and how AIR handles them

Event Log files serve as a crucial repository for log data within the Microsoft Windows OS, archiving a range of events and errors from system components and applications. Windows provides specialized APIs and services for event logging, supplemented by utilities like the Event Viewer for in-depth analysis.

These Event Log files record a huge number of system events, each identified by a Windows Event ID number. Windows events fall into 5 categories: application, security, setup, system and forwarded events, and generally record errors, warnings and informational messages.

Below are two examples of Windows Event IDs whose details show, among other things, when the user’s system connected to a wireless network and which SSID it used, potentially very valuable information to investigators:

  • Event ID 8001: WLAN AutoConfig service has successfully connected to a wireless network.

  • Event ID 8002: WLAN AutoConfig service has successfully disconnected from a wireless network.

As of Windows Vista, these files are generally located in "C:\Windows\System32\winevt\Logs" and come in either ".evt" or ".evtx" formats. The modern ".evtx" format, introduced with Windows Vista, employs an XML-based structure, offering advantages in efficiency, file size, and compatibility over the legacy ".evt" format.

Binalyze AIR will collect (‘dump’) and store the asset’s ‘EVT’ and ‘EVTX’ files when tasked to do so via an Acquisition Profile:

By selecting ‘EVT Records’, AIR will parse the most recent event logs and present them to the investigator in the Investigation Hub. These parsed logs are likely to be those that are the most relevant to any current investigation.

AIR parses 171 specifically selected event types, these being the event entries most commonly found to be valuable in DFIR investigations. The full list of the 171 can be viewed here:

These logs are queried by ‘reverse iteration’, so the most recent log entry is parsed first. For each individual event type, AIR parses the matching entries and presents them to the investigator in the Investigation Hub.

In the Investigation Hub (formerly Consolidated Reports) AIR will collect up to 2695 events for each event type, and these are saved to the Postgres database that supports the Investigation Hub.

Currently we restrict the collection to 200,000 records to avoid bloating the reports with irrelevant data. It is important to remember that the full event log files are available to the investigator when ‘EVT’ and ‘EVTX’ files are selected for collection in an Acquisition Profile.
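As an added illustration of the collection policy described above (example code, not AIR’s own), the following Python models it: records are walked newest-first, only a selected set of Event IDs is kept, each ID stops being collected at a per-type cap, and the whole collection stops at a global cap. The event records and the 9999 "noise" ID are constructed sample values; only the 8001/8002 IDs and the 2695 and 200,000 limits come from this page.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Iterable, NamedTuple


class EventRecord(NamedTuple):
    record_id: int          # position in the log, increasing with time
    time_created: datetime
    event_id: int


# The two WLAN AutoConfig IDs given on this page; AIR's real selection
# list holds 171 IDs, this set is only an assumption for the demo.
SELECTED_EVENT_IDS = {8001, 8002}


def collect_recent_events(records: Iterable[EventRecord],
                          selected_ids: set = SELECTED_EVENT_IDS,
                          per_type_cap: int = 2695,
                          total_cap: int = 200_000) -> list:
    """Reverse-iterate (newest first), keep only selected IDs, and skip a
    type once it hits per_type_cap; stop entirely at total_cap records."""
    newest_first = sorted(records, key=lambda r: r.time_created, reverse=True)
    kept, per_type = [], Counter()
    for rec in newest_first:
        if len(kept) >= total_cap:
            break                      # global limit reached
        if rec.event_id not in selected_ids:
            continue                   # not one of the selected types
        if per_type[rec.event_id] >= per_type_cap:
            continue                   # this type already has its quota
        kept.append(rec)
        per_type[rec.event_id] += 1
    return kept


def build_sample_log(event_ids: list) -> list:
    """Constructed sample log: one record per minute, oldest first."""
    base = datetime(2024, 1, 1, 9, 0, 0)   # constructed timestamp
    return [EventRecord(i + 1, base + timedelta(minutes=i), eid)
            for i, eid in enumerate(event_ids)]


if __name__ == "__main__":
    log = build_sample_log([8001, 9999, 8002, 8001, 8001, 9999, 8002, 8001])
    for rec in collect_recent_events(log, per_type_cap=2):
        print(rec.record_id, rec.time_created.isoformat(), rec.event_id)
```

Lowering the caps in the `__main__` block makes the newest-first behaviour visible: with a per-type cap of 2 only the two most recent 8001 and the two most recent 8002 records survive.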
