Windows Event Records and how AIR handles them

AIR v4.23 enables users to fully customize event log collections based on specific channels, event IDs, and collection parameters, making investigations more efficient and precise.

When discussing Windows Event Logs, it’s important to understand two key concepts: channels and event IDs.

1. Channel: A channel in Windows Event Logs refers to a specific "log" or source of events. Windows organizes event logs into several channels, each dedicated to logging specific types of events. Examples of commonly investigated channels include:

   • Application: Logs events from applications running on the system.

   • Security: Logs security-related events, such as logon attempts or resource access.

   • System: Logs system-level events, including hardware failures and system services.

   • Setup: Logs setup-related events, typically related to Windows installation and updates.

2. In the context of Binalyze AIR, channels can be essential when filtering or triaging specific logs during forensic analysis. Using channels, investigators can isolate relevant events to gain more efficient insights.

3. Event ID: An event ID is a unique identifier for a specific type of event within a channel. Windows assigns an event ID to categorize the nature of the event. For example:

   • Event ID 4624 in the Security channel represents a successful user login.

   • Event ID 6006 in the System channel indicates a system shutdown.

4. Event IDs are critical for identifying and understanding specific actions or issues in the system. In forensic investigations with solutions like Binalyze AIR, event IDs are used to pinpoint exact events relevant to a security incident, helping investigators build timelines and correlate suspicious activity.

In Binalyze AIR's Investigation Hub, filtering by channels and event IDs allows analysts to narrow down logs quickly to focus on those most relevant to an investigation​​​.

Key Features introduced in AIR v4.23:

• AIR will now allow users to collect and present all event logs OR

• Define specific channels for event log collection.

• Users can select event IDs from the AIR list of over 200 of the most commonly used in DFIR or manually add custom channels and event IDs.

• With event ID selections made an additional parameter is required:

  • Select the number of records to collect OR

  • Select date ranges for log collection, allowing for targeted log retrieval.

How It Works:

A new Event Log Records configuration tab has been added to the “New Acquisition Profile” wizard:

If you are already building an acquisition profile you will eventually come to the EventLogs section and you will not notice a new configuration button which will take you to the Event Log Records tab as discussed above:

To enable this feature switch on the EVT Log Records by toggling on the switch shown below and then either:

• Choose from a predefined list of 201 event IDs or,

• Input custom channel and event IDs using the Add New Event Type option.

The example below demonstrates how to manually add an event ID that is not included in the 201 provided by AIR. This is typically only necessary for rare, specialized cases, as the 201 event IDs cover the most common scenarios comprehensively:

Once configured, the new Acquisition Profile will be saved and can be reused in future investigations by selecting it from the Acquisition Profiles Library.

When running an Acquisition Profile that includes event log records, users must select between two additional Event Log Records Configurations options:

1. Collect last ‘N’ records – This gathers the most recent ‘N’ records for each event ID, in the example below this is set to 4000:

1. Collect records between start and end dates – In the example below we have used the date/time picker to choose the last 24 hours option and you can see those dates/times are automatically populated in the start and end boxes:

The dates and times selected in the 'picker' align with the target asset's system date and time settings, as displayed in the browser.

These features enable highly focused and relevant data collection, drastically reducing the manual effort needed to filter out unnecessary data and ensuring that critical events are captured during investigations.

Here’s a list of what some may consider the top ten event IDs often used to support DFIR Investigations:

1. Event ID 4624 - Successful Account Logon Tracks successful user logins, essential for identifying legitimate access.

2. Event ID 4625 - Failed Account Logon Logs failed login attempts, useful for detecting brute-force attacks.

3. Event ID 4776 - Credential Validation Indicates whether a user's credentials were successfully validated by a domain controller.

4. Event ID 4688 - Process Creation Records every process started on the system, useful for spotting suspicious activity.

5. Event ID 4648 - Logon Using Explicit Credentials Detects when credentials are used for network logon, helping track lateral movement.

6. Event ID 4663 - Object Access Logs when an object (like a file or folder) is accessed, crucial for monitoring sensitive data access.

7. Event ID 4698 - Scheduled Task Creation Captures when a scheduled task is created, often used by attackers for persistence.

8. Event ID 4719 - Audit Policy Change Tracks changes to audit policies, which may indicate an attempt to cover tracks.

9. Event ID 1102 - Audit Log Cleared Logs when the security log is cleared, a common indicator of malicious activity.

10. Event ID 4672 - Special Privilege Assigned Monitors when special privileges (like admin rights) are assigned, helping detect privilege escalation.