Friday, March 6, 2026

Windows Forensic — Audit Log Cleared


picoCTF is a computer security game run by Carnegie Mellon University (CMU), aimed at high school and university students as a place to demonstrate their skills.

Photo credit: PicoCTF

Description

One of the employees at your company has their computer infected by malware! Turns out every time they try to switch on the computer, it shuts down right after they log in. The story given by the employee is as follows:
  1. They installed software using an installer they downloaded online
  2. They ran the installed software but it seemed to do nothing
  3. Now every time they boot up and log in to their computer, a black command prompt screen quickly opens and closes and their computer shuts down instantly.
See if you can find evidence for each of these events and retrieve the flag (split into 3 pieces) from the correct logs!
The analysis of Windows Event Logs should follow the digital forensic methodology recommended by the National Institute of Standards and Technology (NIST SP 800-86), which includes the stages of collection, examination, analysis, and reporting.

Collection of digital evidence


1️⃣ Evidence Identification
File Name: Windows_Logs.evtx
Source: Employee Workstation (PicoCTF). Download the Windows Log file here
Evidence Type: Windows Event Log



2️⃣ Evidence Preservation

Get-FileHash defaults to SHA-256, so the algorithm must be named explicitly to obtain the MD5 and SHA-1 values recorded below:

PS> Get-FileHash Windows_Logs.evtx -Algorithm MD5
PS> Get-FileHash Windows_Logs.evtx -Algorithm SHA1

MD5  checksum: 630F28FF65702E0794256E87172C39CB
SHA1 checksum: 7D242525D3A1FA26923821F9C4416A895BB3C7F6

Step             | Action
Receive evidence | Investigator
Calculate hash   | SHA1, MD5
Store copy       | Forensic workstation

3️⃣ Create Working Copy
Windows_Logs_original.evtx > Windows_Logs_analysis.evtx
4️⃣ Evidence Examination
Forensic tools
  • Event Viewer
  • PowerShell

Examination of forensic artifacts


5️⃣ Event Log Classification

Log Type | Description
Security | Authentication events

6️⃣ Identify Suspicious Events

Event ID | Description
1102     | Audit Log Cleared
1033     | Windows Installer
4657     | Registry Value Modified
1074     | System Shutdown


Event Analysis: Event ID 1102 – Audit Log Cleared
The screenshot shows a Windows Security Event Log entry with Event ID 1102. In digital forensic investigations, Event ID 1102 is considered a highly suspicious event because it may indicate an attempt to remove evidence from the system.

Attackers or malicious software may clear logs in order to:

  • hide malicious activities

  • remove traces of system compromise

  • prevent investigators from reconstructing the attack timeline

Therefore, this event is often associated with anti-forensic behavior.


Event Analysis: Event ID 1033 – Windows Installer Activity
The screenshot shows a Windows Application Event Log entry with Event ID 1033, generated by the Windows Installer service. However, the Manufacturer field contains an encoded value, which is unusual and may indicate hidden information:

cGljb0NURntFdjNudF92aTN3djNyXw==

This format resembles Base64 encoding, a common encoding method used to represent binary or text data.
Malicious software installers sometimes embed encoded or obfuscated values in metadata fields to:
  • hide commands
  • store configuration data
  • conceal indicators of compromise



Event ID 4657 – Registry Value Modified 
The screenshot shows a Windows Security Event Log entry with Event ID 4657, which indicates that a registry value has been modified on the system.

The presence of Event ID 4657 suggests that the installed program modified the Windows Registry, which may indicate that malware created a persistence mechanism.

Event ID 1074 — System Shutdown Initiated

The screenshot shows a Windows System Event Log entry with Event ID 1074, which records that a process initiated a system shutdown or restart.

Relationship to the Incident Scenario

The employee reported:

1️⃣ They installed software downloaded from the internet
2️⃣ The software appeared to do nothing
3️⃣ A command prompt briefly appears during login
4️⃣ The computer shuts down immediately

The forensic evidence supports this narrative.

Evidence Correlation Timeline

Analysis and timeline reconstruction


7️⃣ Timeline Reconstruction

Time     | Event ID | Event
03:55:14 | 1102     | Audit log cleared
03:55:57 | 1033     | Software installed
03:56:19 | 4657     | Registry modified
05:02:35 | 1074     | System shutdown
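As an added example (not part of the original write-up), the following Python script reproduces the examination steps above on constructed, simplified event records: it keeps only the four event IDs, decodes any field that looks like Base64 (including the Manufacturer value quoted above), and sorts the survivors into a timeline. The XML layout, field names and dates are simplified assumptions; a real .evtx file would first be exported to XML (for example from Event Viewer) before being fed to build_timeline.

```python
import base64
import re
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPICIOUS = {1102: "Audit log cleared", 1033: "Software installed",  # IDs from the write-up
              4657: "Registry modified", 1074: "System shutdown"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def maybe_decode_b64(value):
    """Return decoded text if value looks like Base64-encoded ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = {d.get("Name") or f"Data{i}": d.text or ""  # positional key if unnamed
            for i, d in enumerate(root.iter(f"{{{NS['e']}}}Data"))}
    return {"id": int(sysnode.find("e:EventID", NS).text),
            "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
            "channel": sysnode.find("e:Channel", NS).text, "data": data}

def build_timeline(records):
    """Keep only suspicious events, decode Base64-looking fields, sort by time."""
    timeline = []
    for ev in map(parse_event, records):
        if ev["id"] in SUSPICIOUS:
            ev["label"] = SUSPICIOUS[ev["id"]]
            ev["decoded"] = {k: d for k, v in ev["data"].items() if (d := maybe_decode_b64(v))}
            timeline.append(ev)
    return sorted(timeline, key=lambda e: e["time"])

def make_record(eid, channel, time, data):
    # Constructed, simplified event XML used only as a fixture here.
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Channel>{channel}</Channel></System><EventData>{body}</EventData></Event>')

# Constructed sample records (dates assumed); the Manufacturer value is the one quoted in the post.
SAMPLE = [
    make_record(4624, "Security", "2026-03-06T03:50:00Z", {"TargetUserName": "user"}),
    make_record(1074, "System", "2026-03-06T05:02:35Z", {"param1": r"C:\Windows\System32\shutdown.exe"}),
    make_record(1102, "Security", "2026-03-06T03:55:14Z", {"SubjectUserName": "user"}),
    make_record(1033, "Application", "2026-03-06T03:55:57Z", {"Manufacturer": "cGljb0NURntFdjNudF92aTN3djNyXw=="}),
    make_record(4657, "Security", "2026-03-06T03:56:19Z", {"ObjectValueName": "Run"}),
]
```

The unrelated 4624 logon record is dropped and the remaining four come back in the same order as the timeline table, with the Manufacturer field decoded.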


Reporting and documentation of findings


Investigation Conclusion

The analysis of Windows Event Logs revealed a sequence of suspicious events.

Key findings include:

  • Installation of potentially malicious software

  • Registry modification suggesting persistence mechanism

  • Programmatic system shutdown initiated by shutdown.exe

These events indicate a likely malware infection affecting the system.

Further investigation should include:

  • malware analysis

  • registry artifact examination

  • disk forensic analysis


Ref: 

PicoCTF

Digital forensic analysis conducted according to:

    • NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response

Note: The content on this website is provided for informational and educational purposes only, and as a personal memory aid.

* If any of the information is incorrect, I apologize; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
