http://dx.doi.org/10.13089/JKIISC.2018.28.3.591

Study on Windows Event Log-Based Corporate Security Audit and Malware Detection  

Kang, Serim (Dept. of Financial Information Security, Kookmin University)
Kim, Soram (Dept. of Financial Information Security, Kookmin University)
Park, Myungseo (Dept. of Financial Information Security, Kookmin University)
Kim, Jongsung (Dept. of Financial Information Security, Kookmin University)
Abstract
Windows Event Log is the format in which the Windows operating system records system logs and methodically manages information about system operation. An event can be caused by the system itself or by a user's specific actions, and some event logs can be used for corporate security audits, malware detection, and similar purposes. In this paper, we select actions related to corporate security audit and malware detection (external storage connection, application installation, shared folder usage, printer usage, remote connection/disconnection, file/registry manipulation, process creation, DNS query, Windows service, PC startup/shutdown, logon/logoff, power saving mode, network connection/disconnection, event log deletion, and system time change) that can be detected through event log analysis, and we classify the event IDs that occur in each situation. Existing event log tools only provide functions for parsing EVTX files, which makes it difficult to track a user's behavior when they are used in a forensic investigation. We therefore implemented a new analysis tool in this study that parses EVTX files and reconstructs user behavior from them.
Keywords
Windows Event Log; Digital Forensics; Anti-Forensics