Page 1: Abstract · Web viewB. Charter, 2008 EVTX and Windows Event Logging. White paper, SANS Institute InfoSec Reading Room, accessed online  32949 (28-08-2012). < >. ...

WINDOWS EVENT LOG INTERPRETER AND VISUALISER

Quang Do, Jia Ming Looi, Alexander Stewart, Yu Wang


TABLE OF CONTENTS

Abstract
1. Introduction
2. Background
2.1 Visualisation
2.1.1 Scatter Plot Graphs
2.1.2 Tree Maps
2.1.3 Heat Maps
2.1.4 Bar Graphs
2.1.5 Timetables
2.1.6 What are the problems with Current Digital Forensics Visualisations?
2.2 Windows Event Logs
2.2.1 Drawbacks
2.3 Gaps In Knowledge
3. Software Package
3.1 Design Principles
3.2 System Infrastructure
3.3 User Interface
4. Conclusion and Future Work
4.1 Future Work
4.2 Conclusion
Appendix A
Event IDs
Disabled By Default
References


ABSTRACT

Windows event log files are a source of valuable information about the use of a particular computer at a given time, and have the potential to be an important resource in the field of digital forensics. This paper explores what information can be retrieved from the analysis of Windows system event logs, specifically the Windows Vista/7 EVTX event logs, and covers how this information can be displayed efficiently and concisely for use in a police e-crime investigation.


1. INTRODUCTION

Windows event logs in the binary EVT format have been part of the Windows NT family since before Windows 2000. They were initially used to track incidents relating to hardware and software failures on a working machine, to assist with the recovery of lost data and to prevent the same issues from recurring. Since then the Windows event log has evolved into the EVTX format, introduced with the release of Windows Vista. The new logging format includes a more detailed and complete range of error-reporting features (B. Charter, 2008).

In the modern age, Windows event logs are used for a variety of other tasks. In addition, they are a potential source of electronic evidence in a digital forensic investigation, of both traditional criminal activity and cybercrime: the logs can serve as proof that certain events occurred on a given Windows machine, such as, but not limited to, the time a user logged in and the time the user logged off. The range of possible events relevant to a digital forensic investigation has until now been a vague and generally unknown topic. These details are investigated throughout this paper in order to aid future investigations.


2. BACKGROUND

2.1 VISUALISATION

Information visualisation is a mature field, with a wide range of techniques and technologies that have already been applied successfully to many domains (Krasser, Conti, Grizzard, Gribschaw, & Owen, 2005). Work by Krasser et al. (2005), for instance, highlights how visualisations can be used to examine large sets of data, in their case network security data. The tools they developed enabled rapid scanning of large data sets and facilitated 'at a glance' insights supporting the monitoring of network traffic and intrusion detection. It is envisaged that these types of techniques could readily be applied to a digital forensics context and extended to support exploration of multiple sets of data from many digital evidence sources.

Teelink & Erbacher (2006), for example, demonstrated how visualisation techniques can aid investigators in their forensic data analysis. The interactive capabilities of the visualisation tools presented in their study speed up the digital forensics process by reducing the time required to identify 'suspicious' files. Their tool shows file size, access times, creation date, file owner and file type as metadata to the investigator, and also attempts to create links between files using pattern matching techniques. Investigators can also preview the contents of each file shown in the visualisation. The tool was primarily aimed at identifying hidden or 'suspicious' files on a system and examined only one data source at a time. Essentially the results compare an investigator's ability to find files using standard Linux search tools (ls, grep, find, locate) with their ability to find the same files using the visualisation tool. In the majority of cases presented, study participants were consistently quicker at finding the required files when using the visualisation tool (Teelink & Erbacher, 2006).

With the acquisition of log data comes the need for ways of interpreting that data usefully. One such method of interpretation is visualisation, which uses visual formats to present information effectively. Various visualisation techniques are explored and presented in this section.

As visualisation methods are extremely varied, the general uses of the visualisations shown are examined. The advantages and disadvantages of each type of visualisation are presented, along with a description of the style.


2.1.1 SCATTER PLOT GRAPHS

FIGURE 1 - EXAMPLE OF A PLOT GRAPH

A scatter plot graph places a point at each interval of the data and, in the form used here, joins the points with a line to show the trend. The X axis generally carries time and the Y axis a discrete count.

ADVANTAGES:

A plot graph is relatively easy for any user to understand. For a set of event log data, it could display login times or shutdown times; suspicious or unusual trends over a time frame could then be found and analysed further using a more detailed plot graph, text, or another visualisation.

It is also simple to add functionality in the form of UI features. For example, clicking a particular point in Figure 1 could show, in a separate area of the UI, specific information about each of the events, such as start-ups, occurring in that month. The ability to zoom in and out of the data according to the user's needs would also be useful. Different viewpoints give different views of the data, and with them an idea of the log owner's computing habits.

DISADVANTAGES:

A problem with scatter plot graphs is that they are not always useful, or even possible, for certain sets of data. Information such as the specific details of a particular event cannot be displayed in scatter plot form, and data with few records would also be better suited to a different visualisation.


2.1.2 TREE MAPS

FIGURE 2 - EXAMPLE OF A TREE MAP

Tree maps use nested rectangles to visualise information. The size and contents of a particular part of the data are visible, and the level of detail displayed can be varied to suit the data set.

ADVANTAGES:

The main advantage of tree maps is that they are extremely easy to read, which also makes it easy to take in large amounts of information quickly. They can be exported as images and printed, as they generally have no interactive components, although interactivity can be added later. From a digital forensics standpoint their uses are similar to those of a plot graph: a larger box means more of a certain event, the same trend that would appear as a higher point on a plot graph. The main difference between a tree map and a scatter plot graph is that tree maps are not limited to time-based data.

DISADVANTAGES:

For a tree map to be preferable to a scatter plot graph in terms of usefulness, additional functionality must be added. Programming a tree map can be difficult, as the range of the data affects the look of the map. As with scatter plot graphs, small data sets, such as the times the system clock was changed, are not very useful when visualised in this format.


2.1.3 HEAT MAPS

FIGURE 3 - EXAMPLE OF A HEAT MAP

Heat maps are a method of visualisation that can show information that may not be noticeable, or even visible, in other forms of visualisation. Blue areas are those containing little information or low counts, moving through green, yellow and orange to red for the highest values. Trends can therefore be read from the orange and red areas, and the blue areas ignored.

ADVANTAGES:

Like many graphical visualisations, heat maps are designed to show trends in data. What makes heat maps useful is that, unlike tree maps and scatter plot graphs, which lay information out along a single axis of time, a heat map can set two time dimensions against each other, for example day of the week against hour of the day. This can show patterns such as weekly computer access or monthly trends that other forms of graphical visualisation cannot. As the information is not limited to one chronological direction, significantly more information can be displayed at once.

DISADVANTAGES:

As with most forms of graphical visualisation, small data sets are much less useful. A particular problem with heat maps is that even with plenty of data, too wide a range between values leaves the resulting map functionally useless. As such, heat maps are only useful in specific circumstances.


2.1.4 BAR GRAPHS

FIGURE 4 - EXAMPLE OF A BAR GRAPH

Bar graphs are one of the simplest methods of visualising data. They are easily interpreted by anyone and are easier to look at than purely textual presentations.

ADVANTAGES:

Bar graphs have the distinct advantage of being easily interpreted by almost anyone. They are easy to create and portable, which makes them ideal for a court scenario. Differences between data sets, such as occurrences of an event per month, can be displayed in ascending or descending order.

DISADVANTAGES:

A major problem with bar graphs is that they are not very useful for large volumes of data, particularly of the kind encountered in digital forensics. In the same visual space many other visualisations can display more information; scatter graphs, for example, give a better representation of time-based information.


2.1.5 TIMETABLES

FIGURE 5 - EXAMPLE OF A HEATMAP BASED TIMETABLE

A timetable exploits specifically time-based information to give the user details. By adding colour coding and numbers, further information can be presented; higher numbers could indicate trends in the data set.

ADVANTAGES:

Timetables are used by almost everyone to plan their day-to-day lives, so a visualisation based on one is instantly graspable. A timetable also offers the ability to combine visualisation styles: in Figure 5, a heat map colour key has been added to a normal timetable, giving a visualisation that contains a large amount of useful information in an easy-to-read format. Additional UI functionality can be incorporated easily thanks to the simple nature of the visualisation.

DISADVANTAGES:

As with bar graphs, many types of data cannot be displayed in a timetable, including counts of events and other non-time-based information. Very long or very short time periods would be better visualised with a different method, such as scatter plot graphs, and heat maps are better suited to long periods of time with large numbers of events in them.


2.1.6 WHAT ARE THE PROBLEMS WITH CURRENT DIGITAL FORENSICS VISUALISATIONS?

Windows event logs are currently a much underutilised part of the Windows operating system, and there is very little in the way of programs dedicated to analysing them. Several of the analysis programs that do exist are critiqued below.

WINDOWS EVENT VIEWER

Currently, the default Windows event logging application presents all of its information as text. This makes it extremely tedious to find trends in the data, as well as being unfriendly to the user. From a forensic standpoint, few of the default views it provides are useful; there is no list of chronological logins, for example. It is possible to narrow the data down with custom views, but this requires knowing the event IDs of the specific events of interest, of which there are hundreds.

There are no non-textual visualisations to present large amounts of information concisely. To find trends, a user must count the occurrences of each event by hand.

In terms of the digital forensics process, the Windows Event Viewer gives the user the means to identify digital evidence, but the user must read through the records presented manually in order to find the evidence they need. It supports preservation to the extent that a log can be saved to a file. Copying the .evtx file itself does not alter it, although an export made through the viewer from a live log is a new file rather than the original, so for evidential purposes the log file (or the disk image containing it) should be acquired and hashed. The viewer also renders the binary XML of the .evtx files into a human-readable form, and can open saved logs from other machines as well as the live logs of the current one. What it lacks, and what the main focus of this paper is, is the presentation of this digital evidence.

The bulk of the information given by the Windows Event Viewer is aimed squarely at a technically minded user. Although further information can be produced and reported on by an expert, such a program is of little use to an average computer user. As such, the Windows Event Viewer does not satisfy this step of the digital forensics process.

SECURE BYTES WINDOWS EVENT LOG ANALYSER

This event log analyser by Secure Bytes is a more user-friendly version of the default Event Viewer. The information it displays is again textual, so trends and common events remain difficult to locate. It does provide a nested-box visualisation that shows which events occur on which day and which subcategory they belong to, and this is where it is more useful to a digital forensics investigator than the default Event Viewer: it makes it easier to narrow down on events that may be relevant to the investigation. It still does not accommodate the average PC user.

LOG PARSER

Once again, this application outputs only text. Furthermore, using it requires a strong knowledge of SQL along with knowledge of event IDs, which makes it an application aimed at advanced users and experts. User friendliness is very limited, although this is also what makes the program extremely flexible. Presentation and reporting of the data is once again not addressed.

ADVANCED EVENT VIEWER

This program is similar to the default Windows Event Viewer but is aimed more at networks with servers. The information it gives is quite extensive, but once again only text based.

The problem with all of these applications is that they do not provide the specific information that is useful from a digital forensics standpoint. They mainly provide general information in a format in which it is difficult to find the important data efficiently. All of them satisfy the first three steps of the digital forensics process, identifying, preserving and analysing the data. Where they all fall down is the presentation, and therefore the reporting, of this information.


2.2 WINDOWS EVENT LOGS

A Windows event log entry is written when a component of the system reports an event to the logging service. The spectrum of possible events is vast, but the main categories are:

- Security events
- Application events
- Setup events
- System events

The primary purpose of these logs is to give system administrators as much information as possible about their Windows machine, whether it is a large business server or a single home desktop.

Several very useful kinds of event are only recorded once the system administrator has enabled them. These include the auditing of file accesses, modifications, deletions and moves. Depending on the circumstances, therefore, certain information may or may not be available to the viewer of the logs. A list of the events that we have found useful to a forensic investigator is included in the Appendix.

Event logs in the binary EVT format, stored on the local machine, have been a standard feature of the Windows NT family since before Windows 2000. This format stored information that could assist with debugging if a Windows machine had an application or system failure. The EVT format was superseded by the EVTX format with the release of Windows Vista in 2007. The new format serves the same purpose, with more information included for each record, more detailed descriptions and some new security access details (B. Charter, 2008).

2.2.1 DRAWBACKS

With the power to log almost every action on a Windows machine come several drawbacks.

Because the Windows event logging service runs on the very machine that investigators wish to gather data from, a user of that machine with administrator privileges can stop the service or clear the logs, and so falsify the record. The logs do carry some markers of this: the System log normally records the Event Log service stopping and starting (event IDs 6006 and 6005), and clearing the Security log writes event ID 1102, "The audit log was cleared", as the first record of the new log. An administrator who can stop the service can also remove those markers, however, so a period with no records may be either a quiet machine or a gap in collection, and the log itself cannot say which. Forwarding events to a separate collector as they are written (Windows Event Forwarding) is the usual mitigation, since a copy held off the machine is beyond the local administrator's reach.
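As an added example (not part of the paper or its tool), the following PowerShell pulls the markers just described out of offline .evtx copies and lists the silent stretches between consecutive records. The file paths and the 12-hour threshold are assumptions; the event IDs 1102, 6005 and 6006 are the standard Windows ones.

```powershell
# Added example: tamper markers and silent periods in offline event logs.
$LogPath     = 'C:\evidence\Security.evtx'   # assumption: Security log copied from the machine under examination
$SystemLog   = 'C:\evidence\System.evtx'     # assumption: System log from the same machine
$MaxGapHours = 12                            # assumption: a silent stretch longer than this is worth a look

# 1102 "The audit log was cleared" is the first record of a freshly cleared Security log;
# 6006/6005 in the System log record the Windows Event Log service stopping and starting.
Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Marker'; e = { 'Security log cleared' } }

Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 6005, 6006 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Marker'; e = { if ($_.Id -eq 6006) { 'Event Log service stopped' } else { 'Event Log service started' } } }

# Silent stretches: -Oldest returns records in chronological order, so each record is
# compared with its predecessor. A gap is only a lead; the log cannot prove what caused it.
$events = @(Get-WinEvent -Path $LogPath -Oldest)
$gaps = for ($i = 1; $i -lt $events.Count; $i++) {
    $delta = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
    if ($delta.TotalHours -gt $MaxGapHours) {
        [pscustomobject]@{
            From  = $events[$i - 1].TimeCreated
            To    = $events[$i].TimeCreated
            Hours = [math]::Round($delta.TotalHours, 1)
        }
    }
}
$gaps | Format-Table -AutoSize
```

Event 6006 is also written at every clean shutdown, so a stop/start pair on its own means little; it is the combination of a service stop, a gap, and an absent or out-of-place 1102 that deserves attention, ideally cross-checked against a collector that received the events as they were written.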

Another problem with the Windows event logging system is that many useful features are disabled by default. These include the auditing of file access, deletion and moving. Two things must be enabled by the system administrator before such events appear: the audit policy for object access, and a system access control list (SACL) on the files or folders of interest stating which principals and which kinds of access are to be audited. This is practical in, say, a company or university network where the administration owns and operates the computers on the campus or in the office.
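The two halves of that configuration, as an added example rather than anything from the paper, look like this on a machine you administer. The target folder is an assumption; the commands must run from an elevated PowerShell (version 5 or later for the `::new` syntax), and event IDs 4663 (object access) and 4660 (object deleted) are the standard Security log IDs that the settings produce.

```powershell
# Added example: enable file-system auditing (policy + SACL) and confirm it produces events.
$Target = 'C:\Data\Contracts'   # assumption: folder whose access you want recorded

# Step 1: audit policy. Object access events (4663 access, 4660 delete) are only generated
# while the "File System" subcategory is enabled; auditpol is the built-in tool for this.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: the SACL. Policy alone records nothing; each object must name the principals and
# the access rights to audit. This audits reads, writes and deletes by anyone, and is
# inherited by files and subfolders.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Target -Audit      # -Audit is required to read (and therefore keep) the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Step 3: verify both halves, then look for the first 4663 records in the live Security log.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Target -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Object';  e = { $_.Properties[6].Value } },   # ObjectName field of the 4663 template
        @{ n = 'Account'; e = { $_.Properties[1].Value } }    # SubjectUserName field
```

On a domain-joined machine the advanced audit policy pushed by Group Policy overrides whatever auditpol sets locally, so step 1 belongs in the GPO there. The volume this produces is exactly the bloat the next paragraph warns about; audit only the rights and the folders you will actually need to answer questions about.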

Because Windows logs so many events, the logs can also be bloated with unimportant information such as hardware interrupts, Windows updates, disk defragmentation, routine security audits and the like.


2.3 GAPS IN KNOWLEDGE

OVERVIEW

Current event log analysis applications do not appear to provide any form of graphical visualisation. Almost all of their output is textual, which is an unwieldy way to represent a large amount of information. More on these applications can be found in section 2.1.6.

Little has been done to address the graphical representation of this data. Newer versions of Microsoft Windows include an application called the Reliability Monitor, which gives a very basic overview of a system's health based on its event logs. It uses a timetable-based approach, with icons marking errors on particular days at particular times. This seems to be the most graphical visualisation of Windows event logs currently available, but it is of little use from a digital forensics point of view.

On the research side, more has been done to address the lack of event log visualisations than in the available software. A. Makanju et al. proposed a tree map style for visualising the events occurring within a network, in which a standard tree structure is used to build the graphical tree representation from events such as email login failures and connections. C. Simache et al. use area charts and pie charts based on data collected from Windows NT and Windows 2000 event logs. Those would have used the older .evt format rather than the current .evtx standard, but the visualisations are still relevant to our project. That research was based on several machines, whereas our visualisations are based on a single machine.

Another problem with current approaches to Windows event log data is that programs try to be very general in order to attract a wider audience. This in turn means users are expected to search manually for whatever data they consider useful; there are few or no guidelines or suggestions as to what to look for. Although this keeps the application powerful, for the average computer user it also means the powerful features remain unused. An easy-to-use application that presents data relevant to digital forensics in a useful format is not currently available.

The focus of this project is to represent the event log information in useful ways using both text and graphical visualisations. The gap we are addressing is therefore the practicality of these visualisations and the capabilities of the Windows event logs.

A further gap is the ease of use of such a program, as current event log analysis programs are very hard for the average PC user to use. We will address which information would be useful to the investigator, along with making the software package accessible to average PC users.


3. SOFTWARE PACKAGE

3.1 DESIGN PRINCIPLES

The design of the software tool was strongly influenced by the priorities expressed by two forensic analysts during preliminary discussions held to determine the expected functionality of the tool.

In these discussions it emerged that the forensic analysts knew little about Windows event logging beyond its existence. It was therefore deemed necessary that the tool present data in a way that promotes information and knowledge discovery from the data extracted from the event logs: surfacing occurrences of event types the user had no prior knowledge of, and supplying the information needed to understand what caused each event.

To achieve this, it was decided that the tool should centre on an interactive visualisation of the event log information. The user is presented with a scatter plot that plots the number of events per month over a range running from the oldest recorded event in the log to the newest. This display of the complete set of events is called the main view [reference to figure]. Interaction is supported by allowing the user to click a point on the scatter plot, which drills down to a scatter plot of the selected month with one point per day [reference to figure]. The month view can be drilled down further to a single day by clicking a point in it [reference to figure].

Each view has a corresponding list containing preliminary details of the individual events that, once aggregated, form the information displayed in the current visualisation [reference to figure]. An individual event can be selected so that detailed information about it is presented in a message box [reference to figure]. This information is pulled from a knowledge base reachable over the Internet at ultimatewindowssecurity.com, which streamlines what would otherwise be a common manual step: a user who does not know a particular event would look it up in such a knowledge base anyway. Note that this ties the analysis workstation to Internet access and discloses the event IDs being researched to a third party; the description rendered from the provider's own message resources, where those are available on the analysis machine, needs no network.

As specific knowledge of particular events is not expected, filters are provided that extract subsets of events likely to be of particular interest from the total set, so that visualisation and analysis can be focused on that subset. The set of pre-set filters is easily extended by a programmer, as users are expected to want it to grow with event types found useful through experience and through the discovery facilitated by the interactive visualisation. A custom filter option lets the user quickly apply a filter that has not been programmed in as a pre-set [reference to figure].


Beyond the main scatter plot visualisation presented within the views, additional non-interactive visualisations are presented through the tool's reporting function. These additional visualisations are the bar graph and the bubble graph [reference to figure].

3.2 SYSTEM INFRASTRUCTUREThe system was developed in C Sharp using object-orientated programming principles and has a two-tier software architecture consisting of.

The data layer, which are event logs in the form of .evtx files.

The logic and presentation layer, which contains logic to process data fed from the data access layer such that it can be presented through the visualisations.

The data layer consists of the Windows event logs as stored in the proprietary .evtx file format. It was deemed appropriate solely focus upon the .evtx file format and not support the older .evt format, as the .evtx format will be the prevailing format through the foreseeable future and instances of the usage of the legacy .evt format will continue to become increasingly rare. A data access component of the software extracts data from .evtx log files by using the System.Diagnostics.Eventing.Reader software library provided by Microsoft.

The logic and presentation layer was developed using the System.Windows.Forms library, which provides the controls used to implement the main interactive scatter plot visualisation in the tool's views. This layer is fed data by calling the methods exposed by the data layer. The additional visualisations are built on the Microsoft.Reporting.WinForms library, which has the advantage of also providing printing and zooming controls.
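As an added illustration (not the project's own code) of how the data layer and the filters described in section 3.1 fit together: the program below hashes the log file before parsing it, builds an XPath query from either a named pre-set or a user-typed list of event IDs, and reads the matching records through System.Diagnostics.Eventing.Reader. The pre-set names, the default file name and the argument convention are assumptions; it targets .NET Framework on Windows, where the reader library is available.

```csharp
// Added example, not code from the report's tool. Reads a saved .evtx file
// through System.Diagnostics.Eventing.Reader, applying a pre-set or custom
// event ID filter, after recording the file's SHA-256 for the case notes.
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Security.Cryptography;

static class EvtxFilterDemo
{
    // A pre-set filter is a named list of event IDs. These two sets are
    // illustrative (assumed names); extend the dictionary to add more.
    static readonly Dictionary<string, int[]> Presets = new Dictionary<string, int[]>
    {
        ["Logon"]    = new[] { 4624, 4625 },
        ["Wireless"] = new[] { 8000, 8001, 8002 },
    };

    // Hash taken before any parsing so the analyst can show the copy examined
    // is the copy collected. FileShare.Read: we never open the file for writing.
    static string Sha256Hex(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "").ToLowerInvariant();
    }

    // XPath in the form the reader accepts: *[System[(EventID=4624 or EventID=4625)]]
    static string XPathForIds(IEnumerable<int> ids)
    {
        var terms = new List<string>();
        foreach (var id in ids) terms.Add("EventID=" + id);
        return "*[System[(" + string.Join(" or ", terms) + ")]]";
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is an exported .evtx file, args[1] a pre-set name
        // or a comma-separated custom list such as "4688,1102".
        string path = args.Length > 0 ? args[0] : "Security.evtx";
        string filterName = args.Length > 1 ? args[1] : "Logon";

        Console.WriteLine("sha256 " + Sha256Hex(path));

        int[] ids = Presets.ContainsKey(filterName)
            ? Presets[filterName]
            : Array.ConvertAll(filterName.Split(','), s => int.Parse(s.Trim()));

        // PathType.FilePath reads the saved file; PathType.LogName would read a live channel.
        var query = new EventLogQuery(path, PathType.FilePath, XPathForIds(ids));
        using (var reader = new EventLogReader(query))
        {
            EventRecord rec;
            while ((rec = reader.ReadEvent()) != null)
            {
                using (rec)
                {
                    // Normalise to UTC before bucketing by day or comparing machines
                    // whose clocks sit in different time zones.
                    DateTime when = rec.TimeCreated.HasValue
                        ? rec.TimeCreated.Value.ToUniversalTime()
                        : DateTime.MinValue;
                    Console.WriteLine($"{when:u}\t{rec.Id}\t{rec.ProviderName}");
                }
            }
        }
    }
}
```

Filtering in the query rather than after reading matters for large Security logs: the reader only materialises the records that match, which is the difference between seconds and minutes on a multi-gigabyte export.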

3.3 USER INTERFACE

FIGURE 6 - DEFAULT APPLICATION WINDOW

Upon loading an .evtx file, the application resembles Figure 6. Along the top of the application is the menu bar, as used in most Windows applications; it gives quick access to options without obstructing the screen. Below the menu bar, on the left, is a table listing every event in the log, which lets experts view the contents of the log directly in raw form. Double clicking an event in this table generates and displays a report on that event ID.

FIGURE 7 - EVENT ID REPORT

Below the table of all the events is the monthly breakdown. Each row gives the total number of events in that month, along with counts for any event IDs the user has specified. By selecting a month row and double clicking it, or by pressing the Show button, the user opens the contents of that month in a new window. The labels can also be turned off in order to see the trend more clearly.

FIGURE 8 - MONTH VIEW

The month view window contains the information pertaining to the selected month. It presents another visualisation of the data, this time restricted to that month and split by day. The monthly data can be broken down further by activating the checkboxes; each adds a line to the visualisation containing only the events with the chosen ID. Hovering the mouse cursor over a red point in the graph shows a tooltip with information such as the number of events on that day. Once again, a complete list of the events occurring in the month is available for experts in the bottom left corner of the window. Above it is the day selector; double clicking any day in the month opens the day view window.

FIGURE 9 - ACTIVATING A CHECKBOX IN THE MONTH VIEW

FIGURE 10 - DAY VIEW

The final window is the day view window. It contains the information for a single day, broken down by time of day. Once again, checkboxes are available to narrow the view to particular event IDs and to show or hide the labels. The complete list of events occurring on the day is in the bottom left, and above it is a tabular form of the graph.

Returning to the default application window, its right-hand side is similar to that of the month and day views. One difference is the ability to select a date range for the events. At the bottom of the default window is the progress bar, which lets users check on the progress of loading and reloading .evtx files. Above it is the status box, containing the path of the currently loaded file.

UI DECISIONS

All of the tables in the application are read-only; none of the displayed data can be changed manually by the user. This ensures the visualisations remain an accurate representation of the data in the event log file, in keeping with the digital forensics principle of preserving evidence. Read-only controls only prevent edits through the interface, however: the log file itself must also be opened for reading only (the data layer never writes to it), and recording the file's hash before analysis is what lets an investigator show that the copy examined is unchanged.

[I think we need more on why we chose certain user interface elements, as compared to directly describing the elements]

4. CONCLUSION AND FUTURE WORK

4.1 FUTURE WORK

Our current software package includes several filters and filter configurations, but the Windows event logs are so extensive that we were unable to include every event that could be of use to a digital forensics investigator. For this reason a custom text box was included so the user can enter an event ID manually, and the system will generate visualisations based on that ID. One way to improve this feature would be to add pre-sets organised by investigative question, such as time-based information, logon-based information or Internet connections. Each pre-set would list the associated event IDs along with explanations.

Another possible extension would be the ability to combine several event IDs into one visualisation, for example a line graph whose Y axis is the total of logon and logoff events. This would be useful for determining how often a system was used in a given time frame.
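An added example, not code from the report's tool, covering both the per-month and per-day breakdown behind the month and day views (section 3.3) and the combined-series idea just described. It works over a small constructed set of (timestamp, event ID) pairs so that it runs without a log file; in the tool the pairs would come from EventRecord.TimeCreated and EventRecord.Id. The sample data and the choice of 4634 as the logoff event are assumptions (4634 is the standard Security logoff event but is not listed in the appendix).

```csharp
// Added example, not the project's code: month/day/hour breakdowns and a
// combined multi-ID series, computed with LINQ over constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;

static class EventBreakdown
{
    public struct Ev
    {
        public DateTime When; public int Id;
        public Ev(DateTime when, int id) { When = when; Id = id; }
    }

    public sealed class Row
    {
        public string Bucket;              // "2012-09" (month), "2012-09-14" (day) or "2012-09-14 08" (hour)
        public int Total;                  // all events in the bucket
        public Dictionary<int, int> ById;  // counts for the IDs the user ticked
    }

    // The bucket function decides the granularity, so one routine serves the
    // monthly breakdown, the month view (per day) and the day view (per hour).
    public static List<Row> Breakdown(IEnumerable<Ev> evs, Func<DateTime, string> bucket, params int[] track)
    {
        return evs.GroupBy(e => bucket(e.When))
                  .OrderBy(g => g.Key, StringComparer.Ordinal)
                  .Select(g => new Row
                  {
                      Bucket = g.Key,
                      Total = g.Count(),
                      ById = track.ToDictionary(id => id, id => g.Count(e => e.Id == id)),
                  })
                  .ToList();
    }

    // One series built from several IDs, e.g. logon 4624 plus logoff 4634,
    // for a "how much was the system used" graph.
    public static List<Row> Combined(IEnumerable<Ev> evs, Func<DateTime, string> bucket, params int[] ids)
    {
        return Breakdown(evs.Where(e => ids.Contains(e.Id)), bucket);
    }

    static void Main()
    {
        // Constructed sample, not real log data: a quiet day, then a day with a
        // burst of failed logons (4625) that the day view should make obvious.
        var t0 = new DateTime(2012, 9, 14, 8, 0, 0);
        var d1 = t0.AddDays(1);
        var sample = new List<Ev>
        {
            new Ev(t0, 4624), new Ev(t0.AddHours(9), 4634),
            new Ev(d1, 4624), new Ev(d1.AddHours(8), 4634),
            new Ev(d1.AddMinutes(1), 4625), new Ev(d1.AddMinutes(2), 4625),
            new Ev(d1.AddMinutes(3), 4625), new Ev(d1.AddMinutes(4), 4625),
            new Ev(d1.AddMinutes(5), 4624),
            new Ev(t0.AddDays(20), 100),      // a boot event
            new Ev(t0.AddMonths(1), 4624),
        };

        Console.WriteLine("Monthly breakdown (total, 4624, 4625):");
        foreach (var r in Breakdown(sample, d => d.ToString("yyyy-MM"), 4624, 4625))
            Console.WriteLine($"  {r.Bucket}  {r.Total,3}  {r.ById[4624],3}  {r.ById[4625],3}");

        Console.WriteLine("Days in 2012-09 ranked by failed logons:");
        var sept = sample.Where(e => e.When.Year == 2012 && e.When.Month == 9);
        foreach (var r in Breakdown(sept, d => d.ToString("yyyy-MM-dd"), 4625)
                          .OrderByDescending(r => r.ById[4625]))
            Console.WriteLine($"  {r.Bucket}  {r.ById[4625]}");

        Console.WriteLine("Logon + logoff per day (combined series):");
        foreach (var r in Combined(sample, d => d.ToString("yyyy-MM-dd"), 4624, 4634))
            Console.WriteLine($"  {r.Bucket}  {r.Total}");
    }
}
```

Ranking days by a single ID is the non-visual counterpart of the zoom-in workflow described in section 4.1: it answers "which day carried the spike" without the analyst having to read the graph.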

Currently, the information in an event ID report is obtained by parsing an online website. An investigator's machine would therefore need Internet access to view these reports and understand the event IDs, which could mean exposing a system holding important and sensitive information to the Internet. A further improvement would be an offline database containing this information. Access would then be faster and safer, and the application more portable. A second reason this would be useful is that there are so many event IDs that no single website on the Internet documents every one; with an offline database, a user could add definitions for event IDs not yet in the system.
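An added sketch, not code from the tool, of the offline lookup proposed above. It first asks the record itself for its message text through EventRecord.FormatDescription(), which renders from the provider's message resources installed on the analysis machine and so yields nothing for providers that machine lacks; it then falls back to a local CSV the investigator maintains, where new IDs can be added as the text suggests. The CSV file name and column layout are assumptions.

```csharp
// Added example, not the project's code: offline event ID descriptions with
// two tiers (provider-rendered message, then a local CSV), no web access.
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;

sealed class EventIdCatalogue
{
    // Key "provider|id"; a key with an empty provider ("|4624") acts as a wildcard.
    readonly Dictionary<string, string> _local =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Assumed CSV layout: provider,id,description (provider may be blank).
    // Descriptions may contain commas, so split on the first two only.
    public EventIdCatalogue(string csvPath)
    {
        if (!File.Exists(csvPath)) return;
        foreach (var line in File.ReadLines(csvPath))
        {
            if (line.Length == 0 || line.StartsWith("#")) continue;
            var parts = line.Split(new[] { ',' }, 3);
            if (parts.Length < 3) continue;
            _local[parts[0].Trim() + "|" + parts[1].Trim()] = parts[2].Trim();
        }
    }

    public string Describe(EventRecord rec)
    {
        string rendered = null;
        try { rendered = rec.FormatDescription(); }   // null or throws when the provider is not installed
        catch (EventLogException) { }
        if (!string.IsNullOrWhiteSpace(rendered)) return rendered;

        string text;
        if (_local.TryGetValue(rec.ProviderName + "|" + rec.Id, out text)) return text;
        if (_local.TryGetValue("|" + rec.Id, out text)) return text;
        return $"No local description for {rec.ProviderName} event {rec.Id}; add it to eventids.csv.";
    }

    static void Main(string[] args)
    {
        // Assumptions: args[0] is an exported .evtx file; eventids.csv sits beside the binary.
        var catalogue = new EventIdCatalogue("eventids.csv");
        using (var reader = new EventLogReader(new EventLogQuery(args[0], PathType.FilePath)))
        {
            for (int shown = 0; shown < 20; shown++)
            {
                EventRecord rec = reader.ReadEvent();
                if (rec == null) break;
                using (rec)
                    Console.WriteLine($"{rec.ProviderName} {rec.Id}: {catalogue.Describe(rec)}");
            }
        }
    }
}
```

Keying the CSV by provider as well as ID matters because event IDs are only unique within a provider: 100 is a boot event for Diagnostics-Performance but means something else in other logs, so a bare ID lookup can mislabel records from a log the catalogue was not written for.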

The application currently does not include all the visualisations outlined in this document. This means some angles of the data may not be addressed. A possible future work is to include further visualisations, including those not covered in this document. The current visualisations in the application are also very static. An improvement to this would be the ability to interact with these graphs. For example, with a normal scatter plot line graph, a user could use their mouse wheel to zoom in and out on the data. The visualisation would change to reflect this, providing either a bird’s eye view or close-up version of the information. This could be useful, for example, in viewing why a particular event’s occurrence was so high in a certain year. By zooming in, the user could quickly see which month, then day, that the event or events occurred on.

4.2 CONCLUSION

The information available from Windows event logs is extensive and useful. The problem is that very few programs are designed to work with these logs from a digital forensics viewpoint. This is where our software package fits in. It provides detailed visualisations that help in identifying trends and anomalies in the data, and it addresses the need for such a program to be user friendly so that it caters for all types of users.

APPENDIX A

EVENT IDS

Event Subcategory                 Event ID      Event Description
Logon                             4624          Gives the exact time a user logs on, along with the logon method (local, Remote Desktop, etc.).
Logon                             4625          Gives the exact time an incorrect password is entered on a Windows machine. Does not seem to log incorrect attempts made at a lock screen.
None                              903, 904      An application was installed.
None                              907, 908      An application was uninstalled.
None                              10000, 10001  Gives wireless information.
AcmConnection                     8000          Connecting to a wireless network.
AcmConnection                     8001          Successfully connected to a wireless network.
AcmConnection                     8002          Failed to connect to a wireless network.
None                              300           Triggered when a user closes a Microsoft Office application with unsaved modifications; also triggered by other Microsoft Office alerts. Includes the file name of the document.
Boot Performance Monitoring       100           Windows has booted. Also gives the time and duration of the boot.
Shutdown Performance Monitoring   200           Windows has shut down; gives the time and duration of the shutdown.

DISABLED BY DEFAULT

These events are only recorded once the corresponding audit policy subcategory is enabled (and, for 4663 and 4660, a system access control list has been set on the object).

Event Subcategory                 Event ID      Event Description
File System                       4663          A file was accessed. Gives the file name, time of access and the user who accessed it.
File System                       4660          A file (or other object) was deleted. Gives the same information as above.
File Share                        5140          A network share was accessed.
