Analytical Study on Forensic Relevance of Windows Event Logs

Abstract

Event logs are crucial records automatically maintained by computer systems to track activities and operations. They serve as a key source of information for system administrators and forensic investigators to monitor, audit, and analyse both normal and suspicious activities. This research study explores the forensic relevance of Windows event logs. It further discusses the tools and techniques employed for log analysis, recovery, and centralization, emphasizing their role in enhancing organizational cybersecurity and forensic readiness.

Introduction

Event logs are automatically generated records of system, application, and security activities crucial for system monitoring, cybersecurity, and digital forensics. Logs contain key details like timestamps, event IDs, user actions, and are used for:

• Detecting unauthorized access

• Tracing system/user behavior

• Incident response and forensic analysis

• Supporting compliance and audits

Tools such as Splunk, IBM QRadar, and FTK Imager help collect, analyze, and recover event logs, especially in Windows environments via the Event Viewer.

2. Related Works

Past research emphasizes:

• Logs help detect system anomalies and insider threats

• Security logs reveal failed login attempts, policy violations

• System logs are valuable for predicting failures

• Setup logs assist in OS upgrade failure analysis

• Forwarded logs centralize data, enhancing enterprise visibility
  There remains a gap in recovering deleted logs, especially setup logs, motivating deeper forensic investigation.

3. Methodology and Log Types

A. Application Logs

• Record internal application activities: errors, crashes, user inputs, and performance metrics.

• Key Tools:

  • Splunk, ELK Stack, Graylog (real-time monitoring)

  • FTK Imager, Autopsy, Recuva (forensic recovery)

• Log Deletion & Recovery: Often removed by policy or attackers. Tools or system backups (like Shadow Copy) are used for recovery.

• Prevention: Enforce permissions, centralized logging, use WORM storage, and backup logs regularly.

B. Security Logs

• Capture authentication, privilege use, access attempts

• Used for incident timelines, digital evidence, and compliance

• Key Tools: Splunk, IBM QRadar, LogRhythm, Auditd

• Recovery Methods:

  • Shadow Copy, SIEM platforms

  • Forensic imaging tools for deleted logs

• Prevention: Secure file permissions, log forwarding, cryptographic hashing

C. Setup Logs

• Track Windows installation/upgrade processes

• Real-World Case: Windows 10 → 11 upgrade failures analyzed via setupact.log and setuperr.log

• Diagnostic Tools:

  • SetupDiag (auto analysis)

  • DISM, SFC, Log Parser Studio

• Challenges: Automatic deletion, disk cleanup, retries may overwrite logs

• Forensic Role: Detect corruption, rollback conditions, incompatible drivers

D. System Logs

• Track hardware, drivers, service behavior

• Crucial for troubleshooting, stability, and forensics

• Help identify malware, unauthorized changes, system tampering

• Threats:

  • Log tampering, flooding, disabling log services

  • False entries by attackers

• Detection of Tampering:

  • Look for timestamp gaps, Event ID 104 (log cleared), unusual file sizes

• Tools:

  • Event Viewer, SolarWinds, Log Parser Studio, Splunk, ELK

• Prevention:

  • Audit policies, backups, FIM (File Integrity Monitoring), centralized logging

E. Forwarded Event Logs

• Used to centralize logs from multiple endpoints for easier monitoring

• How it Works: Logs are forwarded from source machines to a central collector (via WEF/WEC)

• Tools:

  • Event Viewer, PowerShell, Wevtutil, ManageEngine

• Benefits: Scalability, improved threat detection, efficient troubleshooting

• Drawbacks:

  • Complex setup, misconfiguration risks

• Log Deletion Concerns: Deletion indicates potential tampering or insider threat

• Recovery: Use forensic tools or retrieve from SIEMs or backups

• Prevention:

  • Restrict admin access, use immutable storage (WORM), enable audit trails

Conclusion

Event logs represent a critical component in digital forensic investigations and cybersecurity operations. In this study, five primary categories of Windows event logs—Application, Security, System, Setup, and Forwarded Event Logs—were examined for their roles in system monitoring, threat detection, and forensic analysis. Each log type was found to provide distinct insights into user behaviour, system processes, and application performance, thereby supporting incident reconstruction and audit compliance. The methodologies employed involved the use of industry-standard tools, including Splunk, FTK Imager, SetupDiag, and Event Viewer, to collect, analyse, and interpret log data. Techniques for detecting log tampering, recovering deleted logs, and preventing unauthorized access were also implemented. It was observed that centralized log collection and the integration of Security Information and Event Management (SIEM) systems significantly enhanced forensic readiness and data integrity. It is concluded that the implementation of secure logging practices, coupled with reliable recovery mechanisms, is essential for maintaining the evidentiary value of event logs. Future research may focus on the adoption of machine learning algorithms for automated anomaly detection and the deployment of tamper-evident or immutable logging architectures to further strengthen cyber defence and forensic capabilities.

References

[1] Y. Gao, H. Kim, and R. Buyya, “Anomaly detection using system logs: A survey,” IEEE Transactions on Services Computing, vol. 14, no. 1, pp. 1–19, Jan.–Feb. 2021, doi: 10.1109/TSC.2019.2905587. [2] H. Duan, Y. Zhang, and X. Li, “Security event log analysis using deep learning,” IEEE Access, vol. 8,pp.120885–120895,2020,doi: 10.1109/ACCESS.2020.3005798. [3] A. Khatuya and B. Mishra, “Application log analysis for anomaly detection in microservices architecture,” in Proc. IEEE Int. Conf. on Big Data (BigData), Atlanta, GA, USA, 2020,pp.2697–2704,doi: 10.1109/BigData50022.2020.9378371. [4] J. Stearley and A. Oliner, “Bad words: Finding faults in spirit’s syslogs,” in Proc. IEEE Int. Conf. on Dependable Systems and Networks(DSN), Edinburgh,U.K.,2007,pp.218–227doi: 10.1109/DSN.2007.56. [5] R. Ahmed and V. Das, “A forensic approach to analysing Windows setup logs,” International Journal of Cyber Forensics, vol. 5, no. 3, pp. 45–58, 2022. [6] N. Tanaka, M. Harwood, and T. Erickson, “Forwarded event logs for distributed monitoring and forensics,” in Proc. IEEE Int. Conf. on Cloud Engineering (IC2E), Orlando, FL, USA, 2018, pp. 190–197, doi: 10.1109/IC2E.2018.00041. [7] D. Becker and L. Wang, “System log mining for early failure prediction,” in Proc. IEEE Int. Conf. on Cloud Computing, San Francisco, CA, USA, 2020, pp.55–62, doi: 10.1109/CLOUD49709.2020.00016. [8] R. McMillen, “Investigating Windows 10 setup logs using SetupDiag,” in Proc. 13th Int. Conf. on Digital Forensics & Cyber Crime (ICDF2C), 2021. [9] S. Rao and H. Kim, “Insider threat detection using security event logs and behavioral analytics,” IEEE Access, vol. 9, pp. 144232–144245, 2021, doi: 10.1109/ACCESS.2021.3120846. [10] N. Hubballi and V. Suryanarayanan, “False alarm minimization techniques in signature-based intrusion detection systems: A survey,” Computer Communications, vol. 49, pp. 1–17, 2014, doi: 10.1016/j.comcom.2014.04.008.

Copyright

Copyright © 2025 Dr. Priya P. Sajan, Archa Rajesh R., Jenani S., Milina S. S., Vaishnavi Devi R., Vishnu Prabha P.. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.