Windows EVTX Log Format

About four years ago I added Windows' EVTX audit log analysis to my Audit Monitoring Framework (AMF) code base. AMF is the foundation library to a number of my software tools, including Audit Explorer, Data Fence, and Audit Viewer.

Unfortunately, at the time there seemed to be very little detailed information about using Windows auditing (configuring auditing and analyzing the data) and virtually nothing about the underlying binary data format of the log files in case you wanted to write your own tools. That led to a large number of experiments and reverse engineering of the data. The results of that work was two documents:

Windows 7 Auditing: An Introduction

Windows 7’s auditing system can provide a rich source of information to detect and analyze a wide range of threats against computer systems. Unfortunately few people know this auditing system exists much less how to turn it on and configure it. This paper provides step-by-step instructions to configure a simple audit policy useful for understanding how data was exfiltrated from the computer.

Windows 7 Security Event Log Format

Windows security event log provides a rich source of information to detect and analyze a wide range of threats against computer systems. Unfortunately Windows' tool to view these logs, Event Viewer, is extremely limited in its functionality. Furthermore, there are very few third-party analysis tools to fill the gap between what the Event Viewer provides and the potential information that can be leveraged from the security event logs. One potential reason for this gap is that the format of these event logs is poorly documented making it very difficult for third-party developers to write tools to analyze the data. This paper documents the event log format, thus providing a blueprint for developers to create native tools to analyze Windows 7 event logs. We begin by providing an overview of the format and key concepts that are needed to understand the details. Then we dive into a detailed description of the syntax of the event log format.

I added the Windows 7 EVTX parsing and analysis capability into AMF, and built a number of internal tools to analyze Windows 7 audit data. I posted a write up and screenshots of an internal version of Audit Explorer analyzing the data: Analyzing Windows EVTX Logs. I also posted a video showing additional analysis tools using data flow analysis to track insiders collaborating to exfiltrate classified information (this was in 2010, well before Edward Snowden): Windows 7 Audit Trails: Exfiltration of the Swift (reproduced below).

I tried to get the government to fund additional R&D on this, but they were never interested. Maybe they didn't think insiders were a problem (cough, cough). Still, the latest version of Data Fence and Audit Viewer have the Windows audit analysis code embedded in the executables. It just isn't exposed. If there is enough interest (ping me on twitter), I'll expose the Windows analysis code.