When you are analyzing a system you might want to document when the system was powered on. One of the best ways to do this is to analyze the Windows event log. However, doing it by hand is time-consuming. Luckily there is an easy way to do this.
We will be using one of the tools from my list of free investigation tools, TurnedOnTimesView, created by Nir Sofer. When you start the tool it shows a list of timestamps when the system was turned on and off. But showing the timestamps from our own system won't do much for forensic analysis; we want the timeline of the evidence system.
Acquiring the required file from the evidence
First, we need to acquire the system event log. This file is named system.evt (Windows 2000/2003 and XP) or system.evtx (Windows 2008 / Vista and up). Open the image using your preferred tool (I use FTK Imager) and browse to the following location:
| Windows version | Location of the system event log |
|---|---|
| Windows 2000, 2003 and XP | [root]\Windows\System32\Config\SysEvent.Evt |
| Windows 2008, Vista and up | [root]\Windows\system32\winevt\logs\system.evtx |
Export the file to a directory containing only this event log.
Once the file has been exported you can close the image browser (e.g. FTK Imager).
TurnedOnTimesView
Download the free tool TurnedOnTimesView here: http://www.nirsoft.net/utils/computer_turned_on_times.html.
Once downloaded, extract the files and run the program (no installation necessary). When it starts it displays a timeline of all the times your own system has been powered on or off. For every period that the computer was turned on, the following information is displayed:
- Startup Time
- Shutdown Time
- Duration
- Shutdown Reason
- Shutdown Type
- Shutdown Process
- Shutdown Code
To load our exported event log, open the Options menu and choose "Advanced Options" (or press F9). In the window that opens, select the following:
- Data Source: External Disk
- Event Log folder on external disk: Select the folder where you exported the system event log.
On systems running Windows 8 and above make sure to select "Consider the sleep/resume events as turn off/on", since these versions of Microsoft Windows actually put the computer into a modified sleep mode when you shut them down.
When you click OK the event log will be processed and TurnedOnTimesView will display the timeline.
Using the View menu you can export a list of all or selected items in HTML format. I find that the best way is to select all items (CTRL+A), copy them to the clipboard (CTRL+C) and paste them into Excel.
This way you can easily filter out certain time ranges and format the timeline in a way that better fits your reporting style.
Please note the following:
TurnedOnTimesView relies on a fixed set of event types to detect when the system was turned off and on. While this works extremely well in my experience, it may miss some event types, mainly on newer releases of Microsoft Windows. As with all tools in forensics, you need to verify your findings and never base your conclusion on a single piece of evidence. If the system was powered off improperly (e.g. someone pulled the plug) the tool cannot detect a shutdown time and displays a red icon next to the item.
Of course, if someone cleared the event log, TurnedOnTimesView will not be able to detect the shutdown/startup times either.
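Because the post advises verifying the tool's timeline against a second source, here is an independent cross-check that reads the exported system.evtx directly with Get-WinEvent and labels the documented Windows power-transition events (boot, clean shutdown, unexpected shutdown, sleep/resume). This is an added example, not code from the original post or from NirSoft; the evidence path, the case folder and the CSV output path are assumptions you replace with your own, and the set of event IDs is the standard Windows set, which may or may not match exactly what TurnedOnTimesView uses internally.

```powershell
# Added example (not part of the original post or of TurnedOnTimesView):
# build a power on/off timeline straight from an exported system.evtx so the
# tool's output can be verified against the raw events.
function Get-PowerTimeline {
    param(
        # Assumed location of the exported log; adjust to your export folder.
        [Parameter(Mandatory)] [string] $LogPath
    )

    # Provider + event ID pairs that mark a power transition. All are documented
    # Windows event IDs. Whether TurnedOnTimesView uses exactly this set is not
    # stated anywhere, which is the point: this is a second source, not a copy.
    $meaning = @{
        'EventLog|6005'                            = 'ON     : Event Log service started (boot)'
        'EventLog|6006'                            = 'OFF    : Event Log service stopped (clean shutdown)'
        'EventLog|6008'                            = 'DIRTY  : previous shutdown was unexpected (logged at next boot)'
        'User32|1074'                              = 'OFF    : shutdown/restart requested by a process'
        'Microsoft-Windows-Kernel-General|12'      = 'ON     : operating system started'
        'Microsoft-Windows-Kernel-General|13'      = 'OFF    : operating system shutting down'
        'Microsoft-Windows-Kernel-Power|41'        = 'DIRTY  : rebooted without a clean shutdown'
        'Microsoft-Windows-Kernel-Power|42'        = 'SLEEP  : entering sleep'
        'Microsoft-Windows-Power-Troubleshooter|1' = 'RESUME : resumed from sleep'
    }
    $ids = 6005, 6006, 6008, 1074, 12, 13, 41, 42, 1

    # Path= in the filter hashtable reads the exported file instead of the live log.
    # Get-WinEvent raises "No events were found" if nothing matches; let that surface.
    $events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = $ids } -ErrorAction Stop

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $key = '{0}|{1}' -f $e.ProviderName, $e.Id
        # Skip IDs that collide with an unrelated provider (e.g. some other source's Id 1).
        if (-not $meaning.ContainsKey($key)) { continue }

        # Rendering the Message needs the provider's resources on the analysis
        # machine; for a log exported from another system it is often empty, so
        # fall back to the raw EventData values, which are always present.
        $detail = if ($e.Message) { $e.Message -replace '\s+', ' ' }
                  else { ($e.Properties | ForEach-Object { $_.Value }) -join ' | ' }

        [PSCustomObject]@{
            # Report in UTC so the timeline does not depend on the analyst's time zone.
            TimeUtc  = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
            Id       = $e.Id
            Provider = $e.ProviderName
            Meaning  = $meaning[$key]
            Detail   = $detail
        }
    }
}

# Usage (paths are assumptions for this example): print the timeline, count the
# dirty shutdowns that TurnedOnTimesView would flag with a red icon, and write a
# CSV that can be filtered in Excel like the post describes.
$timeline = Get-PowerTimeline -LogPath 'D:\case001\export\system.evtx'
$timeline | Format-Table -AutoSize
$dirty = @($timeline | Where-Object { $_.Id -in 6008, 41 })
Write-Host ("{0} power events, {1} unexpected shutdown(s)" -f @($timeline).Count, $dirty.Count)
$timeline | Export-Csv -Path 'D:\case001\power_timeline.csv' -NoTypeInformation
```

Two points matter when comparing this output with the tool. Event 6008 is written during the boot that follows an unclean power-off, so its TimeCreated is the next startup and the last time the system was known to be running is only in the Detail column; that is exactly the gap behind the red icon in TurnedOnTimesView. On Windows 8 and above the sleep (42) and resume (Power-Troubleshooter 1) rows are the ones the "Consider the sleep/resume events as turn off/on" option turns into off/on entries, so expect them to stand in for 6006/6005 on those systems. Get-WinEvent also accepts the legacy SysEvent.Evt file for the XP-era path in the table above.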