Saturday, 29 September 2012

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minister Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Friday, 28 September 2012

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members.

I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh

Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive:

BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look.

Thank you Packt for sharing part of your library with us!

Wednesday, 26 September 2012

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them.

If you want to start a debate/argument/flamewar in security, pick any of the following.

  1. "Full disclosure" vs "responsible disclosure" vs whatever else
  2. Threat intelligence sharing
  3. Value of security certifications
  4. Exploit sales
  5. Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
  6. Reality of "cyberwar"
  7. "Builders vs Breakers"
  8. "Security is an engineering problem," i.e., "building a new Internet is the answer."
  9. "Return on security investment"
  10. Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"

Tuesday, 25 September 2012

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture.

Against a sufficiently motivated and equipped adversary, no device is impenetrable.

Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.

Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.

One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks. That's not the same as "zero-day vulnerabilities and clever exploitation techniques" however.

Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?

We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.

Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.

Sunday, 23 September 2012

To Be Hacked or Not To Be Hacked?

People often ask me how to tell if they might be victims of state-serving adversaries. As I've written before, I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile?

A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements.

Adam Segal Tweeted a link to a Xinhua story titled China aims to become world technological power by 2049. The following excerpts caught my attention:

China aims to become a world technological power by 2049 and strives to be a leading nation in innovation and scientific development, according to a government document released on Sunday.

The document, released by the Communist Party of China Central Committee and the State Council, or the Cabinet, namely opinions on "deepening technological system reform and accelerating national innovation system construction," sets the goal for the country to be "in the ranks of innovative nations" by 2020...

In this intro we read two key dates: 2020 for "in the ranks of innovative nations" and 2049 for a "world technological power." As we've seen during the last 10-12 years, one of the ways China pursues these goals is to steal intellectual property from target industries. What are those industries?

The development of strategic emerging industries, such as energy preservation and environmental protection, new-generation information technology, biology, advanced equipment manufacturing, new energy and material as well as green vehicles, should be accelerated, it said.

Major breakthroughs of key technologies should be materialized in sectors including electronic information, energy and environment protection, biological medicine and advanced manufacturing, it said.

Those industries have already been targeted and compromised by Chinese intruders. If you work in these areas but aren't actively seeking to detect and respond to Chinese intruders in your enterprise, I recommend taking a closer look at who is using your network.

Later in the document I was somewhat surprised to read the following:

And technological innovation should be made in industries that were related to people's livelihoods, such as health, food and drug safety, and disaster relief, the document said.

The industries named there (health, food and drug safety, and disaster relief) explain some activity I've seen recently, and it may be a warning for those of you in those sectors.

The last part of the document I would like to mention says the following:

It called for an enhanced system to integrate the technologies for military use and those for civilian purposes.

The document said the nation's technological plan would be more open to the outside world in terms of cooperation, and international academic institutions and multinational companies would be encouraged to set up R&D centers.

None of that is new, but it shows the Chinese commitment to applying "dual use" technologies to both sides of that equation. It also shows the Chinese think they can still fool Western companies into sending engineers to China, where stealing IP is as easy as setting foot in an office building. Unfortunately plenty of Western companies appear to be falling for this ploy.

Wednesday, 19 September 2012

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages.

You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them.

Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do?

You decide to take this information to the world via your blog. You found the messages on your own, and you did the work to understand what they mean. If the press reads about your discovery, they'll likely take it farther.

You consider going to the press first, but you decide that it won't hurt to drive traffic to your own blog first. You might even be able to launch that small private investigator practice you've always wanted!

After publishing your post, the press indeed notices, and publishes an expose featuring an interview with you. Several US intelligence agencies also notice. They had been monitoring the dead drop themselves for a year, and had been working a complex joint case against all of the parties you identified. Now all of that work is ruined.

Before the intelligence agencies can react to your disclosure, the targets of their investigation disappear. They will likely be replaced by other agents quickly enough, using other modes of communication unknown to the US agencies. The FIS will alter their operation to account for the disclosure, but it will continue in some form.

That is the problem with irresponsible disclosure. To apply the situation to the digital security world, make the following changes.

  • Substitute "command and control server" for "dead drop."
  • Substitute "tools, exploits, and other digital artifacts" for "messages."
  • When the adversary learns of the disclosure, they move to other C2 infrastructure and develop or adopt new tools, tactics, and procedures (TTPs).

What should the hypothetical "security researcher" have done in this case?

It's fairly obvious he should have approached the FBI himself. They would have realized that he had stumbled upon an active investigation, and counseled him to stay quiet for the sake of national security.

What should "security researchers" in the digital world do?

This has been an active topic in a private mailing list in which I participate. We've been frustrated by what many of us consider to be "irresponsible disclosures." We agree that sharing threat intelligence is valuable, but we prefer to keep the information within channels among peers trusted to not alert the adversary to our knowledge of intruder TTPs.

Granted, this is a difficult line to walk, as I Tweeted yesterday:

Responsible security intel teams walk a fine line between sharing for the benefit of peers and risking disclosure to the detriment of all.

The best I can say at this point is to keep this story in mind the next time you stumble upon a package in the woods. The adversary is watching.

Tuesday, 18 September 2012

Over Time, Intruders Improvise, Adapt, Overcome

Today I read a well-meaning question on a mailing list asking for help with the following statement:

"Unpatched systems represent the number one method of system compromise."

This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment.

I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity over time.

For both opportunistic and targeted threats, when exploiting unpatched vulnerabilities no longer works, over time they will escalate to attacks that do work.

I recognize that if you have to start your security program somewhere, addressing vulnerabilities is a good idea. I get that as a Chief Security Officer.

However, the tendency for far too many involved with security, from the CTO or CIO perspective, is to then conclude that "patched = secure."

At best, patching reduces a certain amount of noise because it deflects opportunistic attacks that work against weaker peers. Should patching become more widespread, opportunistic attackers adopt 0-days. We've been seeing that in spades over the last few months, even without widespread adoption of patches.

In the case of targeted attacks, patching drives intruders to try other means of exploitation. I've seen this first hand, with intruders adopting 0-days as a matter of course or trying other attack vectors. Targeted intruders learn not to trip traditional defenses while failing to exploit well-known vulnerabilities.

If someone asks you if "unpatched systems represent the number one method of system compromise," please keep this post in mind. Remember we face an intelligent adversary who, over time, acts to improvise, adapt and overcome.

We must do the same, over time.

Monday, 17 September 2012

Does Anything Really "End" In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part:

15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.

Now, I'm not a programmer, and I don't play one at Mandiant. However, Adam's last sentence in the excerpt caught my attention. My observation over the period since Aleph One's historic paper was written is this: we don't seem to "solve" any security problems. Accordingly, no "era" seems to end!

Is this true? To get a slight insight into whether my sense of history is correct, I consulted the Open Source Vulnerability Database and ran queries like the following:

Query for all vulnerabilities of attack type "input manipulation," with "buffer overflow" in the text, from time 1 Aug 96 to 1 Aug 97

I chose to run these "August" periods to capture time as it passed since Aleph One's paper was published in August 1996.

The results were:

Year  Vulns
1997     11
1998     10
1999      6
2000     48
2001     41
2002     43
2003     94
2004    127
2005     86
2006     27
2007     29
2008     39
2009     36
2010     48
2011     44
2012     45
As a chart, they looked like this:

I find these results interesting, and I accept I could have run the query wrong by selecting the wrong terms. If I managed to get in the ballpark of the correct query, though, it seems we are not eliminating buffer overflows as a vulnerability.

I suppose one could argue about where researchers are finding the vulnerabilities, but they're still there in software worth reporting to OSVDB, and apparently trending upward.

My bottom line is to remember that security appears to be a game of and, not a game of or. We just add problems, and tend not to substitute them.

Tuesday, 11 September 2012

Less Thrashing; Better Queries (Part V)


# Using [System.Diagnostics.EventLog] for PowerShell 3.0 Beta
# Code
 # Creating $a specific to the 'GetEventLogs()'
 # method for [System.Diagnostics.EventLog]
 # (gm -s is Get-Member -Static: lists only the static members)
 $a=[System.Diagnostics.EventLog]::GetEventLogs()
 $a | gm -s
 # List the event logs
 $a

 # Creating $a as generic to the .NET class; querying the active
 # event logs for a local (or remote) computer name:
 $a=[System.Diagnostics.EventLog]
 $a::GetEventLogs("rmfvpc")
 $a::GetEventLogs("rmfvpc") | gm -s

 # Creating $b as the result of the machine-specific
 # 'GetEventLogs()' query
 # (gm -f is Get-Member -Force: also shows the get_/set_
 # accessor methods used below)
 $b=$a::GetEventLogs("rmfvpc")
 $b | gm -s
 $b | gm -f

 # Using $b to get a specific method for a specific log (e.g.
 # array index [10], the Security log on this machine) for a
 # specific configuration method (e.g. 'get_OverflowAction()')
 $b[10]
 $b[10].get_OverflowAction()

 # This retrieves all Entries before returning the first index.
 $b[0].get_Entries()[0]
 $b[0].get_Entries()[0] | gm -f

 # Returns select entries, then the EventIDs for them: first as
 # a property (PowerShell 3.0 member enumeration), then via the
 # accessor method.
 $b[0].get_Entries()[100..110]
 $b[0].get_Entries()[100..110].EventID
 $b[0].get_Entries()[100..110].get_EventID()

 # Number of event logs; number of total events for a
 # specific event log. (Note: $b[0].count would return 1,
 # because $b[0] is a single EventLog object, not the array.)
 $b.count
 $b[0].Entries.count

 # Returns first and last events. 30324 is a hard-coded index
 # from this run; $b[0].Entries.count - 1 is the general form.
 $b[0].get_Entries()[0,30324]
 $b[0].get_Entries()[0,30324] | gm -s
 $b[0].get_Entries()[0,30324] | gm

 # Creates a DateTime variable; returns number of days
 # between first and last events
 ($b[0].get_Entries()[0,30324]).TimeGenerated
 $TG=($b[0].get_Entries()[0,30324]).TimeGenerated
 $TG  | gm -s
 $TG[1]-$TG[0]
 ($TG[1]-$TG[0]).Days

 # Returns select sorted information
 $d=($b[0].get_Entries())| Select EventID,Message
 $d.count
 $d[0..10] | ft -auto -wrap
 $d | group -property EventID -noelement | sort -desc -property Count
 $e= ($d | group -property Message -noelement | sort -desc -property Count)
 $e.count
 $e[0..10] | ft -auto -wrap
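The exploratory one-liners above re-read the log on every indexed access and hard-code an array index for the "last" entry. The function below is an added example, not code from the original post: it wraps the same [System.Diagnostics.EventLog]::GetEventLogs() call into a reusable summary of one classic log (size and overflow policy, the time span the log actually covers, and the top EventIDs and Sources). The host name "rmfvpc" is taken from the post; the function name and its parameters are assumptions of this example, not part of any Microsoft API.

```powershell
# Added example (not from the original post). Summarize one classic event
# log on a host using the same .NET class the post explores.
# Assumptions: the host name "rmfvpc" comes from the post; the function
# name and parameters are this example's own, not a Microsoft API.
function Get-EventLogSummary {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Top = 10
    )

    # Same static call as the post, filtered to the log we care about.
    $log = [System.Diagnostics.EventLog]::GetEventLogs($ComputerName) |
        Where-Object { $_.Log -eq $LogName }
    if (-not $log) {
        throw "Event log '$LogName' not found on $ComputerName"
    }

    # Entries is a live EventLogEntryCollection: every [n] index re-reads
    # the log. Copy it into an array once, then work on the copy.
    $entries = @($log.Entries)
    $count   = $entries.Count

    $summary = [ordered]@{
        Computer       = $ComputerName
        Log            = $LogName
        Entries        = $count
        MaxKB          = $log.MaximumKilobytes
        OverflowAction = $log.OverflowAction
        RetentionDays  = $log.MinimumRetentionDays
        First          = $null
        Last           = $null
        SpanDays       = 0
        TopEventIDs    = @()
        TopSources     = @()
    }

    if ($count -gt 0) {
        # Last entry via Count-1 instead of a hard-coded index like [30324].
        $first = $entries[0]
        $last  = $entries[$count - 1]
        $summary.First    = $first.TimeGenerated
        $summary.Last     = $last.TimeGenerated
        $summary.SpanDays = ($last.TimeGenerated - $first.TimeGenerated).Days

        # Same Group-Object / Sort-Object idea as the post's $d and $e,
        # but grouped on EventID and Source rather than the full Message.
        $summary.TopEventIDs = $entries |
            Group-Object -Property EventID -NoElement |
            Sort-Object -Property Count -Descending |
            Select-Object -First $Top
        $summary.TopSources = $entries |
            Group-Object -Property Source -NoElement |
            Sort-Object -Property Count -Descending |
            Select-Object -First $Top
    }

    [pscustomobject]$summary
}

# Usage: the Application log on the post's host, then the Security log.
# For the Security log, SpanDays under OverwriteAsNeeded is how far back
# an investigation can see; anything older than First is already gone.
$app = Get-EventLogSummary -LogName Application -ComputerName rmfvpc
$app | Format-List
$app.TopEventIDs | Format-Table -AutoSize

Get-EventLogSummary -LogName Security -ComputerName rmfvpc |
    Select-Object Log, Entries, MaxKB, OverflowAction, RetentionDays, SpanDays
```

Two caveats a practitioner should keep in mind. First, System.Diagnostics.EventLog only sees the classic logs (Application, System, Security and custom logs like the ones listed in the results below); the Applications and Services channels introduced with Vista are not visible through it and need Get-WinEvent. Second, materializing Entries for a log the size of the Security log above (over a million entries) is slow and pulls every record across the wire; for large or remote logs, Get-WinEvent -FilterHashtable filters on the server side and is the better tool once you have finished exploring the class.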



# Results
PS C:\>  $a=[System.Diagnostics.EventLog]::GetEventLogs()
PS C:\>  $a | gm -s


   TypeName: System.Diagnostics.EventLog

Name                  MemberType Definition
----                  ---------- ----------
CreateEventSource     Method     static void CreateEventSource(string source, string logName), static void CreateEventSource(string source, string logName, string m...
Delete                Method     static void Delete(string logName), static void Delete(string logName, string machineName)
DeleteEventSource     Method     static void DeleteEventSource(string source), static void DeleteEventSource(string source, string machineName)
Equals                Method     static bool Equals(System.Object objA, System.Object objB)
Exists                Method     static bool Exists(string logName), static bool Exists(string logName, string machineName)
GetEventLogs          Method     static System.Diagnostics.EventLog[] GetEventLogs(), static System.Diagnostics.EventLog[] GetEventLogs(string machineName)
LogNameFromSourceName Method     static string LogNameFromSourceName(string source, string machineName)
ReferenceEquals       Method     static bool ReferenceEquals(System.Object objA, System.Object objB)
SourceExists          Method     static bool SourceExists(string source), static bool SourceExists(string source, string machineName)
WriteEntry            Method     static void WriteEntry(string source, string message), static void WriteEntry(string source, string message, System.Diagnostics.Eve...
WriteEvent            Method     static void WriteEvent(string source, System.Diagnostics.EventInstance instance, Params System.Object[] values), static void WriteE...
Site                  Property   System.ComponentModel.ISite Site {get;set;}


PS C:\>  $a

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      30,331 Application
     512      7 OverwriteOlder             68 EstablishedTCPConnections
     512      7 OverwriteOlder             22 gwmi_diff
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded         278 Media Center
     512      7 OverwriteOlder          2,184 OasisLog
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded          37 OSession
 600,576     -1 DoNotOverwrite      1,018,834 Security
  25,600      0 OverwriteAsNeeded           1 SmartWi
  20,480      0 OverwriteAsNeeded      34,862 System
  15,360      0 OverwriteAsNeeded      18,289 Windows PowerShell


PS C:\>  $a=[System.Diagnostics.EventLog]
PS C:\>  $a::GetEventLogs("rmfvpc")

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      30,331 Application
     512      7 OverwriteOlder             68 EstablishedTCPConnections
     512      7 OverwriteOlder             22 gwmi_diff
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded         278 Media Center
     512      7 OverwriteOlder          2,184 OasisLog
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded          37 OSession
 600,576     -1 DoNotOverwrite      1,018,834 Security
  25,600      0 OverwriteAsNeeded           1 SmartWi
  20,480      0 OverwriteAsNeeded      34,862 System
  15,360      0 OverwriteAsNeeded      18,289 Windows PowerShell


PS C:\>  $a::GetEventLogs("rmfvpc") | gm -s


   TypeName: System.Diagnostics.EventLog

Name                  MemberType Definition
----                  ---------- ----------
CreateEventSource     Method     static void CreateEventSource(string source, string logName), static void CreateEventSource(string source, string logName, string m...
Delete                Method     static void Delete(string logName), static void Delete(string logName, string machineName)
DeleteEventSource     Method     static void DeleteEventSource(string source), static void DeleteEventSource(string source, string machineName)
Equals                Method     static bool Equals(System.Object objA, System.Object objB)
Exists                Method     static bool Exists(string logName), static bool Exists(string logName, string machineName)
GetEventLogs          Method     static System.Diagnostics.EventLog[] GetEventLogs(), static System.Diagnostics.EventLog[] GetEventLogs(string machineName)
LogNameFromSourceName Method     static string LogNameFromSourceName(string source, string machineName)
ReferenceEquals       Method     static bool ReferenceEquals(System.Object objA, System.Object objB)
SourceExists          Method     static bool SourceExists(string source), static bool SourceExists(string source, string machineName)
WriteEntry            Method     static void WriteEntry(string source, string message), static void WriteEntry(string source, string message, System.Diagnostics.Eve...
WriteEvent            Method     static void WriteEvent(string source, System.Diagnostics.EventInstance instance, Params System.Object[] values), static void WriteE...
Site                  Property   System.ComponentModel.ISite Site {get;set;}


PS C:\>  $b=$a::GetEventLogs("rmfvpc")
PS C:\>  $b | gm -f


   TypeName: System.Diagnostics.EventLog

Name                      MemberType   Definition
----                      ----------   ----------
pstypenames               CodeProperty System.Collections.ObjectModel.Collection`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c...
Disposed                  Event        System.EventHandler Disposed(System.Object, System.EventArgs)
EntryWritten              Event        System.Diagnostics.EntryWrittenEventHandler EntryWritten(System.Object, System.Diagnostics.EntryWrittenEventArgs)
psadapted                 MemberSet    psadapted {Entries, LogDisplayName, Log, MachineName, MaximumKilobytes, OverflowAction, MinimumRetentionDays, EnableRaisingEv...
psbase                    MemberSet    psbase {Entries, LogDisplayName, Log, MachineName, MaximumKilobytes, OverflowAction, MinimumRetentionDays, EnableRaisingEvent...
psextended                MemberSet    psextended {}
psobject                  MemberSet    psobject {Members, Properties, Methods, ImmediateBaseObject, BaseObject, TypeNames, get_Members, get_Properties, get_Methods,...
add_Disposed              Method       void add_Disposed(System.EventHandler value), void IComponent.add_Disposed(System.EventHandler value)
add_EntryWritten          Method       void add_EntryWritten(System.Diagnostics.EntryWrittenEventHandler value)
BeginInit                 Method       void BeginInit(), void ISupportInitialize.BeginInit()
Clear                     Method       void Clear()
Close                     Method       void Close()
CreateObjRef              Method       System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Dispose                   Method       void Dispose(), void IDisposable.Dispose()
EndInit                   Method       void EndInit(), void ISupportInitialize.EndInit()
Equals                    Method       bool Equals(System.Object obj)
GetHashCode               Method       int GetHashCode()
GetLifetimeService        Method       System.Object GetLifetimeService()
GetType                   Method       type GetType()
get_Container             Method       System.ComponentModel.IContainer get_Container()
get_EnableRaisingEvents   Method       bool get_EnableRaisingEvents()
get_Entries               Method       System.Diagnostics.EventLogEntryCollection get_Entries()
get_Log                   Method       string get_Log()
get_LogDisplayName        Method       string get_LogDisplayName()
get_MachineName           Method       string get_MachineName()
get_MaximumKilobytes      Method       long get_MaximumKilobytes()
get_MinimumRetentionDays  Method       int get_MinimumRetentionDays()
get_OverflowAction        Method       System.Diagnostics.OverflowAction get_OverflowAction()
get_Site                  Method       System.ComponentModel.ISite get_Site(), System.ComponentModel.ISite IComponent.get_Site()
get_Source                Method       string get_Source()
get_SynchronizingObject   Method       System.ComponentModel.ISynchronizeInvoke get_SynchronizingObject()
InitializeLifetimeService Method       System.Object InitializeLifetimeService()
ModifyOverflowPolicy      Method       void ModifyOverflowPolicy(System.Diagnostics.OverflowAction action, int retentionDays)
RegisterDisplayName       Method       void RegisterDisplayName(string resourceFile, long resourceId)
remove_Disposed           Method       void remove_Disposed(System.EventHandler value), void IComponent.remove_Disposed(System.EventHandler value)
remove_EntryWritten       Method       void remove_EntryWritten(System.Diagnostics.EntryWrittenEventHandler value)
set_EnableRaisingEvents   Method       void set_EnableRaisingEvents(bool value)
set_Log                   Method       void set_Log(string value)
set_MachineName           Method       void set_MachineName(string value)
set_MaximumKilobytes      Method       void set_MaximumKilobytes(long value)
set_Site                  Method       void set_Site(System.ComponentModel.ISite value), void IComponent.set_Site(System.ComponentModel.ISite value)
set_Source                Method       void set_Source(string value)
set_SynchronizingObject   Method       void set_SynchronizingObject(System.ComponentModel.ISynchronizeInvoke value)
ToString                  Method       string ToString()
WriteEntry                Method       void WriteEntry(string message), void WriteEntry(string message, System.Diagnostics.EventLogEntryType type), void WriteEntry(...
WriteEvent                Method       void WriteEvent(System.Diagnostics.EventInstance instance, Params System.Object[] values), void WriteEvent(System.Diagnostics...
Container                 Property     System.ComponentModel.IContainer Container {get;}
EnableRaisingEvents       Property     bool EnableRaisingEvents {get;set;}
Entries                   Property     System.Diagnostics.EventLogEntryCollection Entries {get;}
Log                       Property     string Log {get;set;}
LogDisplayName            Property     string LogDisplayName {get;}
MachineName               Property     string MachineName {get;set;}
MaximumKilobytes          Property     long MaximumKilobytes {get;set;}
MinimumRetentionDays      Property     int MinimumRetentionDays {get;}
OverflowAction            Property     System.Diagnostics.OverflowAction OverflowAction {get;}
Site                      Property     System.ComponentModel.ISite Site {get;set;}
Source                    Property     string Source {get;set;}
SynchronizingObject       Property     System.ComponentModel.ISynchronizeInvoke SynchronizingObject {get;set;}


PS C:\>  $b[10]

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
 600,576     -1 DoNotOverwrite      1,018,834 Security


PS C:\>  $b[10].get_OverflowAction()
DoNotOverwrite
PS C:\>
PS C:\>  $b[0]

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded      30,331 Application


PS C:\>  $b[0].get_Entries()[0]

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    2498 Jul 04 13:14  Error       SideBySide             3238068257 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8...

PS C:\> $b[0].get_Entries()[100..110]

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    2598 Oct 10 17:35  Information VCFw                            0 The description for Event ID '0' in Source 'VCFw' cannot be found.  The local computer may not ...
    2599 Oct 10 17:35  Information SecurityCenter                  1 The Windows Security Center Service has started.
    2600 Oct 10 17:35  Information Microsoft-Windows...         1001 Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record ...
    2601 Oct 10 17:35  Information Microsoft-Windows...         1000 Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record D...
    2602 Oct 10 17:38  0           Software Protecti...   1073742727 The Software Protection service has stopped....
    2603 Oct 10 17:39  Information MSSQL$DDNI             1073758961 Starting up database 'Oasis'.
    2604 Oct 10 17:48  Error       Google Update                  20 The description for Event ID '20' in Source 'Google Update' cannot be found.  The local compute...
    2605 Oct 10 17:50  Information Windows Error Rep...         1001 Fault bucket , type 0...
    2606 Oct 10 17:55  Information Windows Error Rep...         1001 Fault bucket , type 0...
    2607 Oct 10 18:01  Error       Google Update                  20 The description for Event ID '20' in Source 'Google Update' cannot be found.  The local compute...
    2608 Oct 10 18:01  0           Microsoft-Windows...          258 The disk defragmenter successfully completed analysis on Windows (C:)


PS C:\> $b[0].get_Entries()[100..110].EventID
0
1
1001
1000
903
17137
20
1001
1001
20
258

PS C:\> $b[0].get_Entries()[100..110].get_EventID()
0
1
1001
1000
903
17137
20
1001
1001
20
258

PS C:\>  $b[0].Entries.count
30331

PS C:\>  $b[0].get_Entries()[0,30324]

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    2498 Jul 04 13:14  Error       SideBySide             3238068257 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8...
   32822 Sep 11 09:12  Information gusvc                           0 The description for Event ID '0' in Source 'gusvc' cannot be found.  The local computer may not...


PS C:\>  $b[0].get_Entries()[0,30324] | gm


   TypeName: System.Diagnostics.EventLogEntry

Name                      MemberType     Definition
----                      ----------     ----------
Disposed                  Event          System.EventHandler Disposed(System.Object, System.EventArgs)
CreateObjRef              Method         System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Dispose                   Method         void Dispose(), void IDisposable.Dispose()
Equals                    Method         bool Equals(System.Diagnostics.EventLogEntry otherEntry), bool Equals(System.Object obj)
GetHashCode               Method         int GetHashCode()
GetLifetimeService        Method         System.Object GetLifetimeService()
GetObjectData             Method         void ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.Streamin...
GetType                   Method         type GetType()
InitializeLifetimeService Method         System.Object InitializeLifetimeService()
ToString                  Method         string ToString()
Category                  Property       string Category {get;}
CategoryNumber            Property       int16 CategoryNumber {get;}
Container                 Property       System.ComponentModel.IContainer Container {get;}
Data                      Property       byte[] Data {get;}
EntryType                 Property       System.Diagnostics.EventLogEntryType EntryType {get;}
Index                     Property       int Index {get;}
InstanceId                Property       long InstanceId {get;}
MachineName               Property       string MachineName {get;}
Message                   Property       string Message {get;}
ReplacementStrings        Property       string[] ReplacementStrings {get;}
Site                      Property       System.ComponentModel.ISite Site {get;set;}
Source                    Property       string Source {get;}
TimeGenerated             Property       datetime TimeGenerated {get;}
TimeWritten               Property       datetime TimeWritten {get;}
UserName                  Property       string UserName {get;}
EventID                   ScriptProperty System.Object EventID {get=$this.get_EventID() -band 0xFFFF;}


PS C:\>  ($b[0].get_Entries()[0,30324]).TimeGenerated

Sunday, July 04, 2010 1:14:23 PM
Tuesday, September 11, 2012 9:12:48 AM


PS C:\> $TG=($b[0].get_Entries()[0,30324]).TimeGenerated
PS C:\> $TG  | gm -s


   TypeName: System.DateTime

Name            MemberType Definition
----            ---------- ----------
Compare         Method     static int Compare(datetime t1, datetime t2)
DaysInMonth     Method     static int DaysInMonth(int year, int month)
Equals          Method     static bool Equals(datetime t1, datetime t2), static bool Equals(System.Object objA, System.Object objB)
FromBinary      Method     static datetime FromBinary(long dateData)
FromFileTime    Method     static datetime FromFileTime(long fileTime)
FromFileTimeUtc Method     static datetime FromFileTimeUtc(long fileTime)
FromOADate      Method     static datetime FromOADate(double d)
IsLeapYear      Method     static bool IsLeapYear(int year)
Parse           Method     static datetime Parse(string s), static datetime Parse(string s, System.IFormatProvider provider), static datetime Parse(string s, System...
ParseExact      Method     static datetime ParseExact(string s, string format, System.IFormatProvider provider), static datetime ParseExact(string s, string format,...
ReferenceEquals Method     static bool ReferenceEquals(System.Object objA, System.Object objB)
SpecifyKind     Method     static datetime SpecifyKind(datetime value, System.DateTimeKind kind)
TryParse        Method     static bool TryParse(string s, [ref] datetime result), static bool TryParse(string s, System.IFormatProvider provider, System.Globalizati...
TryParseExact   Method     static bool TryParseExact(string s, string format, System.IFormatProvider provider, System.Globalization.DateTimeStyles style, [ref] date...
MaxValue        Property   static datetime MaxValue {get;}
MinValue        Property   static datetime MinValue {get;}
Now             Property   datetime Now {get;}
Today           Property   datetime Today {get;}
UtcNow          Property   datetime UtcNow {get;}  

PS C:\>  $TG[1]-$TG[0]


Days              : 799
Hours             : 19
Minutes           : 58
Seconds           : 25
Milliseconds      : 0
Ticks             : 691055050000000
TotalDays         : 799.832233796296
TotalHours        : 19195.9736111111
TotalMinutes      : 1151758.41666667
TotalSeconds      : 69105505
TotalMilliseconds : 69105505000



PS C:\>  ($TG[1]-$TG[0]).Days
799

PS C:\> ($b[0].get_Entries().EventID) | group -noelement | sort -desc -property Count

Count Name
----- ----
 5017 0
 2780 257
 2310 1035
 1079 17137
  917 1001
  885 1040
  882 1042
  858 4107
  798 8224
  776 10000
  765 10001
  644 1033
  560 11728
  475 11707
  470 1904
  420 1
  409 8194
  387 1003
  253 301
  249 1000
  244 1036
  244 1022
  227 26048
  216 9666
  205 102
  199 6000
  195 900
  195 902
  195 1066
  192 903
  188 3454
  175 17403
  172 1002
  166 35
  133 1531
  133 4625
  131 5617
  131 5615
  128 2000
  127 4101
  125 3407
  125 258
  124 300
  124 302
  124 3406
  120 17401
  119 17199
  119 26018
  119 3408
  119 17126
  119 26037
  119 17111
  119 15268
  119 17162
  119 17110
  119 18496
  119 17101
...

PS C:\>  $d=($b[0].get_Entries())| Select EventID,Message
PS C:\>  $d.count
30330

PS C:\> $d[0..10] | ft -auto -wrap

EventID Message
------- -------
     33 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe".
        Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
        Please use sxstrace.exe for detailed diagnosis.
     33 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe".
        Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
        Please use sxstrace.exe for detailed diagnosis.
     33 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe".
        Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
        Please use sxstrace.exe for detailed diagnosis.
     33 Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe".
        Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
        Please use sxstrace.exe for detailed diagnosis.
...

PS C:\>  $d | group -property EventID -noelement | sort -desc -property Count

Count Name
----- ----
 5017 0
 2780 257
 2310 1035
 1079 17137
  917 1001
  885 1040
  882 1042
  858 4107
  797 8224
  776 10000
  765 10001
  644 1033
  560 11728
  475 11707
  470 1904
  420 1
  409 8194
  387 1003
...

PS C:\> $e= ($d | group -property Message -noelement | sort -desc -property Count)
PS C:\> $e.count
9644

PS C:\> $e.Values[0,1,2]
The description for Event ID '0' in Source 'gupdate' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'Service stopped'
The description for Event ID '0' in Source 'gupdate' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'Service started'
Failed extract of third-party root list from auto update cab at: with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
...
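The session above pokes at the Application and Security logs one expression at a time: log size and overflow policy, entry count, oldest and newest timestamps, and a frequency table of EventIDs. The function below, an added example that is not part of the original post, wraps those same steps into one reusable summary. It assumes Windows PowerShell (Get-EventLog is not present in PowerShell 7+), read access to the log, and the standard log names `Application` and `Security`; the function name `Get-EventLogSummary` and the `-Top` parameter are my own.

```powershell
# Added example (not from the original post): summarize a classic event log the way
# the transcript does interactively, as one function.
# Assumes Windows PowerShell (Get-EventLog does not exist in PowerShell 7+) and
# read access to the named log. 'Application' and 'Security' are standard names.
function Get-EventLogSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$Top = 10
    )

    # Get-EventLog -List returns System.Diagnostics.EventLog objects (what $b holds above).
    $log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
    if (-not $log) { throw "Event log '$LogName' not found or not readable." }

    # .Entries is the same collection the transcript reaches through get_Entries();
    # @() snapshots it so repeated enumeration does not re-read the log each time.
    $entries = @($log.Entries)
    if ($entries.Count -eq 0) { return $null }

    # EventID is a PowerShell ScriptProperty: InstanceId -band 0xFFFF (see the
    # Get-Member output above). The upper bits of InstanceId carry facility and
    # severity flags, which is why the transcript's InstanceID column and EventID
    # column differ for the same entry. Group on EventID, the value Event Viewer shows.
    $byEventId = $entries | Group-Object -Property EventID -NoElement |
        Sort-Object -Property Count -Descending | Select-Object -First $Top

    $byType = $entries | Group-Object -Property EntryType -NoElement |
        Sort-Object -Property Count -Descending

    # Entries are stored oldest first, so index 0 and the last index bracket the log's span,
    # exactly as $b[0].get_Entries()[0,30324] did above.
    $first = $entries[0].TimeGenerated
    $last  = $entries[-1].TimeGenerated
    $span  = $last - $first   # a TimeSpan, like $TG[1]-$TG[0] in the transcript

    [pscustomobject]@{
        Log            = $log.Log
        MaximumKB      = $log.MaximumKilobytes
        OverflowAction = $log.OverflowAction
        Entries        = $entries.Count
        OldestEntry    = $first
        NewestEntry    = $last
        SpanDays       = $span.Days
        EntriesPerDay  = [math]::Round($entries.Count / [math]::Max($span.TotalDays, 1), 1)
        TopEventIDs    = @($byEventId | ForEach-Object { "$($_.Name) x$($_.Count)" })
        ByEntryType    = @($byType    | ForEach-Object { "$($_.Name) x$($_.Count)" })
    }
}

# Usage: compare the two logs the transcript looks at.
Get-EventLogSummary -LogName Application -Top 15 | Format-List
Get-EventLogSummary -LogName Security    -Top 15 | Format-List
```

The OverflowAction and SpanDays fields are the ones worth reading together. A log set to OverwriteAsNeeded, as the Application log above is, discards its oldest entries once it reaches MaximumKB, so the oldest timestamp tells you how far back an investigation can reach on that host. A log set to DoNotOverwrite, as the Security log above is, keeps its history but stops recording once full, so a stale NewestEntry on such a log is itself a finding to check.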