Basics of Forensics Log Analysis

By balaji

October 17, 2009

Often we hear about security incidents occurring in the world around us. Recently a PCI DSS-compliant organization in the US got hacked. Analyzing such an incident to discover its root cause and to find evidence to prove it is known as Forensic Analysis. Simply put, Forensics is all about discovering the how, who, when and where of an incident.


Forensics is done for various purposes with different goals:

  • Establishing the evidence of a crime / hack
  • Data recovery in case of unexpected events
  • Finding the vulnerability which allowed a hack
  • Tracking the activities of an employee

Log Analysis is an important part of Forensics. While analyzing an incident, it is very important to be clear about your goal and to collect logs according to your needs. Many types of logs exist, and not all of them are useful for the incident under analysis. So, it is very important to understand the goal and collect the appropriate logs.

Some logs which should be collected are listed below:

For Windows Operating System

  • Save the application logs from the event viewer.
  • Save the security logs from the event viewer.
  • Save the system logs from the event viewer.

For Linux Operating System

  • /var/log/messages: General messages and system-related events
  • /var/log/auth.log: Authentication logs
  • /var/log/kern.log: Kernel logs
  • /var/log/boot.log: System boot log
  • /var/log/utmp or /var/log/wtmp: Login records

Other logs can be collected depending on the incident under analysis:

  • In case of a network hack, collect logs of all the network devices lying on the route to the hacked device, as well as the perimeter router (ISP router). The firewall rulebase may also be required in this case.
  • In case of unauthorized access, save the web server logs, application server logs, application logs, router or switch logs, firewall logs, database logs, IDS logs etc. In this case, make sure a log is collected from every point where an authorization decision is made.
  • In case of a Trojan / Virus / Worm attack, save the antivirus logs in addition to the event logs (pertaining to the antivirus).

Also, there are certain things that should be avoided, such as:

  • Rebooting/formatting the infected system before obtaining the logs.
  • Cleaning/modifying/carrying out any activity on the infected machine, until the forensic analysis is completed.
  • Deleting/modifying any type of logs. This might destroy the evidence present there.
  • Carrying out any activity that might modify the logs.
  • Hiding anything from the Incident Response team.

Done with log collection, what next?

Now the collected logs have to be analyzed. Log Analysis can either be done manually or with the help of log analysis tools. There are several free and paid tools available for Log Analysis. These tools are very helpful: they take raw data as input and present it in a human-readable format. Log Analysis tools now support many log formats, so a single tool can take Symantec Antivirus logs, Cisco router logs, Windows event / security logs etc. for analysis.

Now apply various filters to the data presented by the tool, according to your needs and goal. These filters remove the unwanted data, so you can focus your analysis on what remains. Proceed this way, narrowing the data step by step, until the desired goal is achieved.
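As an added illustration of this filtering step (example code, not part of the original post), the following Python script parses a constructed sample of /var/log/auth.log lines and applies two filters a reviewer might use: failed logins per source address, and successful logins that follow repeated failures from the same address. The host names, addresses and log lines are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not from a real system).
SAMPLE_AUTH_LOG = """\
Oct 17 02:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 17 02:14:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Oct 17 02:14:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 17 02:14:09 web1 sshd[2205]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Oct 17 02:20:11 web1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 17 03:01:44 web1 sshd[2400]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
"""

# Classic syslog layout: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd authentication result lines
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(text):
    """Turn raw syslog lines into dicts; lines that do not parse are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        s = SSH_RE.match(ev["msg"])
        if s:
            ev.update(s.groupdict())
        events.append(ev)
    return events

def failed_logins_by_ip(events):
    """Filter 1: count failed SSH authentications per source address."""
    return Counter(e["ip"] for e in events if e.get("result") == "Failed")

def successes_after_failures(events, min_failures=3):
    """Filter 2: successful logins preceded by repeated failures from the same
    address. Returns (ip, user, timestamp) tuples that deserve manual review."""
    fails = defaultdict(int)
    hits = []
    for e in events:
        if e.get("result") == "Failed":
            fails[e["ip"]] += 1
        elif e.get("result") == "Accepted" and fails[e["ip"]] >= min_failures:
            hits.append((e["ip"], e["user"], e["ts"]))
    return hits
```

Each filter discards events that are irrelevant to the question being asked, leaving a small set of lines to examine by hand.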

Thus, by combining your manual analysis approach with the help of tools, a Forensic analysis can be done in an efficient way.
