Detecting frauds from log files

By Paladion

October 16, 2005

Which logging mechanism is best for tracing back to the culprit in the case of an application fraud, for example when a fraudster has illegally transferred money from somebody else’s account to his own?

  1. Web-Server error logs
  2. Application logs
  3. W3C logs
  4. System logs

The best answer to this quiz is 2) Application logs

Logs record information about the activities of an application and its users. They are used for troubleshooting and for forensic analysis after an incident. A web application environment produces several levels and types of logs, and each records a different view of what happened.

Option 1: Web-Server error logs: Web-server error logs contain diagnostic information about errors the web server itself encountered, such as failed requests or misconfiguration. They say nothing about how the application behaves. From the web server’s point of view, a fraudulent fund transfer is a perfectly successful request, so there is usually no error to record at this level.

Option 2: Application logs: Application logs give the clearest picture of what a particular user did with the application. They can record the transactions carried out, the data entered, failed login attempts and other suspicious activity, together with the authenticated username, client IP address, date and time of each operation. For a fund transfer, a well-designed application log therefore records the username, the source and destination accounts, the amount transferred and the client IP address. These details let an investigator detect the fraud and trace it back to the culprit. Two caveats apply in practice: an application logs only what its developers chose to log, so these fields must be designed in before the incident; and the username recorded must be the one the server authenticated, not a value supplied by the client, and the log itself must be protected from tampering if it is to serve as evidence.

Option 3: W3C logs: W3C here refers to the W3C Extended Log File Format used for web-server access logs. Each record describes one HTTP request made to the web server: date, time, client IP, method and page requested, query string, browser type, referrer page, cookie, HTTP protocol version and response code. These logs show which requests reached the application, but not what the application did with them or what data was submitted. In particular the body of a POST request, where a transfer form’s account numbers and amount normally travel, is not logged at all. So from W3C logs alone we cannot get the bank accounts, the amount transferred or the username that are needed to detect the fraud and identify the culprit. They are still useful to corroborate an application log entry: the client IP and timestamp of a suspicious transfer should match a request in the access log.

Option 4: System logs: System logs (the operating system’s event logs or syslog) record the operation of the host and its services. They can tell us when the web server started or shut down, or when it ran out of resources, but they do not record a user’s interaction with the application or any other high-level detail. So they too will not contain evidence of an illegal fund transfer or other application fraud.
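The following Python script is an added example, not part of the original quiz post, that puts Options 2 and 3 side by side. It runs an ownership check over a few constructed application log lines (the pipe-delimited layout is hypothetical, not any real product’s format) to find a transfer made by a user who does not own the source account, and then looks up the same client IP and time in constructed W3C Extended Log File Format records. The account-ownership table is also constructed; in a real investigation it would come from the bank’s master data.

```python
"""Tracing a fund-transfer fraud: application log vs. W3C web-server log.

Added example with constructed data. The application log layout is a
hypothetical pipe-delimited format; the W3C lines follow the W3C Extended Log
File Format (a #Fields directive followed by space-separated records).
"""
from datetime import datetime, timedelta

# Constructed application log: time|authenticated user|client IP|event|details
APP_LOG = """\
2005-10-14 09:12:03|alice|203.0.113.7|LOGIN_OK|
2005-10-14 09:12:41|alice|203.0.113.7|TRANSFER|from=ACC-1001 to=ACC-2002 amount=250.00
2005-10-14 09:15:09|bob|198.51.100.23|LOGIN_FAIL|reason=bad_password
2005-10-14 09:15:22|mallory|198.51.100.23|LOGIN_OK|
2005-10-14 09:16:05|mallory|198.51.100.23|TRANSFER|from=ACC-3003 to=ACC-4004 amount=9800.00
2005-10-14 09:20:44|bob|192.0.2.55|LOGIN_OK|
""".splitlines()

# Constructed W3C extended access log for the same period (no request bodies)
W3C_LOG = """\
#Software: example
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-10-14 09:12:41 203.0.113.7 POST /bank/transfer.do - 200 Mozilla/4.0
2005-10-14 09:15:22 198.51.100.23 POST /bank/login.do - 302 Mozilla/4.0
2005-10-14 09:16:05 198.51.100.23 POST /bank/transfer.do - 200 Mozilla/4.0
2005-10-14 09:16:06 198.51.100.23 GET /bank/statement.do acct=ACC-4004 200 Mozilla/4.0
""".splitlines()

# Constructed account ownership table (hypothetical; from the bank's master data)
ACCOUNT_OWNER = {"ACC-1001": "alice", "ACC-2002": "carol",
                 "ACC-3003": "bob", "ACC-4004": "mallory"}

TS = "%Y-%m-%d %H:%M:%S"


def parse_app_log(lines):
    """Parse pipe-delimited application log lines into event dicts."""
    events = []
    for line in lines:
        ts, user, ip, event, details = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in details.split() if "=" in kv)
        events.append({"time": datetime.strptime(ts, TS), "user": user,
                       "ip": ip, "event": event, **fields})
    return events


def find_suspicious_transfers(events, owners):
    """Flag transfers where the logged-in user does not own the source account.

    Because the application log carries the authenticated user, both accounts
    and the amount, this check alone names the culprit, the victim and the sum.
    """
    suspicious = []
    for ev in events:
        if ev["event"] != "TRANSFER":
            continue
        if owners.get(ev["from"]) != ev["user"]:
            suspicious.append({"user": ev["user"], "ip": ev["ip"],
                               "time": ev["time"], "from": ev["from"],
                               "to": ev["to"], "amount": ev["amount"],
                               "victim": owners.get(ev["from"])})
    return suspicious


def parse_w3c_log(lines):
    """Parse W3C extended log lines, taking column names from #Fields."""
    fields, records = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def corroborate(transfer, w3c_records, window=timedelta(seconds=5)):
    """Return the HTTP requests from the transfer's IP within a time window.

    This ties the application log entry to concrete requests, but the W3C
    records carry no accounts or amount: POST bodies are never logged there.
    """
    matches = []
    for rec in w3c_records:
        t = datetime.strptime(rec["date"] + " " + rec["time"], TS)
        if rec["c-ip"] == transfer["ip"] and abs(t - transfer["time"]) <= window:
            matches.append(rec)
    return matches


if __name__ == "__main__":
    events = parse_app_log(APP_LOG)
    for s in find_suspicious_transfers(events, ACCOUNT_OWNER):
        print("SUSPICIOUS:", s)
        for req in corroborate(s, parse_w3c_log(W3C_LOG)):
            print("  matching request:", req["cs-method"], req["cs-uri-stem"],
                  "query=%s" % req["cs-uri-query"])
```

Run as a script, it flags mallory’s transfer of 9800.00 out of bob’s account ACC-3003 and prints the two access-log requests from the same IP within five seconds. The W3C records show only that a POST to /bank/transfer.do succeeded; the accounts and the amount come solely from the application log, which is the point of the quiz answer.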

Read more about the best practices for application logs in this Palisade article by Dipesh.

Tags: Quiz