DFIR - Log Analysis

Uploaded by Dave Hu

COMP SCI 355

Log Analysis

Professor Dr. Yan Chen & Jibran Ilyas
No matter how smart the attackers are, they are likely to leave evidence behind. Log Analysis is one of the main pillars of incident response, as the logs generated by networking devices, operating systems and security applications are likely places for discovering attacker activity. Log Collection done right is critical for Incident Response.
Objectives

• Learn about the type of logs used in IR

• Learn about best ways of collecting the logs

• Learn about log correlation / SIEM appliances

• Learn about SIEM best practices

• Learn about Log Retention Principles
Log examples

Why is Log Analysis Important for IR

+ Since every event cannot be categorized as one that requires third party involvement, Log Analysis is conducted by companies' Security Operations Center or Network Team to determine the criticality of an alert.

[Figure: increasing perceived business risk]

+ One example of big loss because of lack of Log Availability: At ChoicePoint, 40 million cards were not stolen; they just couldn't prove they weren't.
Common Log Sources

• Networking Devices: Routers, Switches

• Security Devices: Firewalls, IDS, IPS, Web Proxy

• Authentication Services: Active Directory, RAS

• Operating Systems: Windows, Linux, AIX, Solaris, MAC

• Applications: Databases, Email (OWA), Web Servers
Routers / Switches

Common Router Logs for IR:

+ Who logged in to the device and the source of access

+ Violations against the access list set up on the router

Common Switch Logs for IR:

+ Login Information

+ Assignment of DHCP IP address to NIC cards (very important to track)

Firewall Logs

Firewall logs can give you the following key information:

+ Who (ip address) is trying to access what from the Internet

+ Which systems behind the firewall are infected (analysis on Command &
Control traffic from the infected hosts)

+ Network Reconnaissance Activity (External and Internal)

+ Virtual Private Network (VPN) access

+ Traffic between different network segments e.g. Users, Servers, DMZ, PCI, etc.
Firewall Logs (cont.)
Common Log Fields

• Date & Time: Date and Time of request

• Source IP address: IP of system requesting access

• Destination IP address: Targeted IP for access

• Protocol: e.g. TCP/UDP

• Source port: Random port chosen by OS

• Destination port: Port of application targeted

• Rule Status: Accept or Deny

• Bytes: Number of Bytes Transferred
Firewall Logs (cont.)
VPN Analysis

Firewalls enable VPN access, hence the VPN logs are generated by the firewalls
as well. Here are some tips on analyzing VPN Logs:

+ Check the failure frequency of usernames attempted and block source IP addresses

+ Check the Source IP of all users and if unexpected countries’ IPs (or Cloud
Hosting Providers) are logging in, then consider asking corresponding user
and block accordingly

+ If a single user logs in from two distinct IP addresses at the same time, investigate the IPs and make the user change the password accordingly.
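As an added example, not part of the slides, the following Python script applies the two VPN checks above to constructed log records in an assumed firewall-style key=value layout: it flags source IPs with a burst of failed logins (block candidates) and users holding sessions from two distinct IPs at once. The line format, field names and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed VPN log lines in an assumed firewall-style key=value layout (not real vendor output).
VPN_LOG = """\
2024-05-01T08:00:01 vpn user=alice src=203.0.113.5 event=login status=success
2024-05-01T08:00:05 vpn user=bob src=198.51.100.7 event=login status=failure
2024-05-01T08:00:09 vpn user=bob src=198.51.100.7 event=login status=failure
2024-05-01T08:00:14 vpn user=carol src=198.51.100.7 event=login status=failure
2024-05-01T08:15:00 vpn user=alice src=192.0.2.44 event=login status=success
2024-05-01T09:00:00 vpn user=alice src=203.0.113.5 event=logout status=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"event=(?P<event>login|logout) status=(?P<status>\S+)$")

def parse(text):
    """Parse matching lines into dicts with a datetime timestamp; other lines are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def failure_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed logins inside one window, whatever usernames were tried."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["status"] == "failure":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[src] = n
                break
    return flagged

def concurrent_sessions(events):
    """Users logging in from a second IP while a session from another IP is open: (user, open_src, new_src)."""
    open_by_user = defaultdict(set)  # user -> source IPs with an open session
    findings = []
    for e in sorted((x for x in events if x["status"] == "success"), key=lambda x: x["ts"]):
        if e["event"] == "login":
            findings += [(e["user"], o, e["src"]) for o in open_by_user[e["user"]] if o != e["src"]]
            open_by_user[e["user"]].add(e["src"])
        else:
            open_by_user[e["user"]].discard(e["src"])
    return findings
```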
Other Networking Devices
(IDS, IPS, Web Proxy)

Intrusion Detection Systems/Intrusion Prevention Systems:

+ What network packets are flagged as suspicious

+ Which packets were blocked by IPS rules

+ When IDS/IPS rules were updated

Web Proxy Logs:

+ Which Client System is trying to access what URL and if the request was granted or blocked
Authentication Services

Domain Controller Logs can provide info on:

+ User Account Creations

+ Access Rights Assignments

+ Object (File, Folder, Computer) Access Information

+ Logon information on end points and servers with details on the connections
such as Source IP address, Source Host Name and Type of Logon

+ RAS Logs can give you Caller Information (Source IP) and which server the logged-in user accessed
Operating System Logs
Windows

Windows Operating System Logs can provide you the following key evidence:

+ Who logged on to the system and what time (Local and Remote access)

+ Which Windows Services were created / Which services started or failed

+ Which users were created recently

+ What Scheduled Tasks ran with details on success or failure

+ Application execution success and failure with details

Operating System Logs
Windows (cont.)
• Security: These contain a record of users who connected to a system (Event IDs 528, 540, 4624 or 4648), when they disconnected (Event IDs 538, 4634), failed logon attempts (529, 4625), etc.

• System: These contain system events, such as when times were changed, when services were installed, started and stopped, and more.

• Application: These logs are the default location for applications, such as antivirus, to send their log events.
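An added example, not from the slides, that works the Security-log Event IDs above into a small Python analysis: it counts failed logons per account, rebuilds logon sessions by pairing a 4624 with the 4634 that carries the same logon id, marks network and RDP sessions as remote, and flags a success that directly follows failures from the same source. The records are constructed, and the tuple layout is an assumption of this example.

```python
from collections import Counter
from datetime import datetime

# Event IDs as listed on the slide: legacy (pre-Vista) IDs together with their modern equivalents.
LOGON_IDS, LOGOFF_IDS, FAILED_IDS = {528, 540, 4624, 4648}, {538, 4634}, {529, 4625}
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (e.g. SMB share), 10 = RemoteInteractive (RDP)

# Constructed Security-log records (not exported from a real host). Fields:
# time, event id, account, source IP, logon type, logon id (ties a 4624 to its 4634).
EVENTS = [
    ("2024-05-01 07:58:10", 4625, "svc_backup", "10.0.0.23", 3, None),
    ("2024-05-01 07:58:12", 4625, "svc_backup", "10.0.0.23", 3, None),
    ("2024-05-01 07:58:15", 4624, "svc_backup", "10.0.0.23", 3, "0x3e7a1"),
    ("2024-05-01 08:00:00", 4624, "alice", "-", 2, "0x41b22"),
    ("2024-05-01 08:30:00", 4634, "svc_backup", "-", 3, "0x3e7a1"),
    ("2024-05-01 17:00:00", 4634, "alice", "-", 2, "0x41b22"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def failed_logons(events):
    """Failed logon attempts per account (Event IDs 529 / 4625)."""
    return Counter(acct for _t, eid, acct, *_rest in events if eid in FAILED_IDS)

def sessions(events):
    """Pair each logon (528/540/4624/4648) with the logoff (538/4634) carrying the same logon id.
    Returns {logon_id: {account, src, remote, start, end}}; end stays None while the session is open."""
    out = {}
    for t, eid, acct, src, ltype, lid in sorted(events, key=lambda e: e[0]):
        if eid in LOGON_IDS and lid:
            out[lid] = {"account": acct, "src": src, "remote": ltype in REMOTE_LOGON_TYPES,
                        "start": parse_time(t), "end": None}
        elif eid in LOGOFF_IDS and lid in out:
            out[lid]["end"] = parse_time(t)
    return out

def failures_then_success(events, max_gap_seconds=60):
    """(account, src) pairs where a successful logon follows a failed one from the same source within the gap."""
    last_fail, hits = {}, set()
    for t, eid, acct, src, *_rest in sorted(events, key=lambda e: e[0]):
        if eid in FAILED_IDS:
            last_fail[(acct, src)] = parse_time(t)
        elif eid in LOGON_IDS and (acct, src) in last_fail:
            if (parse_time(t) - last_fail[(acct, src)]).total_seconds() <= max_gap_seconds:
                hits.add((acct, src))
    return hits
```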
Operating System Logs
Linux

Linux Operating System Logs can provide you the following key evidence:

+ Who logged on to the system and what time (Local and Remote access)

+ Which programs started on boot up

+ Which commands were run with sudo permissions

+ Which users were created recently

+ What Cron job ran with details on success or failure

+ Application execution success and failure with details

Applications

Database Logs
+ Login Information and User Access Tracking on Database Tables

+ Info on who ran which query at what time

Email (Outlook Web Access Logs)

+ Which Mailbox was accessed by Which IP address at What Time

Web Server Logs

+ Which IP address accessed what part of the webpage & access type (GET/POST)
Web Server Logs (cont.)
Common Log Fields

• Date / Time: Date and Time of Request

• Source IP address: IP of system requesting access

• Destination IP address: Targeted IP for access

• Request Type: GET vs. POST

• User Agent: Source Browser (Mozilla, Safari, etc.)

• Query: Full Path of Webpage Requested

• HTTP Status Code: 200 is for success; 404 is for deny

• Bytes: Number of Bytes Transferred
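An added example, not from the slides, of parsing the fields above out of constructed Apache combined-format access log lines with Python and summarising them per source IP (request type, status, bytes, user agent). The log lines are constructed and the combined format is an assumption; note that it carries no destination IP column.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache "combined" format lines (not from a real server). The combined format has no
# destination IP column; the server address would have to be logged explicitly (e.g. per virtual host).
ACCESS_LOG = """\
203.0.113.9 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [01/May/2024:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.2 - - [01/May/2024:10:01:10 +0000] "POST /login.php HTTP/1.1" 200 221 "-" "curl/8.0.1"
198.51.100.2 - - [01/May/2024:10:01:11 +0000] "POST /login.php HTTP/1.1" 200 221 "-" "curl/8.0.1"
198.51.100.2 - - [01/May/2024:10:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 298 "-" "curl/8.0.1"
"""

# One named group per field the slide lists: source IP, date/time, request type, path (query), status, bytes, agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse(text):
    """Parse matching lines into dicts with typed time, status and bytes; unparseable lines are skipped."""
    recs = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    for r in recs:
        r["time"] = datetime.strptime(r["time"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        r["bytes"] = 0 if r["bytes"] == "-" else int(r["bytes"])
    return recs

def requests_by_src_and_method(recs):
    """How many GET vs. POST requests each source IP made."""
    return Counter((r["src"], r["method"]) for r in recs)

def errors_by_src(recs, status=404):
    """Sources hitting a given non-200 status; 404 means the path did not exist (Not Found)."""
    return Counter(r["src"] for r in recs if r["status"] == status)

def bytes_by_src(recs):
    """Total bytes served per source IP, useful for spotting bulk downloads."""
    totals = Counter()
    for r in recs:
        totals[r["src"]] += r["bytes"]
    return totals

def agents_by_src(recs):
    """Distinct user agents per source IP; scripted clients stand out next to browsers."""
    seen = {}
    for r in recs:
        seen.setdefault(r["src"], set()).add(r["agent"])
    return seen
```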
Logging Essentials

• Logging must be set with Incident Response Operations in mind (e.g. setup traps)

• All logging devices must get time from the same NTP server

• Logs shall be sent to a central device right away to defeat attackers' log deletion tricks

• Logs shall utilize a visualization tool like SIEM to see trends and correlations (event vs. incident)
SIEM (Security information and event management)

> Centralization

> Aggregation

> Correlation
Log Analysis
Live Example
