NETWORK FORENSICS AND INVESTIGATING LOGS
COMPUTER FORENSICS INVESTIGATING NETWORK





Objectives
• Look for evidence
• Perform an end-to-end forensic investigation
• Use log files as evidence
• Evaluate log file accuracy and authenticity
• Understand the importance of audit logs
• Understand Syslog
• Understand Linux process accounting
• Configure Windows logging
• Understand NTP
Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of networked computers to a common reference time.
Introduction to Network Forensics and Investigating Logs
This article focuses on network forensics and investigating logs. It starts by defining network forensics and describing the tasks associated with a forensic investigation. The article then covers log files and their use as evidence. The article concludes with a discussion about time synchronization.
Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks. Capturing network traffic is simple in theory but relatively complex in practice, because of the volume of data that flows through a network and the complexity of Internet protocols. Because recording network traffic consumes a lot of resources, it is often not possible to record all of the data flowing through the network. An investigator needs to back up this recorded data to free up recording media and to preserve it for future analysis.
Analyzing Network Data
The analysis of recorded data is the most critical and most time-consuming task. Although an investigator can use many automated analysis tools for forensic purposes, they are not sufficient on their own, as there is no foolproof method for distinguishing bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because automated traffic analysis tools always carry a chance of false positives. An investigator performs network forensics to determine the type of attack carried out over a network and to trace it to its source. The investigator must follow proper investigative procedures so that the evidence recovered during the investigation can be produced in a court of law.
Network forensics can reveal the following information:
• How an intruder entered the network
• The path of intrusion
• The intrusion techniques an attacker used
• Traces and evidence
Network forensics on its own cannot do the following:
• Solve the case by itself
• Link a specific person to an attack (network evidence identifies hosts and addresses, not the people behind them)
Looking for Evidence
An investigator can find evidence in the following places:
• The attacked computer and intermediate computers: logs, files, ambient data, and tools.
• Firewalls: the firewall's logs. If the firewall itself was the victim, the investigator treats it like any other compromised device when obtaining evidence.
• Internetworking devices (routers, switches, and similar): logs and buffers, as available.
• The victim computer: logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match known-good hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.
End-To-End Forensic Investigation
An end-to-end forensic investigation follows basic procedures from beginning to end. The following are some of the elements of an end-to-end forensic trace:
• The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.
• Locating evidence: Once an investigator knows which devices were used during the attack, he or she can search for evidence on those devices and analyze it to learn more about the attack and the attacker.
• Pitfalls of network evidence collection: Evidence can be lost within seconds because logs change rapidly. Sometimes permission is required to obtain evidence from certain sources, such as ISPs; obtaining it takes time, which increases the chance of evidence loss. Other pitfalls include the following:
  • An investigator or network administrator may mistake normal computer or network activity for attack activity.
  • There may be gaps in the chain of evidence.
  • Logs may be ambiguous, incomplete, or missing.
  • Since the Internet spans the globe, other nations may be involved in the investigation, which can create legal and political issues.
• Event analysis: After examining all of the information, the investigator correlates the events and the data from the various sources to get the whole picture.
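As an added illustration of event analysis and of the "ambiguous, incomplete, or missing" log pitfall (example code written for this page, not part of the original article): three constructed log sources, a firewall log with explicit UTC offsets, a web server access log whose clock is set to UTC-5, and a traditional syslog auth log that records neither year nor time zone, are normalized to UTC, merged into one timeline, and checked for lines that run backwards in file order. The hostnames, addresses, the firewall line format, and the year and UTC+1 host clock assumed for the syslog source are all assumptions; if the source clocks were not synchronized (the time synchronization concern this article discusses), the per-source offsets would first have to be measured and applied the same way.

```python
"""Correlating log lines from several sources into one UTC timeline."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs). Hostnames, addresses and the
# firewall line format are assumptions made for this example.
FIREWALL_LOG = """\
2024-03-05 09:14:00 +0000 fw1 ALLOW TCP 203.0.113.7:51230 -> 192.0.2.10:22
2024-03-05 09:14:05 +0000 fw1 ALLOW TCP 203.0.113.7:51240 -> 192.0.2.10:80
"""
# Apache/nginx combined format; this server's clock is set to UTC-5.
WEB_LOG = """\
203.0.113.7 - - [05/Mar/2024:04:14:06 -0500] "GET /login.php HTTP/1.1" 200 1342
203.0.113.7 - - [05/Mar/2024:04:14:09 -0500] "POST /login.php HTTP/1.1" 302 0
"""
# Traditional syslog carries neither year nor zone; the investigator supplies
# both. The second line is out of order in the file (daemons buffer writes);
# normalizing and sorting repairs the sequence, and the check below flags it.
AUTH_LOG = """\
Mar  5 10:14:12 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar  5 10:14:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51230 ssh2
"""
AUTH_YEAR = 2024                         # assumed: year the file was written
AUTH_TZ = timezone(timedelta(hours=1))   # assumed: host clock at UTC+1

FW_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\S+) (\w+) (\w+) (\S+) -> (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
AUTH_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")


def parse_firewall(line):
    """Firewall line with an explicit UTC offset: the easy case."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, host, action, proto, src, dst = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc),
            "source": host, "ip": src.rsplit(":", 1)[0],
            "summary": f"{action} {proto} {src} -> {dst}"}


def parse_web(line, host="web01"):
    """Combined-format access log; the bracketed offset makes it unambiguous."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc),
            "source": f"{host}/httpd", "ip": ip, "summary": f"{request} -> {status}"}


def parse_auth(line, year=AUTH_YEAR, host_tz=AUTH_TZ):
    """Syslog line: year and zone are absent from the record, so they are parameters."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    local = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year, tzinfo=host_tz)
    ipm = re.search(r"from (\S+) port", msg)
    return {"time": local.astimezone(timezone.utc), "source": f"{host}/{proc}",
            "ip": ipm.group(1) if ipm else None, "summary": msg}


def parse_log(text, parser):
    return [e for e in (parser(l) for l in text.splitlines()) if e]


def out_of_order(events):
    """Summaries of lines whose time precedes the previous line's: a sign of
    buffering, clock changes or tampering that deserves a closer look."""
    return [e["summary"] for prev, e in zip(events, events[1:]) if e["time"] < prev["time"]]


def build_timeline(*event_lists):
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


def events_for_ip(timeline, ip):
    return [e for e in timeline if e["ip"] == ip]


def format_timeline(timeline):
    return [f"{e['time']:%Y-%m-%dT%H:%M:%SZ} {e['source']}: {e['summary']}" for e in timeline]


def sample_timeline():
    fw = parse_log(FIREWALL_LOG, parse_firewall)
    web = parse_log(WEB_LOG, parse_web)
    auth = parse_log(AUTH_LOG, parse_auth)
    return build_timeline(fw, web, auth), out_of_order(auth)


if __name__ == "__main__":
    timeline, suspicious = sample_timeline()
    print("out-of-order lines in auth log:", suspicious)
    print("\n".join(format_timeline(timeline)))
```

Once merged, the sequence reads as one story (SSH allowed, password failure, HTTP allowed, GET and POST to the login page, SSH login accepted) that none of the three sources shows on its own. The year and zone parameters for the syslog source are exactly the kind of investigator-supplied assumption that must be documented, because getting either wrong silently reorders the timeline.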
Log Files as Evidence
Log files are the primary record of user activity on a system and of network activity. Using logs, an investigator can both identify which services were altered and discover the source of illicit activity; logs provide the clues that drive an investigation. The basic problem with logs is that they can be altered easily: an attacker with sufficient access can insert false entries or remove incriminating ones. An investigator must therefore be able to prove in court that the logging software is correct and that the logs are intact. Computer records are not normally admissible as evidence on their own; they must meet certain criteria to be admitted at all. The prosecution must present appropriate testimony to show that logs are accurate, reliable, and fully intact, and a witness must authenticate computer records presented as evidence.
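Because the paragraph above turns on whether log files can be shown to be intact, here is an added example (written for this page, not from the original article) of one standard technique for making a log tamper-evident: each entry is authenticated with an HMAC that covers the previous entry's tag, and the key is evolved with a one-way hash and the old key discarded after every entry, so a verifier holding the initial key can recompute the whole chain while a host compromised later cannot. The sample entries, the key, and the hash-based key update are constructed for illustration. The demonstration also shows the limit the legal list below states: entries appended after a compromise still verify, because the attacker holds the host's current key.

```python
"""A forward-secure MAC chain over log entries: tamper-evident, and a
demonstration of why entries written after a compromise remain suspect."""
import hashlib
import hmac

ZERO_TAG = b"\x00" * 32

# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    "sshd[2210]: Failed password for root from 203.0.113.7 port 51230",
    "sshd[2210]: Failed password for root from 203.0.113.7 port 51231",
    "httpd: 203.0.113.7 POST /login.php 302",
    "sudo: www-data : COMMAND=/bin/bash",
]


def evolve(key: bytes) -> bytes:
    """One-way key update: knowing k[i+1] does not reveal k[i]."""
    return hashlib.sha256(b"log-key-evolve:" + key).digest()


def tag_entry(key: bytes, prev_tag: bytes, message: str) -> bytes:
    """Tag binds the entry to its predecessor, so reordering or deletion is visible."""
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).digest()


class SecureLog:
    """Appends entries, each authenticated with the current key and chained to
    the previous tag; the key is evolved and the old one discarded after use."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_tag = ZERO_TAG
        self.entries = []  # (message, hex tag), as written to disk

    def append(self, message: str) -> None:
        tag = tag_entry(self._key, self._prev_tag, message)
        self.entries.append((message, tag.hex()))
        self._prev_tag = tag
        self._key = evolve(self._key)  # the key that signed this entry is now gone from the host


def verify(initial_key: bytes, entries):
    """Recompute the chain from k0 (held by the verifier, not the logging host).
    Returns (True, None) or (False, index of the first entry that fails)."""
    key, prev = initial_key, ZERO_TAG
    for i, (message, tag_hex) in enumerate(entries):
        expected = tag_entry(key, prev, message)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev, key = expected, evolve(key)
    return True, None


def demo():
    k0 = b"assumed-initial-key-provisioned-out-of-band"  # verifier keeps a copy
    log = SecureLog(k0)
    for m in SAMPLE_ENTRIES:
        log.append(m)
    results = {"intact": verify(k0, log.entries)}

    # An edit in place (turning a failure into a success) breaks that entry's tag.
    edited = list(log.entries)
    edited[1] = (edited[1][0].replace("Failed", "Accepted"), edited[1][1])
    results["edited"] = verify(k0, edited)

    # Deleting an entry shifts the chain: the entry that follows no longer matches.
    results["deleted"] = verify(k0, log.entries[:2] + log.entries[3:])

    # Compromise after entry 3: the attacker holds the host's current key and
    # state and appends what they like. The chain still verifies, which is why
    # post-compromise entries are only as trustworthy as the host itself.
    log.append("sshd[2211]: Accepted password for root from 203.0.113.7 port 51250")
    results["appended_after_compromise"] = verify(k0, log.entries)

    # Rewriting history fails: the key that authenticated entry 0 was erased,
    # so the attacker can only MAC with the current key, which the verifier's
    # recomputation from k0 does not reproduce.
    stolen_key = log._key
    rewritten = list(log.entries)
    rewritten[0] = ("nothing to see", tag_entry(stolen_key, ZERO_TAG, "nothing to see").hex())
    results["rewritten_with_stolen_key"] = verify(k0, rewritten)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

The scheme detects edits and deletions of entries written before the compromise but says nothing about entries written afterwards, so it complements rather than replaces shipping entries to a separate log host in near real time. It also assumes the evolved-away key is really gone; a Python object cannot guarantee that, and a production implementation would zeroize key material and keep the initial key only on the verifier.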
The Legality of Using Logs
The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind:
• Logs must be created reasonably contemporaneously with the event under investigation.
• Log files must not be tampered with.
• Someone with knowledge of the event must record the information. Here a program does the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.
• Logs must be kept as a regular business practice.
• Random compilations of data are not admissible.
• Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization.
• If an organization starts keeping regular logs now, it will be able to use them as evidence later.
• A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software, but must be able to testify to what sort of system is used, where the relevant software came from, and how and when the records are produced.
• A custodian or other qualified witness must also testify to the reliability and integrity of the hardware and software platform used, including the logging software.
• A record of failures or security breaches on the machine creating the logs will tend to impeach the evidence.
• If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.
• In a civil lawsuit against alleged hackers, anything in an organization's own records that would tend to exculpate the defendants can be used against the organization.
• An organization's own logging and monitoring software must be made available to the court so that the defense can examine the credibility of the records. If the organization can show that the relevant programs are trade secrets, it may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.
• The original copies of any log files are preferred.
• A printout of a disk or tape record is considered an original copy, unless and until judges and jurors are equipped with computers that have USB or SCSI interfaces.