NETWORK FORENSICS AND INVESTIGATING LOGS

Objectives

• Look for evidence • Perform an end-to-end forensic investigation • Use log files as evidence • Evaluate log file accuracy and authenticity

• Understand the importance of audit logs • Understand Syslog • Understand Linux process accounting • Configure Windows logging • Understand NTP

 

Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.

Network Time Protocol (NTP) is an Internet standard protocol that is used to synchronize the clocks of client computers.

Introduction to Network Forensics and Investigating Logs

This article focuses on network forensics and investigating logs. It starts by defining network forensics and describing the tasks associated with a forensic investigation. The article then covers log files and their use as evidence. The article concludes with a discussion about time synchronization.

Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks. Capturing network traffic over a network is simple in theory, but relatively complex in practice. This is because of the large amount of data that flows through a network and the complex nature of Internet protocols. Because recording network traffic involves a lot of resources, it is often not possible to record all of the data flowing through the network. An investigator needs to back up these recorded data to free up recording media and to preserve the data for future analysis.

 

Analyzing Network Data

The analysis of recorded data is the most critical and most time-consuming task. Although there are many automated analysis tools that an investigator can use for forensic purposes, they are not sufficient, as there is no foolproof method for discriminating bogus traffic generated by an attacker from genuine traffic. Human judgment is also critical because, with automated traffic analysis tools, there is always a chance of a false positive. An investigator needs to perform network forensics to determine the type of attack over a network and to trace out the culprit. The investigator needs to follow proper investigative procedures so that the evidence recovered during the investigation can be produced in a court of law.

Network forensics can reveal the following information:

• How an intruder entered the network

• The path of intrusion

• The intrusion techniques an attacker used

• Traces and evidence

 

Network forensics investigators cannot do the following:

• Solve the case alone

• Link a suspect to an attack

 

Looking for Evidence

An investigator can find evidence from the following:

• From the attacked computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools.

• From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.

• From internetworking devices: Evidence exists in logs and buffers as available.

• From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.

End-To-End Forensic Investigation

An end-to-end forensic investigation involves following basic procedures from beginning to end. The following are some of the elements of an end-to-end forensic trace: 

• The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.

• Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker.

• Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes, permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following:

• An investigator or network administrator may mistake normal computer or network activity for attack activity.

• There may be gaps in the chain of evidence.

• Logs may be ambiguous, incomplete, or missing.

• Since the Internet spans the globe, other nations may be involved in the investigation. This can create legal and political issues for the investigation.

• Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture.

  

Log Files as Evidence

Log files are the primary recorders of a user’s activity on a system and of network activities. An investigator can both recover any services altered and discover the source of illicit activities using logs. Logs provide clues to investigate. The basic problem with logs is that they can be altered easily. An attacker can easily insert false entries into log files. An investigator must be able to prove in court that logging software is correct. Computer records are not normally admissible as evidence; they must meet certain criteria to be admitted at all. The prosecution must present appropriate testimony to show that logs are accurate, reliable, and fully intact. A witness must authenticate computer records presented as evidence.

 

The legality of Using Logs

The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind:

• Logs must be created reasonably contemporaneously with the event under investigation.

• Log files cannot be tampered with.

• Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record, therefore, reflects the a priori knowledge of the programmer and system administrator.

• Logs must be kept as a regular business practice.

• Random compilations of data are not admissible.

• Logs instituted after an incident has commenced do not qualify under the business records exception; they do not reflect the customary practice of an organization.

• If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.

• A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.

• A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.

• A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.

• If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.

• In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.

• An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.

• The original copies of any log files are preferred.

• A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped with computers that have USB or SCSI interfaces.

READ MORE: BUSINESS AND FINANCIAL RISK EXPERT IN NIGERIA