I published a 4 Part Series on sources that can be used to aid in digital forensics investigations.
This is Part 4: Logs.
Side note: I have 3 more weeks left in this semester!
Digital forensics can be described as the science of identifying, extracting, and preserving computer logs, files, cookies, cache, meta-data, internet searches, and any other legally admissible evidence that could be used to solve crimes committed using internet connected infrastructure.
Although most investigations focus on computers, evidence is not limited to workstations and laptops. In recent years, forensics teams have expanded their searches to include social networks, file sharing solutions, cloud service providers, mobile devices, third party applications, and more.
Complicating matters further, some people access the internet from different devices and use multiple web browsers daily, including as Internet Explorer, Chrome, and Firefox. Therefore, forensics investigations can involve correlating multi-device URL visits, cookies, time data was accessed, search terms, caches, and downloaded files.
This post will assess log artifacts that could be used in a digital forensics investigation. The event types are limited to network intrusion detection, malware installation, and file deletion.
The analysis will include commentary about challenges that are common when gathering and inspecting the forensics data. Security professionals must also understand the usefulness of forensics data, so the discussion will include an analysis of how logs should be prioritized during investigations.
The forensics rankings used:
- Primary Sources=most likely to have relevant data
- Secondary Sources=may contain relevant data
- Tertiary Sources=may contain supporting data.
System logs provide digital footprints and time stamps of exactly what occurred on a device at any given time, actions taken, and can usually tie changes back to specific users.
Logs are so important to businesses that regulations, such as the Federal Rules of Civil Procedure (FRCP), require corporations to securely manage logs for incident response support and forensic analysis in potential breaches or crimes.
All logs are not created equal and can quickly overwhelm security staff if excessive logs are captured that provide little security value.
For example, firewalls can generate millions of debug logs daily that have no intrinsic value to investigations, so companies are advised against storing irrelevant debug data.
As a security engineer for Tripwire, we typically advise clients to prioritize capturing the following logs at minimum:
- Network device
- Business critical server audit
- Critical system file change
- User authentication
- Business critical database
- Logs of all actions tied to administrator accounts for offsite storage
- Active directory
- Management account
- Security appliances and/or applications
It is important to note that system and audit logging differs among operating systems and network infrastructure.
For example, root is used for administrator and elevated privileges in Unix systems, but not Windows. Therefore, security staff should build their logging strategy according to vendor best practices.
More importantly, security professionals should consult with business units, including legal, to align the strategy with business requirements. This will ensure that all regulatory mandates are covered and that risks are being properly evaluated from a holistic approach.
Log Collection & Examination Challenges
The biggest log collection & examination challenge is overwhelming amounts of data being generated daily. The Cloud Security Alliance estimates that some large enterprises generate 1 trillion events per day, a number that can grow as more data sources are added as more people or hired or more data gets moved to the cloud.
Another issue is gaps in logs. Although the number 1 control on the Top 20 Critical Security Controls is asset management, many companies still struggle with identifying and classifying all of their assets.
If the business is not aware assets exist, then they cannot log the security events needed to aid in forensics investigations.
Finally, extremely large and disparate data sets make it nearly impossible for forensics experts to correlate actionable intelligence with criminal activity.
Chief Security Officer Preston Woods concurs. During a 2012 interview, he states that his direct reports are, “swimming in data but had a hard time turning that into action”.
If the people on teams that are familiar with their environments are overwhelmed, then it will be extremely difficult for investigators to compile cohesive logs that contain actionable intelligence.
These challenges show that the biggest log collection and examination issues organizations face are the voluminous amounts of data being generated.
Log Priority in Intrusions, Malware, and File Deletion Events
Similar to other forensics sources, logs can contain relevant forensics data to help reconstruct all events on a system and tie actions to specific users. However, the value of the log data will be determined by whether gaps exist, proper events were logged on each system, and the availability of archived logs during the time frame in question.
Many companies only store logs for the amount of time and quantity required by law, and their data retention policies govern which logs are kept for specific purposes. Although logs are useful for forensic investigations, they are more important to some events types than others.
Let’s review prioritization aspects of logs in network intrusions, malware installs, and file deletions.
Log Priority in Network Intrusions: Primary
Logs from intrusion detection/prevention systems, firewalls, routers, and switches are critical during network intrusion investigations.
In the event of a breach, logs from network infrastructure should be the first data sources under review. These logs can be correlated in security analytics tools to establish a timeline of events and help determine what actions should be taken.
Log Priority Malware Installations: Secondary
Logs can be a good source of relevant data for malware installations, but evidence of malware will usually appear in file system changes first.
For example, malware typically alters critical system files to phone home to command and control servers as an authenticated user to hide itself as long as possible. The fact that the user is authenticated will allow the activity to continue unnoticed.
[Related: Malware: How it hides, detects, and reacts]
In my professional experience, changes to critical system files, such as .dll files, will identify the anomalous activity.
For this reason, logs are considered secondary sources for malware installations.
Log Priority in Insider File deletions: Primary
Logs can be modified or deleted to cover up evidence of tampering and malicious activity. It can be used in certain situations for attribution depending on the level of logging on the systems, but it is not the most reliable form of attribution. Therefore, logs are secondary for file system deletions.
Summary of key findings:
Logs provide digital footprints and time stamps of exactly what occurred on a device at any given time, actions taken, and can usually tie changes back to specific users. The main issues with logs include gaps in coverage, availability of archived log data, and voluminous amounts of data that can be overwhelming.
All data sources are not created equal, and security professionals must understand how to rank sources by the order of importance.
Logs are a primary forensics data source in network intrusions and insider file deletions. However, logs are a secondary source in malware investigations because evidence typically presents itself in file system changes first.
This concludes my 4 part series on data sources in digital forensics investigations.