The document discusses various aspects of network forensics and investigating logs. It covers analyzing log files as evidence, maintaining accurate timekeeping across systems, configuring extended logging in IIS servers, and the importance of log file accuracy and authenticity when using logs as evidence in an investigation.
2. AGENDA OF DAY
ï‚¢ Look for evidence
ï‚¢ Perform an end-to-end forensic investigation
ï‚¢ Use log files as evidence
ï‚¢ Evaluate log file accuracy and authenticity
ï‚¢ Understand the importance of audit logs
ï‚¢ Understand syslog
ï‚¢ Understand Linux process accounting
ï‚¢ Configure Windows logging
ï‚¢ Understand NTP
3. KEY TERM
ï‚¢ Intrusion detection the process of tracking
unauthorized activity using techniques such as
inspecting user actions, security logs, or audit data
ï‚¢ Network Time Protocol (NTP) an Internet
standard protocol that is used to synchronize the
clocks of client computers
4. NETWORK FORENSICS
ï‚¢ Network forensics is the capturing, recording, and
analysis of network events in order to discover the
source of security attacks.
ï‚¢ An investigator needs to back up these recorded
data to free up recording media and to preserve the
data for future analysis
5. ANALYZING NETWORK DATA
ï‚¢ An investigator needs to perform network forensics
to determine the type of an attack over a network
and to trace out the culprit.
ï‚¢ The investigator needs to follow proper
investigative procedures so that the evidences
recovered during investigation can be produced in a
court of law.
ï‚¢ Network forensics can reveal the following
information:
ï‚— How an intruder entered the network
ï‚— The path of intrusion
ï‚— The intrusion techniques an attacker used
ï‚— Traces and evidence
6. THE INTRUSION PROCESS
Network intruders can enter a system using the
following methods:
Enumeration:
ï‚— Enumeration is the process of gathering information
about a network that may help an intruder attack the
network.
ï‚— Enumeration is generally carried out over the Internet.
The following information is collected during
enumeration:
• Topology of the network
• List of live hosts
• Network architecture and types of traffic (for
example, TCP, UDP, and IPX)
• Potential vulnerabilities in host systems
7. LOOKING FOR EVIDENCE
Vulnerabilities:
ï‚— An attacker identifies potential weaknesses in a system,
network, and elements of the network and then tries to
take advantage of those vulnerabilities.
ï‚— The intruder can find known vulnerabilities using various
scanners.
ï‚¢ Viruses: Viruses are a major cause of shutdown of network
components. A virus is a software program written to change
the behavior of a computer or other device on a network,
without the permission or knowledge of the user.
ï‚¢ Trojans: Trojan horses are programs that contain or install
malicious programs on targeted systems. These programs
serve as back doors and are often used to steal information
from systems.
8. CONT..
ï‚¢ E-mail infection: The use of e-mail to attack a network is
increasing. An attacker can use e-mail spamming and other
means to flood a network and cause a denial-of-service attack
ï‚¢ Router attacks: Routers are the main gateways into a
network, through which all traffic passes. A router attack can
bring down a whole network.
ï‚¢ Password cracking: Password cracking is a last resort for
any kind of attack.
9. LOOKING FOR EVIDENCE
ï‚¢ An investigator can find evidence from the
following:
ï‚— From the attack computer and intermediate
computers: This evidence is in the form of
logs, files, ambient data, and tools.
 From firewalls: An investigator can look at a firewall’s
logs. If the firewall itself was the victim, the investigator
treats the firewall like any other device when obtaining
evidence.
ï‚— From internetworking devices: Evidence exists in logs
and buffers as available.
10. LOOKING FOR EVIDENCE
ï‚— From the victim computer: An investigator can find
evidence in logs, files, ambient data, altered
configuration files, remnants of Trojaned files, files that
do not match hash sets, tools, Trojans and
viruses, stored stolen files, Web defacement
remnants, and unknown file extensions.
11. END-TO-END FORENSIC INVESTIGATION
ï‚¢ An end-to-end forensic investigation involves
following basic procedures from beginning to end.
ï‚¢ The end-to-end concept: An end-to-end
investigation tracks all elements of an
attack, including how the attack began, what
intermediate devices were used during the
attack, and who was attacked.
ï‚¢ Locating evidence: Once an investigator knows
what devices were used during the attack, he or
she can search for evidence on those devices. The
investigator can then analyze that evidence to learn
more about the attack and the attacker.
12. END-TO-END FORENSIC INVESTIGATION
ï‚¢ Pitfalls of network evidence collection: Evidence can be
lost in a few seconds during log analysis because logs
change rapidly. Sometimes, permission is required to
obtain evidence from certain sources,
ï‚¢ such as ISPs. This process can take time, which
increases the chances of evidence loss. Other pitfalls
ï‚¢ include the following:
ï‚— An investigator or network administrator may mistake normal
computer or network activity for attack activity.
ï‚— There may be gaps in the chain of evidence.
ï‚— Logs may be ambiguous, incomplete, or missing.
ï‚— Since the Internet spans the globe, other nations may be
involved in the investigation. This can create legal and
political issues for the investigation.
13. END-TO-END FORENSIC INVESTIGATION
ï‚¢ Event analysis: After an investigator examines all
of the information, he or she correlates all of the
events and all of the data from the various sources
to get the whole picture.
15. LEGALITY OF USING LOGS
ï‚¢ The following are some of the legal issues involved with
creating and using logs that organizations and
investigators must keep in mind :
ï‚¢ Logs must be created reasonably contemporaneously
with the event under investigation.
ï‚¢ Someone with knowledge of the event must record the
information. In this case, a program is doing the
recording; the record therefore reflects the a priori
knowledge of the programmer and system administrator.
ï‚¢ Logs must be kept as a regular business practice.
ï‚¢ Random compilations of data are not admissible.
16. LEGALITY OF USING LOGS
ï‚¢ If an organization starts keeping regular logs now, it will be
able to use the logs as evidence later.
ï‚¢ A custodian or other qualified witness must testify to the
accuracy and integrity of the logs. This process is known as
authentication. The custodian need not be the programmer
who wrote the logging software; however, he or she must be
able to offer testimony on what sort of system is used, where
the relevant software came from, and how and when the
records are produced.
ï‚¢ A custodian or other qualified witness must also offer
testimony as to the reliability and integrity of the hardware and
software platform used, including the logging software.
ï‚¢ A record of failures or of security breaches on the machine
creating the logs will tend to impeach the evidence
17. LEGALITY OF USING LOGS
ï‚¢ If an investigator claims that a machine has been
penetrated, log entries from after that point are
inherently suspect.
ï‚¢ In a civil lawsuit against alleged hackers, anything in an
organization’s own records that would tend to exculpate
the defendants can be used against the organization.
 An organization’s own logging and monitoring software
must be made available to the court so that the defense
has an opportunity to examine the credibility of the
records. If an organization can show that the relevant
programs are trade secrets, the organization may be
allowed to keep them secret or to disclose them to the
defense only under a confidentiality order.
18. LEGALITY OF USING LOGS
ï‚¢ The original copies of any log files are preferred.
ï‚¢ A printout of a disk or tape record is considered to
be an original copy, unless and until judges and
jurors are equipped computers that have USB or
SCSI interfaces.
19. EXAMINING INTRUSION AND SECURITY
EVENTS
ï‚¢ Examining intrusion and security events includes
both passive and active tasks.
ï‚¢ A detection of an intrusion that occurs after an
attack has taken place is called a post-attack
detection or passive intrusion detection.
ï‚— In these cases, the inspection of log files is the only
medium that can be used to evaluate and rebuild the
attack techniques.
ï‚— Passive intrusion detection techniques usually involve a
manual review of event logs and application logs.
ï‚— An investigator can inspect and analyze event log data
to detect attack patterns.
20. EXAMINING INTRUSION AND SECURITY
EVENTS
ï‚¢ There are many attack attempts that can be
detected as soon as the attack takes place.
ï‚¢ This type of detection is known as active intrusion
detection.
ï‚— Using this method, an administrator or investigator
follows the footsteps of the attacker and looks for known
attack patterns or commands, and blocks the execution
of those commands.
21. INTRUSION DETECTION
ï‚¢ Intrusion detection is the process of tracking unauthorized
activity using techniques such as inspecting user actions,
security logs, or audit data.
ï‚¢ There are various types of intrusions, including unauthorized
access to files and systems, worms, Trojans, computer
viruses, buffer overflow attacks, application redirection, and
identity and data spoofing.
ï‚¢ Intrusion attacks can also appear in the form of denial of
service, and DNS, e-mail, content, or data corruption.
ï‚¢ Intrusions can result in a change of user and file security
rights, installation of Trojan files, and improper data access.
ï‚¢ Administrators use many different intrusion detection
techniques, including evaluation of system logs and settings,
and deploying firewalls, antivirus software, and specialized
intrusion detection systems.
ï‚¢ Administrators should investigate any unauthorized or
malicious entry into a network or host.
22. USING MULTIPLE LOGS AS EVIDENCE
ï‚¢ Recording the same information in two different devices
makes the evidence stronger.
ï‚¢ Logs from several devices collectively support each other.
ï‚¢ Firewall logs, IDS logs, and TCPDump output can contain
evidence of an Internet user connecting to a specific server at
a given time.
23. MAINTAINING CREDIBLE IIS LOG FILES
ï‚¢ Many network administrators have faced serious Web server
attacks that have become legal issues.
ï‚¢ Web attacks are generally traced using IIS logs.
ï‚¢ Investigators must ask themselves certain questions before
presenting IIS logs in court, including:
ï‚— What would happen if the credibility of the IIS logs was challenged in
court?
ï‚— What if the defense claims the logs are not reliable enough to be
admissible as evidence?
ï‚¢ An investigator must secure the evidence and ensure that it is
accurate, authentic, and accessible.
ï‚¢ In order to prove that the log files are valid, the investigator
needs to present them as acceptable and dependable by
providing convincing arguments, which makes them valid
evidence.
24. LOG FILE ACCURACY
ï‚¢ The accuracy of IIS log files determines their credibility.
ï‚¢ Accuracy here means that the log files presented before the
court of law represent the actual outcome of the activities
related to the IIS server being investigated.
ï‚¢ Any modification to the logs causes the validity of the entire
log file being presented to be suspect.
25. LOGGING EVERYTHING
ï‚¢ In order to ensure that a log file is accurate, a network
administrator must log everything.
ï‚¢ Certain fields in IIS log files might seem to be less
significant, but every field can make a major contribution as
evidence.
ï‚¢ Therefore, network administrators should configure their IIS
server logs to record every field available.
ï‚¢ IIS logs must record information about Web users so that the
logs provide clues about whether an attack came from a
logged-in user or from another system.
ï‚¢ Consider a defendant who claims a hacker had attacked his
system and installed a back-door proxy server on his
computer. The attacker then used the back-door proxy to
attack other systems.
ï‚¢ In such a case, how does an investigator prove that the traffic
came from a specific user’s Web browser or that it was a
proxied attack from someone else?
26. EXTENDED LOGGING IN IIS SERVER
ï‚¢ Limited logging is set globally by default, so any new
Web sites created have the same limited logging. An
administrator can change the configuration of an IIS
server to use extended logging.
ï‚¢ The following steps explain how to enable extended
logging for an IIS Web/FTP server and change the
location of log files:
ï‚— Run the Internet Services Manager.
ï‚— Select the properties on the Web/FTP server.
ï‚— Select the Web site or FTP site tab.
ï‚— Check the Enable Loggingcheck box.
ï‚— Select W3C Extended Log File Formatfrom the drop-down
list.
ï‚— Go to Properties.
27. EXTENDED LOGGING IN IIS SERVER
ï‚¢ Click the Extended Properties tab, and set the
following properties accordingly:
ï‚— Client IP address
ï‚— User name
ï‚— Method
ï‚— URI stem
ï‚— HTTP status
ï‚— Win32 status
ï‚— User agent
ï‚— Server IP address
ï‚— Server port
ï‚¢ Select Daily for New Log Time Period below the
general Properties tab.
28. EXTENDED LOGGING IN IIS SERVER
ï‚¢ Select Use local time for file naming and overturn.
ï‚¢ Change the log file directory to the location of logs.
ï‚¢ Ensure that the NTFS security settings have the
following settings:
ï‚— Administrators - Full Control
ï‚— System - Full Contro
29. KEEPING TIME
ï‚¢ With the Windows time service, a network administrator can
synchronize IIS servers by connecting them to an external
time source.
ï‚¢ Using a domain makes the time service synchronous to the
domain controller. A network administrator can synchronize a
standalone server to an external time source by setting certain
registry entries:
Key:
HKLMSYSTEMCurrentControlSetServicesW32TimeParameters
Setting: Type
Type: REG_SZ
Value: NTP
Key:
HKLMSYSTEMCurrentControlSetServicesW32TimeParameters
Setting: NtpServer
Type: REG_SZ
Value: ntp.xsecurity.com
30. UTC TIME
ï‚¢ IIS records logs using UTC time, which helps in synchronizing
servers in multiple zones.
ï‚¢ Windows offsets the value of the system clock with the system
time zone to calculate UTC time.
ï‚¢ To check whether the UTC time is correct, a network
administrator must ensure that the local time zone setting is
accurate.
ï‚¢ The network administrator must verify that during the process
IIS is set to roll over logs using local time