NETWORK FORENSICS AND INVESTIGATING LOGS
AGENDA OF DAY
• Look for evidence
• Perform an end-to-end forensic investigation
• Use log files as evidence
• Evaluate log file accuracy and authenticity
• Understand the importance of audit logs
• Understand syslog
• Understand Linux process accounting
• Configure Windows logging
• Understand NTP
KEY TERMS
• Intrusion detection: the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
• Network Time Protocol (NTP): an Internet standard protocol that is used to synchronize the clocks of client computers.
NETWORK FORENSICS
• Network forensics is the capturing, recording, and analysis of network events in order to discover the source of security attacks.
• An investigator needs to back up this recorded data to free up recording media and to preserve the data for future analysis.
ANALYZING NETWORK DATA
• An investigator needs to perform network forensics to determine the type of attack carried out over a network and to trace the culprit.
• The investigator needs to follow proper investigative procedures so that the evidence recovered during the investigation can be produced in a court of law.
• Network forensics can reveal the following information:
  - How an intruder entered the network
  - The path of the intrusion
  - The intrusion techniques the attacker used
  - Traces and evidence
THE INTRUSION PROCESS
Network intruders can enter a system using the following methods:
• Enumeration:
  - Enumeration is the process of gathering information about a network that may help an intruder attack the network.
  - Enumeration is generally carried out over the Internet. The following information is collected during enumeration:
    - Topology of the network
    - List of live hosts
    - Network architecture and types of traffic (for example, TCP, UDP, and IPX)
    - Potential vulnerabilities in host systems
LOOKING FOR EVIDENCE
• Vulnerabilities:
  - An attacker identifies potential weaknesses in a system, a network, and the elements of the network, and then tries to take advantage of those vulnerabilities.
  - The intruder can find known vulnerabilities using various scanners.
• Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behavior of a computer or other device on a network without the permission or knowledge of the user.
• Trojans: Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems.
CONT..
• E-mail infection: The use of e-mail to attack a network is increasing. An attacker can use e-mail spamming and other means to flood a network and cause a denial-of-service attack.
• Router attacks: Routers are the main gateways into a network, through which all traffic passes. A router attack can bring down a whole network.
• Password cracking: Password cracking is a last resort for any kind of attack.
LOOKING FOR EVIDENCE
• An investigator can find evidence from the following:
  - From the attack computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools.
  - From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.
  - From internetworking devices: Evidence exists in logs and buffers as available.
  - From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.
END-TO-END FORENSIC INVESTIGATION
• An end-to-end forensic investigation involves following basic procedures from beginning to end.
• The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.
• Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker.
• Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following:
  - An investigator or network administrator may mistake normal computer or network activity for attack activity.
  - There may be gaps in the chain of evidence.
  - Logs may be ambiguous, incomplete, or missing.
  - Since the Internet spans the globe, other nations may be involved in the investigation. This can create legal and political issues for the investigation.
• Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture.
LOG FILES AS EVIDENCE
LEGALITY OF USING LOGS
The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind:
• Logs must be created reasonably contemporaneously with the event under investigation.
• Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.
• Logs must be kept as a regular business practice.
• Random compilations of data are not admissible.
• If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.
• A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.
• A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.
• A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.
• If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.
• In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.
• An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.
• The original copies of any log files are preferred.
• A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped with computers that have USB or SCSI interfaces.
EXAMINING INTRUSION AND SECURITY EVENTS
• Examining intrusion and security events includes both passive and active tasks.
• A detection of an intrusion that occurs after an attack has taken place is called a post-attack detection or passive intrusion detection.
  - In these cases, the inspection of log files is the only medium that can be used to evaluate and rebuild the attack techniques.
  - Passive intrusion detection techniques usually involve a manual review of event logs and application logs.
  - An investigator can inspect and analyze event log data to detect attack patterns.
• Many attack attempts can be detected as soon as the attack takes place. This type of detection is known as active intrusion detection.
  - Using this method, an administrator or investigator follows the footsteps of the attacker, looks for known attack patterns or commands, and blocks the execution of those commands.
INTRUSION DETECTION
• Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
• There are various types of intrusions, including unauthorized access to files and systems, worms, Trojans, computer viruses, buffer overflow attacks, application redirection, and identity and data spoofing.
• Intrusion attacks can also appear in the form of denial of service, and DNS, e-mail, content, or data corruption.
• Intrusions can result in a change of user and file security rights, installation of Trojan files, and improper data access.
• Administrators use many different intrusion detection techniques, including evaluation of system logs and settings, and deploying firewalls, antivirus software, and specialized intrusion detection systems.
• Administrators should investigate any unauthorized or malicious entry into a network or host.
USING MULTIPLE LOGS AS EVIDENCE
• Recording the same information on two different devices makes the evidence stronger.
• Logs from several devices collectively support each other.
• Firewall logs, IDS logs, and TCPDump output can contain evidence of an Internet user connecting to a specific server at a given time.
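As an added example (not code from the original slides), the following Python parses constructed firewall, IDS and tcpdump records of one client connecting to a web server and reports which independent sources corroborate that connection within a time window. The three log formats are simplified assumptions, not any vendor's exact output, so the parse_* functions are what you would adapt to real devices.

```python
"""Corroborate one network connection across firewall, IDS and tcpdump
records. Added example; all log lines are constructed samples in
simplified formats (assumed, not any vendor's exact output)."""
import re
from collections import namedtuple
from datetime import date, datetime, timedelta, timezone

# One normalised record per source: who connected to what, and when (UTC).
Event = namedtuple("Event", "source ts src_ip src_port dst_ip dst_port")

# Constructed samples: 203.0.113.5 connects to the web server 192.0.2.10:80
# and each of the three sources records it with its own clock and format.
FIREWALL_LOG = """\
2024-03-01T10:15:02Z ACCEPT TCP 203.0.113.5:51234 -> 192.0.2.10:80
2024-03-01T10:15:40Z DROP TCP 198.51.100.7:4444 -> 192.0.2.10:22
"""
IDS_LOG = """\
03/01-10:15:03.120000 [**] [1:1000001:1] WEB-MISC suspicious request [**] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
"""
TCPDUMP_OUT = """\
10:15:02.987654 IP 203.0.113.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
10:15:02.988100 IP 192.0.2.10.80 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) TCP (\S+):(\d+) -> (\S+):(\d+)$")
IDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\S+) .*\{TCP\} (\S+):(\d+) -> (\S+):(\d+)$")
# Only the initial SYN (Flags [S]) marks a connection attempt; the SYN-ACK
# going the other way is deliberately not matched.
TCPDUMP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\],")


def parse_firewall(text):
    """Firewall lines carry a full ISO 8601 UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event("firewall", ts, m.group(3), int(m.group(4)), m.group(5), int(m.group(6))))
    return events


def parse_ids(text, year):
    """Snort-style alerts omit the year, so the investigator supplies it."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            t = datetime.strptime(m.group(3), "%H:%M:%S.%f")
            ts = datetime(year, int(m.group(1)), int(m.group(2)),
                          t.hour, t.minute, t.second, t.microsecond, tzinfo=timezone.utc)
            events.append(Event("ids", ts, m.group(4), int(m.group(5)), m.group(6), int(m.group(7))))
    return events


def parse_tcpdump(text, capture_day):
    """tcpdump prints the time of day only; the capture date is supplied."""
    events = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f").time()
            ts = datetime.combine(capture_day, t, tzinfo=timezone.utc)
            events.append(Event("tcpdump", ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return events


def corroborate(events, src_ip, dst_ip, dst_port, window=timedelta(seconds=5)):
    """Group by source every event matching the connection tuple that lies
    within `window` of the earliest match. The window absorbs clock skew
    between devices, which is why NTP matters for correlating evidence."""
    matches = [e for e in events if (e.src_ip, e.dst_ip, e.dst_port) == (src_ip, dst_ip, dst_port)]
    if not matches:
        return {}
    anchor = min(e.ts for e in matches)
    by_source = {}
    for e in sorted(matches, key=lambda ev: ev.ts):
        if e.ts - anchor <= window:
            by_source.setdefault(e.source, []).append(e)
    return by_source


def all_events():
    """Parse the three constructed sources for the capture day 2024-03-01."""
    day = date(2024, 3, 1)
    return parse_firewall(FIREWALL_LOG) + parse_ids(IDS_LOG, day.year) + parse_tcpdump(TCPDUMP_OUT, day)


if __name__ == "__main__":
    found = corroborate(all_events(), "203.0.113.5", "192.0.2.10", 80)
    for source, evs in found.items():
        print(source, [e.ts.isoformat() for e in evs])
```

A connection seen by all three sources carries far more weight than one that appears only in the firewall log, which is the point the slide makes about logs supporting each other.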
MAINTAINING CREDIBLE IIS LOG FILES
• Many network administrators have faced serious Web server attacks that have become legal issues.
• Web attacks are generally traced using IIS logs.
• Investigators must ask themselves certain questions before presenting IIS logs in court, including:
  - What would happen if the credibility of the IIS logs was challenged in court?
  - What if the defense claims the logs are not reliable enough to be admissible as evidence?
• An investigator must secure the evidence and ensure that it is accurate, authentic, and accessible.
• To establish the log files as valid evidence, the investigator must show, with convincing arguments, that they are acceptable and dependable.
LOG FILE ACCURACY
• The accuracy of IIS log files determines their credibility.
• Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated.
• Any modification to the logs causes the validity of the entire log file being presented to be suspect.
LOGGING EVERYTHING
• In order to ensure that a log file is accurate, a network administrator must log everything.
• Certain fields in IIS log files might seem to be less significant, but every field can make a major contribution as evidence.
• Therefore, network administrators should configure their IIS server logs to record every field available.
• IIS logs must record information about Web users so that the logs provide clues about whether an attack came from a logged-in user or from another system.
• Consider a defendant who claims a hacker had attacked his system and installed a back-door proxy server on his computer. The attacker then used the back-door proxy to attack other systems.
• In such a case, how does an investigator prove that the traffic came from a specific user’s Web browser or that it was a proxied attack from someone else?
EXTENDED LOGGING IN IIS SERVER
• Limited logging is set globally by default, so any new Web sites created have the same limited logging. An administrator can change the configuration of an IIS server to use extended logging.
• The following steps explain how to enable extended logging for an IIS Web/FTP server and change the location of the log files:
  - Run the Internet Services Manager.
  - Select the properties of the Web/FTP server.
  - Select the Web Site or FTP Site tab.
  - Check the Enable Logging check box.
  - Select W3C Extended Log File Format from the drop-down list.
  - Go to Properties.
  - Click the Extended Properties tab, and select the following fields:
    - Client IP address
    - User name
    - Method
    - URI stem
    - HTTP status
    - Win32 status
    - User agent
    - Server IP address
    - Server port
  - Select Daily for New Log Time Period on the General Properties tab.
  - Select Use local time for file naming and rollover.
  - Change the log file directory to the location of the logs.
  - Ensure that the NTFS security settings on the log directory are the following:
    - Administrators - Full Control
    - System - Full Control
KEEPING TIME
• With the Windows Time service, a network administrator can synchronize IIS servers by connecting them to an external time source.
• Using a domain makes the time service synchronize with the domain controller. A network administrator can synchronize a standalone server to an external time source by setting the following registry entries:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  Setting: Type
  Type: REG_SZ
  Value: NTP

  Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  Setting: NtpServer
  Type: REG_SZ
  Value: ntp.xsecurity.com
UTC TIME
• IIS records logs using UTC time, which helps in synchronizing servers in multiple time zones.
• Windows offsets the value of the system clock by the system time zone to calculate UTC time.
• To check whether the UTC time is correct, a network administrator must ensure that the local time zone setting is accurate.
• The network administrator must verify that during the process IIS is set to roll over logs using local time.
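As an added example (not code from the slides) that serves both the extended-logging steps and this UTC slide, the following Python parses a constructed IIS W3C Extended log, reports which of the fields listed in the extended-logging steps are missing from its #Fields: directive, and converts the UTC timestamps IIS writes to an assumed local offset, so that a daily file spanning two UTC dates can be recognised as a single local day rather than a sign of tampering. The W3C field names are the ones IIS writes; the UTC-5 offset is an assumed parameter.

```python
"""Parse an IIS W3C Extended log, check that the fields the slides ask for
are present, and translate the UTC timestamps IIS writes into local time.
Added example, not code from the slides; the log is a constructed sample
and the local UTC offset is an assumed parameter."""
from datetime import datetime, timedelta, timezone

# Fields the slides say to enable, keyed by the names IIS writes in the
# "#Fields:" directive of a W3C Extended log.
REQUIRED_FIELDS = {
    "c-ip": "Client IP address",
    "cs-username": "User name",
    "cs-method": "Method",
    "cs-uri-stem": "URI stem",
    "sc-status": "HTTP status",
    "sc-win32-status": "Win32 status",
    "cs(User-Agent)": "User agent",
    "s-ip": "Server IP address",
    "s-port": "Server port",
}

# Constructed sample. The date/time columns are UTC, so the file spans two
# UTC calendar days even though it covers a single local (UTC-5) day.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Date: 2024-03-01 23:58:00
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2024-03-01 23:58:07 192.0.2.10 GET /index.htm 80 - 203.0.113.5 Mozilla/5.0 200 0
2024-03-01 23:59:41 192.0.2.10 POST /login.aspx 80 alice 203.0.113.5 Mozilla/5.0 302 0
2024-03-02 00:00:15 192.0.2.10 GET /admin/ 80 - 198.51.100.7 curl/8.0 403 0
"""


def parse_w3c(text):
    """Return (field names, list of dict entries). Directive lines start
    with '#'; the '#Fields:' directive names the space-separated columns."""
    fields, entries = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date: keep for the record, not parsed here
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # A column-count mismatch is the first sign of a truncated or
            # edited line and should be raised, not silently skipped.
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        entries.append(dict(zip(fields, values)))
    return fields, entries


def missing_fields(fields):
    """Human-readable names of required fields absent from the #Fields: line."""
    return sorted(label for name, label in REQUIRED_FIELDS.items() if name not in fields)


def entry_time_utc(entry):
    """IIS writes the W3C date/time columns in UTC regardless of the server's zone."""
    stamp = entry["date"] + " " + entry["time"]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def to_local(entry, offset_hours):
    """Convert an entry's UTC timestamp to a fixed local offset (assumed
    value; use the server's real time zone setting in an investigation)."""
    return entry_time_utc(entry).astimezone(timezone(timedelta(hours=offset_hours)))


def calendar_days(entries, offset_hours=0):
    """Distinct calendar dates covered by the entries at the given offset.
    With 'Use local time for file naming and rollover' a daily log file
    should cover one local day even when its UTC dates differ."""
    return sorted({to_local(e, offset_hours).strftime("%Y-%m-%d") for e in entries})


if __name__ == "__main__":
    fields, entries = parse_w3c(SAMPLE_LOG)
    print("missing required fields:", missing_fields(fields) or "none")
    print("UTC days:", calendar_days(entries), "local (UTC-5) days:", calendar_days(entries, -5))
```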

ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
 
IP ROUTING
IP ROUTINGIP ROUTING
IP ROUTING
 
INTRODUCTION TO IOS AND CISCO ROUTERS
INTRODUCTION TO IOS AND CISCO ROUTERSINTRODUCTION TO IOS AND CISCO ROUTERS
INTRODUCTION TO IOS AND CISCO ROUTERS
 
Manage CISCO IOS
Manage CISCO IOSManage CISCO IOS
Manage CISCO IOS
 
Day 5 VIRTUAL LANS
Day 5 VIRTUAL LANSDay 5 VIRTUAL LANS
Day 5 VIRTUAL LANS
 
Day 4 LAYER 2 SWITCHING
Day 4 LAYER 2 SWITCHINGDay 4 LAYER 2 SWITCHING
Day 4 LAYER 2 SWITCHING
 
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTING
 
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERSDay 1 INTRODUCTION TO IOS AND CISCO ROUTERS
Day 1 INTRODUCTION TO IOS AND CISCO ROUTERS
 
Day 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOSDay 6 - Manage CISCO IOS
Day 6 - Manage CISCO IOS
 
Wds
WdsWds
Wds
 
Disk management server
Disk management serverDisk management server
Disk management server
 
Windows 2008 basics
Windows 2008 basicsWindows 2008 basics
Windows 2008 basics
 

Recently uploaded

9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 

Recently uploaded (20)

9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 

NETWORK FORENSICS: INVESTIGATING LOGS FOR EVIDENCE

7. LOOKING FOR EVIDENCE
• Vulnerabilities:
  - An attacker identifies potential weaknesses in a system, a network, and the elements of the network, and then tries to take advantage of those vulnerabilities.
  - The intruder can find known vulnerabilities using various scanners.
• Viruses: Viruses are a major cause of shutdown of network components. A virus is a software program written to change the behavior of a computer or other device on a network, without the permission or knowledge of the user.
• Trojans: Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems.

8. CONT.
• E-mail infection: The use of e-mail to attack a network is increasing. An attacker can use e-mail spamming and other means to flood a network and cause a denial-of-service attack.
• Router attacks: Routers are the main gateways into a network, through which all traffic passes. A router attack can bring down a whole network.
• Password cracking: Password cracking is a last resort for any kind of attack.
9. LOOKING FOR EVIDENCE
• An investigator can find evidence from the following:
  - From the attack computer and intermediate computers: This evidence is in the form of logs, files, ambient data, and tools.
  - From firewalls: An investigator can look at a firewall’s logs. If the firewall itself was the victim, the investigator treats the firewall like any other device when obtaining evidence.
  - From internetworking devices: Evidence exists in logs and buffers as available.

10. LOOKING FOR EVIDENCE
  - From the victim computer: An investigator can find evidence in logs, files, ambient data, altered configuration files, remnants of Trojaned files, files that do not match hash sets, tools, Trojans and viruses, stored stolen files, Web defacement remnants, and unknown file extensions.
11. END-TO-END FORENSIC INVESTIGATION
• An end-to-end forensic investigation involves following basic procedures from beginning to end.
• The end-to-end concept: An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked.
• Locating evidence: Once an investigator knows what devices were used during the attack, he or she can search for evidence on those devices. The investigator can then analyze that evidence to learn more about the attack and the attacker.

12. END-TO-END FORENSIC INVESTIGATION
• Pitfalls of network evidence collection: Evidence can be lost in a few seconds during log analysis because logs change rapidly. Sometimes, permission is required to obtain evidence from certain sources, such as ISPs. This process can take time, which increases the chances of evidence loss. Other pitfalls include the following:
  - An investigator or network administrator may mistake normal computer or network activity for attack activity.
  - There may be gaps in the chain of evidence.
  - Logs may be ambiguous, incomplete, or missing.
  - Since the Internet spans the globe, other nations may be involved in the investigation. This can create legal and political issues for the investigation.

13. END-TO-END FORENSIC INVESTIGATION
• Event analysis: After an investigator examines all of the information, he or she correlates all of the events and all of the data from the various sources to get the whole picture.
14. LOG FILE AS EVIDENCE
15. LEGALITY OF USING LOGS
• The following are some of the legal issues involved with creating and using logs that organizations and investigators must keep in mind:
  - Logs must be created reasonably contemporaneously with the event under investigation.
  - Someone with knowledge of the event must record the information. In this case, a program is doing the recording; the record therefore reflects the a priori knowledge of the programmer and system administrator.
  - Logs must be kept as a regular business practice.
  - Random compilations of data are not admissible.

16. LEGALITY OF USING LOGS
• If an organization starts keeping regular logs now, it will be able to use the logs as evidence later.
• A custodian or other qualified witness must testify to the accuracy and integrity of the logs. This process is known as authentication. The custodian need not be the programmer who wrote the logging software; however, he or she must be able to offer testimony on what sort of system is used, where the relevant software came from, and how and when the records are produced.
• A custodian or other qualified witness must also offer testimony as to the reliability and integrity of the hardware and software platform used, including the logging software.
• A record of failures or of security breaches on the machine creating the logs will tend to impeach the evidence.

17. LEGALITY OF USING LOGS
• If an investigator claims that a machine has been penetrated, log entries from after that point are inherently suspect.
• In a civil lawsuit against alleged hackers, anything in an organization’s own records that would tend to exculpate the defendants can be used against the organization.
• An organization’s own logging and monitoring software must be made available to the court so that the defense has an opportunity to examine the credibility of the records. If an organization can show that the relevant programs are trade secrets, the organization may be allowed to keep them secret or to disclose them to the defense only under a confidentiality order.

18. LEGALITY OF USING LOGS
• The original copies of any log files are preferred.
• A printout of a disk or tape record is considered to be an original copy, unless and until judges and jurors are equipped with computers that have USB or SCSI interfaces.
19. EXAMINING INTRUSION AND SECURITY EVENTS
• Examining intrusion and security events includes both passive and active tasks.
• A detection of an intrusion that occurs after an attack has taken place is called a post-attack detection or passive intrusion detection.
  - In these cases, the inspection of log files is the only medium that can be used to evaluate and rebuild the attack techniques.
  - Passive intrusion detection techniques usually involve a manual review of event logs and application logs.
  - An investigator can inspect and analyze event log data to detect attack patterns.

20. EXAMINING INTRUSION AND SECURITY EVENTS
• There are many attack attempts that can be detected as soon as the attack takes place.
• This type of detection is known as active intrusion detection.
  - Using this method, an administrator or investigator follows the footsteps of the attacker, looks for known attack patterns or commands, and blocks the execution of those commands.

21. INTRUSION DETECTION
• Intrusion detection is the process of tracking unauthorized activity using techniques such as inspecting user actions, security logs, or audit data.
• There are various types of intrusions, including unauthorized access to files and systems, worms, Trojans, computer viruses, buffer overflow attacks, application redirection, and identity and data spoofing.
• Intrusion attacks can also appear in the form of denial of service, and DNS, e-mail, content, or data corruption.
• Intrusions can result in a change of user and file security rights, installation of Trojan files, and improper data access.
• Administrators use many different intrusion detection techniques, including evaluation of system logs and settings, and deploying firewalls, antivirus software, and specialized intrusion detection systems.
• Administrators should investigate any unauthorized or malicious entry into a network or host.
22. USING MULTIPLE LOGS AS EVIDENCE
• Recording the same information in two different devices makes the evidence stronger.
• Logs from several devices collectively support each other.
• Firewall logs, IDS logs, and TCPDump output can contain evidence of an Internet user connecting to a specific server at a given time.

23. MAINTAINING CREDIBLE IIS LOG FILES
• Many network administrators have faced serious Web server attacks that have become legal issues.
• Web attacks are generally traced using IIS logs.
• Investigators must ask themselves certain questions before presenting IIS logs in court, including:
  - What would happen if the credibility of the IIS logs was challenged in court?
  - What if the defense claims the logs are not reliable enough to be admissible as evidence?
• An investigator must secure the evidence and ensure that it is accurate, authentic, and accessible.
• To establish the log files as valid evidence, the investigator must show, with convincing arguments, that they are acceptable and dependable.

24. LOG FILE ACCURACY
• The accuracy of IIS log files determines their credibility.
• Accuracy here means that the log files presented before the court of law represent the actual outcome of the activities related to the IIS server being investigated.
• Any modification to the logs causes the validity of the entire log file being presented to be suspect.
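Slide 24 makes any modification fatal to the whole file's credibility, and slide 16 requires a custodian who can testify to its integrity. As an added example that is not part of the slides or of IIS, the script below seals each daily log at rollover by recording its size, SHA-256 digest, time and custodian in a manifest, and later reports which sealed files are intact, modified or missing. The log contents, the custodian name and the temporary directory are constructed; the u_exYYMMDD.log file names follow the IIS daily naming convention.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so a large daily log hashes without being read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_closed_log(path, manifest_path, custodian):
    """Record size, SHA-256, time and custodian for a log IIS has just rolled over.
    Call once per file, right after rollover, before anyone else can touch it."""
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    name = os.path.basename(path)
    if name in manifest:
        raise ValueError(name + " already sealed; refusing to overwrite its record")
    manifest[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path),
                      "sealed_at": datetime.now(timezone.utc).isoformat(),
                      "custodian": custodian}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest[name]


def verify_logs(log_dir, manifest_path):
    """Return {file name: 'ok' | 'modified' | 'missing'} for every sealed log."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    result = {}
    for name, rec in manifest.items():
        path = os.path.join(log_dir, name)
        if not os.path.exists(path):
            result[name] = "missing"
        elif os.path.getsize(path) != rec["size"] or sha256_file(path) != rec["sha256"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo():
    """Constructed scenario: seal three daily logs, then edit one and delete another."""
    logs = {  # u_exYYMMDD.log is the IIS daily log file naming convention
        "u_ex240301.log": "#Fields: date time c-ip\n2024-03-01 13:05:22 203.0.113.17\n",
        "u_ex240302.log": "#Fields: date time c-ip\n2024-03-02 09:00:00 198.51.100.9\n",
        "u_ex240303.log": "#Fields: date time c-ip\n",
    }
    with tempfile.TemporaryDirectory() as d:
        manifest = os.path.join(d, "manifest.json")
        for name, body in logs.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
            seal_closed_log(os.path.join(d, name), manifest, "a.admin")  # constructed name
        before = verify_logs(d, manifest)
        # Tamper: swap one client IP for another of the same length (size unchanged),
        # then remove a whole day's log.
        p = os.path.join(d, "u_ex240301.log")
        with open(p) as f:
            original = f.read()
        with open(p, "w") as f:
            f.write(original.replace("203.0.113.17", "203.0.113.18"))
        os.remove(os.path.join(d, "u_ex240302.log"))
        return before, verify_logs(d, manifest)


if __name__ == "__main__":
    print(demo())
```

The edited file keeps its original byte count, so a size-only check would pass it; only the digest exposes the change.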
25. LOGGING EVERYTHING
• In order to ensure that a log file is accurate, a network administrator must log everything.
• Certain fields in IIS log files might seem to be less significant, but every field can make a major contribution as evidence.
• Therefore, network administrators should configure their IIS server logs to record every field available.
• IIS logs must record information about Web users so that the logs provide clues about whether an attack came from a logged-in user or from another system.
• Consider a defendant who claims a hacker had attacked his system and installed a back-door proxy server on his computer. The attacker then used the back-door proxy to attack other systems.
• In such a case, how does an investigator prove that the traffic came from a specific user’s Web browser or that it was a proxied attack from someone else?

26. EXTENDED LOGGING IN IIS SERVER
• Limited logging is set globally by default, so any new Web sites created have the same limited logging. An administrator can change the configuration of an IIS server to use extended logging.
• The following steps explain how to enable extended logging for an IIS Web/FTP server and change the location of log files:
  - Run the Internet Services Manager.
  - Select the properties on the Web/FTP server.
  - Select the Web site or FTP site tab.
  - Check the Enable Logging check box.
  - Select W3C Extended Log File Format from the drop-down list.
  - Go to Properties.

27. EXTENDED LOGGING IN IIS SERVER
• Click the Extended Properties tab, and set the following properties accordingly:
  - Client IP address
  - User name
  - Method
  - URI stem
  - HTTP status
  - Win32 status
  - User agent
  - Server IP address
  - Server port
• Select Daily for New Log Time Period below the general Properties tab.

28. EXTENDED LOGGING IN IIS SERVER
• Select Use local time for file naming and rollover.
• Change the log file directory to the location of logs.
• Ensure that the NTFS security settings have the following settings:
  - Administrators - Full Control
  - System - Full Control
29. KEEPING TIME
• With the Windows time service, a network administrator can synchronize IIS servers by connecting them to an external time source.
• When the server is a domain member, the time service synchronizes with the domain controller. A network administrator can synchronize a standalone server to an external time source by setting certain registry entries:
  - Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Setting: Type
    Type: REG_SZ
    Value: NTP
  - Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Setting: NtpServer
    Type: REG_SZ
    Value: ntp.xsecurity.com
30. UTC TIME
• IIS records logs using UTC time, which helps in synchronizing servers in multiple zones.
• Windows offsets the value of the system clock with the system time zone to calculate UTC time.
• To check whether the UTC time is correct, a network administrator must ensure that the local time zone setting is accurate.
• The network administrator must verify that during the process IIS is set to roll over logs using local time.
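As an added example that is not part of the slides, the script below parses an IIS W3C extended log carrying the fields slide 27 enables, converts the UTC date/time fields to local time as slide 30 describes, and looks for a corroborating firewall entry for each request, which is the multi-log support slide 22 calls for. The IIS and firewall lines, the firewall line format and the UTC-5 local zone are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample IIS W3C extended log (not from the slides). IIS stamps
# date/time in UTC and writes "+" for spaces and "-" for empty fields.
IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2024-03-01 13:05:22 10.0.0.5 GET /admin/login.aspx 443 - 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0) 401 0
2024-03-01 13:06:02 10.0.0.5 GET /admin/config.aspx 443 jsmith 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0) 200 0
2024-03-01 13:07:15 10.0.0.5 GET /index.html 443 - 198.51.100.9 curl/8.0 200 0
2024-03-01 13:09:00 10.0.0.5 GET /index.html 443 - 192.0.2.44 curl/8.0 200 0
"""

# Constructed sample firewall log, stamped in the administrator's local time.
FIREWALL_LOG = """\
2024-03-01 08:05:21 ALLOW TCP 203.0.113.17:51522 -> 10.0.0.5:443
2024-03-01 08:07:14 ALLOW TCP 198.51.100.9:40011 -> 10.0.0.5:443
"""

LOCAL_TZ = timezone(timedelta(hours=-5))  # assumed local zone (UTC-5) for the example
FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_w3c(text):
    """One dict per data line, keyed by the names in the latest #Fields directive."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):  # IIS rewrites this header at every rollover
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            raise ValueError("malformed data line: " + line)
        records.append({n: "" if v == "-" else v.replace("+", " ")
                        for n, v in zip(fields, values)})
    return records

def w3c_time_utc(rec):
    """The W3C date/time fields are UTC (slide 30), so attach that zone explicitly."""
    naive = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def w3c_time_local(rec, tz=LOCAL_TZ):
    """Local-time rendering, for reading a record next to logs stamped in local time."""
    return w3c_time_utc(rec).astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")

def parse_firewall(text, tz=LOCAL_TZ):
    """Parse the constructed firewall format; its stamps are local, so convert to UTC."""
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            entries.append({"time": when.astimezone(timezone.utc), "action": m.group(2),
                            "src": m.group(4), "dst": m.group(5), "dport": m.group(6)})
    return entries

def corroborate(iis_records, fw_entries, window=timedelta(seconds=60)):
    """Pair each IIS request with whether a firewall ALLOW from the same client to the
    same server:port exists in the `window` before it (keep-alive requests reuse one
    connection, so an exact timestamp match is too strict). An unmatched request is
    a gap in the chain of evidence that must be explained before the logs go to court."""
    out = []
    for rec in iis_records:
        t = w3c_time_utc(rec)
        matched = any(e["action"] == "ALLOW" and e["src"] == rec["c-ip"]
                      and e["dst"] == rec["s-ip"] and e["dport"] == rec["s-port"]
                      and t - window <= e["time"] <= t for e in fw_entries)
        out.append((rec, matched))
    return out

def uncorroborated(iis_text=IIS_LOG, fw_text=FIREWALL_LOG):
    """(local time, client IP, URI) of every request that no firewall entry supports."""
    pairs = corroborate(parse_w3c(iis_text), parse_firewall(fw_text))
    return [(w3c_time_local(r), r["c-ip"], r["cs-uri-stem"]) for r, ok in pairs if not ok]

if __name__ == "__main__":
    for rec, ok in corroborate(parse_w3c(IIS_LOG), parse_firewall(FIREWALL_LOG)):
        print(w3c_time_local(rec), rec["c-ip"], rec["cs-uri-stem"], "corroborated" if ok else "NO FIREWALL ENTRY")
```

Both logs are normalized to UTC before comparison; matching on the raw local and UTC strings would miss every pair, which is the mistake slide 30's time-zone check is meant to prevent.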