Log Analysis for Digital Forensic Investigation

Digit Oktavianto
MII Cyber Security Consulting Services
5 min read · Feb 26, 2020

a. Introduction to Log Analysis

In this article I will focus on how log analysis can be used for investigative purposes in digital forensic cases. I group the logs a forensic investigator can explore into two main categories:

  • Logs from Network Devices and Security Devices (Routers, Switches, IDS, Firewalls, Proxies, NGFW, WAF, etc)
  • Logs from the Endpoint side (Server, Desktop, etc)

For this article, I will focus on logs from the endpoint perspective.

Log analysis on the endpoint side can cover event logs from the operating system, application logs, database logs, and others. When an investigator works a security incident, the most frequently asked question is whether the logs are still available and, if so, which logs can be obtained from the system.

From the log files, an investigator builds an overview of the timeline of activities and events that occurred on the endpoint during the incident. The method a digital forensic investigator uses is similar to what a detective does at a crime scene: the investigator looks at the activities before the security incident happened, identifies which of them involve the threat actor, and then collects the evidence.

There is, however, a common situation during analysis: the threat actor has deleted or wiped the logs to eliminate their tracks (covering tracks). This is why log management matters. Logs from endpoints (and other devices) should be aggregated and forwarded to a log management or SIEM platform, so that when a threat actor wipes the local logs, investigators can still analyze the copies that were already aggregated in the SIEM / log management system.

b. Critical Log Review in DFIR Process

Several log elements are critical and usually become the focus of a DFIR team analyzing the logs of a security incident. A critical log review highlights the important logs that serve as sources of information about the incident that occurred.

Windows Operating System

  • Application logs from event viewer.
  • Security logs from event viewer.
  • System logs from event viewer.

You can obtain the .evtx files from the folder \Windows\System32\winevt\Logs\

Linux Operating System

  • /var/log/messages: General messages and everything related to the system
  • /var/log/auth.log: Authentication logs
  • /var/log/kern.log: Kernel logs
  • /var/log/boot.log: System boot log
  • /var/log/utmp or /var/log/wtmp: Login records files

SANS has created a cheat sheet for Critical Security Log Review:

(Image: Critical Security Log Review cheat sheet)

Log analysis for security incident investigation is not as simple as looking at logs from endpoints such as event logs or syslog; it is also an art that must be practiced repeatedly to understand the patterns of threat actors. The author intends to write more about attack analysis and security incident investigation that use logs as the material for analysis.

At MII Cyber Security Consulting Services, we compiled a list of Critical Security Logs for Review in DFIR:

(Image: List of Critical Security Logs for Review during an Incident)

Quick summary of items to highlight:

  • Service Created, New Service Installed, Service Start, Service Stop: usually related to a persistence mechanism
  • User Account Added, User Account Modified, Add User to Group: also related to a persistence mechanism used by the attacker
  • Clear Event Log: usually related to covering tracks
  • Disable Firewall, Stop Security Services (such as AV, HIPS, other endpoint protection): related to attacker activity in preparation for further movement
  • Terminal Service Session: related to remote access activity by a user
  • USB Log: incident cases such as data theft or fraud may need this kind of USB log to identify USB storage access on the system
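As an added example (not code from the original article), the following Python triage maps exported Windows event records to the categories in the list above and builds a time-ordered timeline. The Event ID mapping and the sample records are my own assumptions drawn from standard Windows auditing, not the author's.

```python
from collections import defaultdict

# (channel, Event ID) -> (label from the list above, attacker phase). The IDs are an
# assumption drawn from standard Windows auditing knowledge, not from the article.
CRITICAL_EVENTS = {
    ("System", 7045):   ("New Service Installed", "Persistence"),
    ("Security", 4720): ("User Account Added", "Persistence"),
    ("Security", 4728): ("Add User to Group", "Persistence"),
    ("Security", 4732): ("Add User to Group", "Persistence"),
    ("Security", 1102): ("Clear Event Log", "Covering Tracks"),
    ("System", 104):    ("Clear Event Log", "Covering Tracks"),
    ("Security", 4950): ("Firewall Setting Changed", "Further Movement"),
    ("Security", 4624): ("Terminal Service Session", "Remote Access"),  # LogonType 10 only
}

def classify(event):
    """Return (label, phase) for a critical event, or None if it is not of interest."""
    hit = CRITICAL_EVENTS.get((event["channel"], event["id"]))
    if hit is None:
        return None
    # 4624 fires for every successful logon; only RemoteInteractive (type 10) is an RDP session.
    if event["id"] == 4624 and event["data"].get("LogonType") != "10":
        return None
    return hit

def triage(events):
    """Build a time-ordered timeline of critical events and count hits per phase."""
    timeline, counts = [], defaultdict(int)
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit is None:
            continue
        label, phase = hit
        timeline.append((ev["time"], ev["channel"], ev["id"], label, ev["data"]))
        counts[phase] += 1
    return timeline, dict(counts)

# Constructed sample records, shaped like a flattened Get-WinEvent export (not real data).
SAMPLE_EVENTS = [
    {"time": "2020-02-20T09:00:00", "channel": "Security", "id": 4624, "data": {"LogonType": "3", "TargetUserName": "bob"}},
    {"time": "2020-02-20T09:05:00", "channel": "Security", "id": 4624, "data": {"LogonType": "10", "TargetUserName": "bob"}},
    {"time": "2020-02-20T09:07:00", "channel": "Security", "id": 4720, "data": {"TargetUserName": "svc_backup"}},
    {"time": "2020-02-20T09:08:00", "channel": "Security", "id": 4732, "data": {"TargetUserName": "Administrators", "MemberName": "svc_backup"}},
    {"time": "2020-02-20T09:10:00", "channel": "System", "id": 7045, "data": {"ServiceName": "UpdaterSvc"}},
    {"time": "2020-02-20T09:30:00", "channel": "Security", "id": 1102, "data": {"SubjectUserName": "bob"}},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

The sample shows the sequence a DFIR analyst would look for: an RDP session, a new account added to Administrators, a new service, and finally the Security log being cleared, which is the point where only SIEM-forwarded copies remain.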

For readers interested in learning about log analysis in more detail, the author includes the following references and sources that can be very useful, especially when investigating security incidents:

  1. https://www.malwarearchaeology.com/cheat-sheets/
    The URL above provides detailed information about the intricacies of logs on the Windows platform; you can get very valuable information there. The website author also includes a mapping between Windows logs and the MITRE ATT&CK framework. ATT&CK is a framework that studies the TTPs (Tactics, Techniques, and Procedures) of threat actors, so this mapping makes it easier for investigators to understand the patterns commonly used by threat actors and which log source / log location can be used as a reference for analyzing the TTPs they used.
  2. https://www.ultimatewindowssecurity.com/
    The website above is one of the author's reference sources for Windows Event IDs. As we all know, there are many Windows Event IDs and types for each of them, so if you have difficulty memorizing, or often forget, some Windows Event IDs that may not appear in the common logs in Windows Event Viewer, you can use that website as a reference. It can be used to learn about Windows Event IDs in more detail, and it also provides a cheat sheet of the Windows Event IDs that often correlate with threat actor activity / security incidents.
  3. https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    The URL above is research from the JPCERT team (Japan Computer Emergency Response Team) on detecting lateral movement by threat actors using event logs. The research published by JPCERT is very interesting, especially its focus on the tools and TTPs used by threat actors when conducting lateral movement.
  4. https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/
    The website above provides a reference on the Linux logs that are noteworthy, especially for system administrators or infosec officers. It is enough to help you learn in more detail about the logs mentioned above and the activities that occur during a security incident.

That’s all for my post about Log Analysis for Digital Forensic Investigation. Hopefully it will help you!

Happy Hacking!
