Showing posts with label forensics. Show all posts

Tuesday, March 22, 2011

Log Forensics and “Original” Events

I did this fun presentation on log forensics (here) and the question of “original” (aka “native”, “raw”, “unmodified”) log events came up again. Since the early days of my involvement in SIEM and log management, this question has generated a lot of confusion and, frankly, some sheer idiocy. A lot of people spout things like “you need original logs in court” without any knowledge of logs, of courts, or of forensics in general. Or, as I sometimes feel, of computers in general.

So, WTH is an “original” event? Let’s explore this a bit. 

For example, let’s take Windows 7 Event Logs. Before you read further, without focusing too much on the real meaning of “original”, think what you’d consider an original event log record …

Is this original – the EVTX file itself:

[screenshot: the EVTX file]

Is this – an XML view via Event Viewer on the computer where the log is produced:

[screenshot: XML view in Event Viewer]

Is this – a “friendly” view in the same Event Viewer on the same “original” computer:

[screenshot: “friendly” view in Event Viewer]

As you might know, the above view is actually enriched, i.e., it has information added that is not in the EVTX file (message text and names rendered from the provider’s message resources). Does that break “originality”?
What if the EVTX file is copied to another computer and then opened in Event Viewer there? It may look a bit different because of the various ID dereference operations, and the contents may be enriched with slightly different information.

How about this – exported to CSV at another computer. Is this still original?

[screenshot: CSV export]

And what about the one converted to syslog in a similar fashion? What if, oh horror, TABs are replaced with spaces?

So, what’s the lesson here? Obsessing over “original”, “native”, “raw” logs is just not a useful pursuit, and it dead-ends pretty quickly.

Instead, you need a clearly understood and documented path for every event record that unambiguously tracks all changes made to it (removals, added details, modified contents, new headers, etc.), not a fake and impossible quest for “originality.” For additional reference on trusting logs, check out what Eric Fitzgerald wrote about log trust back in the days of his ownership of the Event Log.
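To make the “documented path” concrete, here is an added example (my illustration, not code from the post or from any product). It models the path walked through above, an XML rendering of an EVTX record turned into CSV, then into a syslog-style line, then with tabs replaced by spaces, as named, deterministic transforms. Each step is recorded with the tool, the host, and the SHA-256 of its input and output, so a reviewer can replay the whole chain from the retained source bytes instead of arguing about which form is the “original”. The sample event, the tool name and the host name are constructed placeholders.

```python
"""Documented transformation path for one event record (added example)."""
import csv
import hashlib
import io
import json
import xml.etree.ElementTree as ET

# Constructed sample: minimal Event XML for a logon event (field names follow
# the Windows Event XML schema; the values are made up).
SAMPLE_XML = (
    '<Event><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>4624</EventID><TimeCreated SystemTime="2011-03-22T10:15:01Z"/>'
    '<Computer>WS01</Computer></System><EventData>'
    '<Data Name="TargetUserName">alice</Data>'
    '<Data Name="IpAddress">10.1.2.3</Data></EventData></Event>'
).encode()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xml_to_csv(data: bytes) -> bytes:
    """Flatten the System and EventData fields into a two-line CSV."""
    root = ET.fromstring(data)
    system = root.find("System")
    fields = {
        "EventID": system.findtext("EventID"),
        "TimeCreated": system.find("TimeCreated").get("SystemTime"),
        "Computer": system.findtext("Computer"),
    }
    for item in root.find("EventData").findall("Data"):
        fields[item.get("Name")] = item.text or ""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields.keys())
    writer.writerow(fields.values())
    return buf.getvalue().encode()


def csv_to_syslog(data: bytes) -> bytes:
    """Render the CSV row as a syslog-style line: timestamp and host go into
    the header, the remaining fields become tab-separated key=value pairs."""
    header, row = list(csv.reader(io.StringIO(data.decode())))[:2]
    fields = dict(zip(header, row))
    body = "\t".join(f"{k}={v}" for k, v in fields.items()
                     if k not in ("TimeCreated", "Computer"))
    return f"{fields['TimeCreated']} {fields['Computer']} EventLog: {body}\n".encode()


def tabs_to_spaces(data: bytes) -> bytes:
    """The 'horror' step: a lossy whitespace change, but a documented one."""
    return data.replace(b"\t", b" ")


# Only registered operations may appear in a chain, so every recorded step
# is replayable by name.
TRANSFORMS = {
    "xml_to_csv": xml_to_csv,
    "csv_to_syslog": csv_to_syslog,
    "tabs_to_spaces": tabs_to_spaces,
}


def build_chain(source: bytes, operations, tool="example-collector/1.0",
                host="forensics-ws"):
    """Apply the operations in order; return (chain, final_bytes)."""
    chain = [{"step": 0, "operation": "acquire", "tool": tool, "host": host,
              "input_sha256": None, "output_sha256": sha256(source)}]
    data = source
    for name in operations:
        out = TRANSFORMS[name](data)
        chain.append({"step": len(chain), "operation": name, "tool": tool,
                      "host": host, "input_sha256": sha256(data),
                      "output_sha256": sha256(out)})
        data = out
    return chain, data


def verify_chain(source: bytes, chain, final: bytes) -> bool:
    """Replay every documented step on the retained source bytes. Any
    undocumented change to the data, or an edited chain entry, fails."""
    if sha256(source) != chain[0]["output_sha256"]:
        return False
    data = source
    for entry in chain[1:]:
        if sha256(data) != entry["input_sha256"]:
            return False
        data = TRANSFORMS[entry["operation"]](data)
        if sha256(data) != entry["output_sha256"]:
            return False
    return data == final


if __name__ == "__main__":
    chain, final = build_chain(
        SAMPLE_XML, ["xml_to_csv", "csv_to_syslog", "tabs_to_spaces"])
    print(json.dumps(chain, indent=2))
    print(final.decode(), end="")
    print("chain verifies:", verify_chain(SAMPLE_XML, chain, final))
```

The point is not the hashing itself but that the chain names the operation at each step: a syslog line with spaces is as defensible as the EVTX file as long as the bytes you retained, the transforms you declared and the hashes you recorded agree. Drop a step from the chain, or edit the final record, and replay no longer matches.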


Friday, March 04, 2011

New Honeynet Project Challenge (#7): Forensic Analysis of a Compromised Server

The plot? As usual:

A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

Are you up to the challenge? Here are the questions that need your answers:

  • What service and what account triggered the alert? (1pt)
  • What kind of system runs on the targeted server? (OS, CPU, etc.) (1pt)
  • What processes were running on the targeted server? (2pts)
  • What are the attacker's IP and target IP addresses? (2pts)
  • What service was attacked? (1pt)
  • What attacks were launched against the targeted server? (2pts)
  • What flaws or vulnerabilities did he exploit? (2pts)
  • Were the attacks successful? Did some fail? (2pts)
  • What did the attacker obtain with attacks? (2pts)
  • Did the attacker download files? Which ones? Give a quick analysis of those files. (3pts)
  • What can you say about the attacker? (Motivation, skills, etc) (2pts)
  • Do you think these attacks were automated? Why? (1pt)
  • What could have prevented the attacks? (2pts)

    Bonus question: From the memory image, can you say what network connections were opened and in which state?

Get the information here (warning: even compressed, disk images are large) and start your investigation. As a reminder to beginners, be careful when handling untrusted files!


Friday, October 02, 2009

Attending The Computer Forensics Show Oct 5-6 in Santa Clara, CA

So, next week I will be at The Computer Forensics Show in Santa Clara, CA and I got some discount codes to share, courtesy of the organizers. 50% off attendance code is: VIP50

Here is the info about the event:

WHEN: October 5-6, 2009

WHERE: Santa Clara Convention Center, Santa Clara, CA

PRESO HIGHLIGHTS:

"When No One Else Can": Data Recovery from a completely overwritten hard drive. Sample forensic recovery from an overwritten drive from a Turkish assassination case, 2007, by Alfred Demirjian

eDiscovery in the Cloud: Policy, Technology and Security Requirements for SaaS Email Archiving  by Rick Dales, Proofpoint.

"Forensic" vs. "Forensically Sound" Electronic Data Collections?  by Jake Frazier, Esq., EMC Corp.

Challenges to Digital Forensic Evidence by Fred Cohen [A.C. - awesomeness alert! this will probably be awesome!]

E-Discovery: Why Most Enterprise Implementations Fail To Make The Grade by Kon Leong, ZL Technologies, Inc.

Computer Forensics Solutions in Trade Secret Matters by Don Vilfer, JD, CFE, Califorensics

10 Biggest Mistakes of a Data Breach (panel) by Christopher Hague, VeriSign, Inc; M. Peter Adler, Esq, Pepper Hamilton, LLP; Anne Buchanan, APR, Buchanan Public Relations, LLP

Forensic Accounting – How to Uncover Fraud by Richard C. Hermerding, MBA, MA, MSIS, CMA, CFM, CFE, CFS, OLIVO-CPA

Understanding Credit Card Theft – A Practical Approach by Harshul Joshi, CBIZ MHM, LLC

The Security Data Dilemma: A Data Warehouse Approach to Improve Security by Bruno Kurtic, SenSage

E-banking Fraud Schemes: Attack Trends and Defenses by Kevin Donovan, VASCO Data Security

Detecting Zero-day and Polymorphic Malware in the Enterprise by Greg Hoglund, HBGary, Inc.

Network Forensic Investigations: Establishing Probable Cause by Eric Knight, LogRhythm, Inc.

… and many, many others.

See you there!

Friday, September 26, 2008

Presentation from GOVCERT.NL 2008: Log Forensics

While I am too busy to blog [I will explain why soon!], I wanted to give my readers some fun logging and security stuff to read.

So, I am releasing one of my favorite presentations, the one on log forensics, in its newest expanded form: "Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008"




Enjoy!


Tuesday, January 15, 2008

Watch This Trend!

Fun - well, sort of! :-) - read: "Corporate Compliance: A Convergence With Electronic Discovery" (full version here - even though it devolves into an ad closer to the end)

Keep in mind that some surveys by ESG say that logs are requested in 74% of e-discovery cases. It might well be that e-discovery will power the next (or the one after next!) compliance wave.

Wednesday, November 21, 2007

New Paper: "Computer forensics in the age of compliance"

Another one of my "... in the age of compliance" papers published here. A quote: "In previous articles, I've discussed log management and incident response in the age of compliance. It's time to cover a separate topic that has connections to both log analysis and incident management, but is different enough to justify its own article: digital forensics."


Monday, October 15, 2007

Log Forensics in the News

This fun piece from "Network Computing" reminds everybody that forensics is not only about "surfing for porn" on somebody else's hard disk. It is also about logs! In fact, looking at logs before looking at disk images is so darn sensible that few people actually do it :-)

UPDATE: also featured here with this fun quote: "Log analysis in particular has long been a thorn in IT's side. Either you tried hard to forget that terabyte or so of raw log data just sitting there, or you paid through the nose for a security information manager. Now, affordable log analyzers are available from companies like LogLogic"

Monday, September 03, 2007

On Assurance vs Indication

Yes, this will tell the whole world how far behind I am in my blogging, but so be it :-) So, I wanted to respond to Rob's comments on e-discovery here. Rob says: "In a nutshell, it [A.C. - e-discovery] is the process of collecting, searching, preserving and analysing digital information. [...] And there are some real security issues here: 1) If I have collected information from a system, how do I know that information hasn't already changed en route to collection? " [2-5 skipped, see the original post]

He then concludes with "So who's interested in this? Well, apparently not the real security guys" which is obviously absurd.

In reality, e-discovery is moderately hot, and doing it better and more securely is of interest to vendors (more) and customers (less). However, there are perfectly good solutions to the "issues" Rob brings up, which kinda makes them not issues, really :-) Specifically:

  1. "If I have collected information from a system, how do I know that information hasn't already changed en route to collection?" Anton: encrypt it in transit; SSL, SSH work.
  2. "How do I know it hasn't been seen and manipulated, or copied?" Anton: encrypt it and hash it in storage; a keyed hash or signature over the stored data, with the key held away from the storage, detects modification.
  3. "Between collection and searching, how do I know the index hasn't changed, and therefore the information I am now looking at is redundant?" Anton: log all access to the system and check the access logs before searching. If you have doubts, reindex. The index is dynamic, so you cannot checksum it.
  4. "How can I preserve information without it becoming prohibitively expensive?" Anton: burn a DVD! Or use one of those funky EMC or NetApp WORM storage boxes.
  5. "When I want to analyse this information, how do I know I'm analysing the right things?" Anton: this one is up to you :-)
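As an added illustration of point 2 (my example, not code from this post or from any e-discovery product): a manifest of SHA-256 digests over a collected evidence set, keyed with HMAC-SHA256 so that someone who can edit the stored files, and the manifest next to them, but does not hold the key cannot make the change pass verification. The evidence lines, the collector name and the key are constructed placeholders; in practice the key stays with the custodian (or in an HSM), not on the storage box.

```python
"""Keyed integrity manifest for a collected evidence set (added example)."""
import hashlib
import hmac
import json

# Constructed sample evidence (not real logs) and a constructed key.
EVIDENCE = {
    "auth.log": b"Mar 22 10:15:01 ws01 sshd[2231]: Accepted password for alice from 10.1.2.3\n",
    "messages": b"Mar 22 10:15:07 ws01 kernel: usb 1-1: new high-speed USB device\n",
}
CUSTODIAN_KEY = b"example-key-keep-offline"


def build_manifest(files, key: bytes, collector: str) -> bytes:
    """Hash every file, then HMAC the canonical (sorted, compact) body."""
    entries = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps({"collector": collector, "files": entries},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "hmac": tag}).encode()


def verify_manifest(manifest: bytes, files, key: bytes):
    """Return a list of problems; an empty list means the set is intact.
    The HMAC is checked first, so an edited manifest cannot hide changes."""
    doc = json.loads(manifest)
    expected_tag = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, doc["hmac"]):
        return ["manifest: HMAC mismatch (edited manifest or wrong key)"]
    listed = json.loads(doc["body"])["files"]
    problems = []
    for name, digest in listed.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unlisted: {name}" for name in sorted(files)
                    if name not in listed)
    return problems


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, CUSTODIAN_KEY, "collector-01")
    print(manifest.decode())
    print("intact:", verify_manifest(manifest, EVIDENCE, CUSTODIAN_KEY) == [])
```

Unkeyed digests alone would let an attacker who reaches the storage rewrite both the file and its listed hash; the HMAC binds the list to a key they do not have. The manifest should itself be kept with the WORM copy (point 4), and every verification should be logged (point 3).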

At the same time, e-discovery is a little like forensics: you absolutely don't need it until the moment you can't live without it. Maybe this pushes the interest in dedicated e-discovery technologies down a bit?

Thursday, August 30, 2007

Interesting Forensics and Logging Presentations from DFRWS

Some fun reading material here: DFRWS 2007 presentations and papers. A few fun pieces on logs too, specifically:
  • "Introducing the Microsoft Vista Log File Format" by Andreas Schuster (paper)
  • "Automated Windows Event Log Forensics" by Rich Murphey (paper)
  • "Analyzing Multiple Logs for Forensic Evidence" by Ali Reza Arasteh, Mourad Debbabi, Assaad Sakha, and Mohamed Saleh (paper)
Read on!

Wednesday, July 11, 2007

Windows Log Analysis for Incident Response

A few tips on Windows event log analysis for forensics, including looking at AV logs, timing events, etc.

I especially liked this bit, which I didn't know before: "Event ID 35 (Source: W32Time) is an Information event that tells you that your system is sync'ing with a time server, and provides the IP address of your system. This can be very useful in a DHCP environment, as it tells you the IP address assigned to the system (actually, the interface) at a particular date and time."
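Turning that tip into a small tool, as an added example (mine, not from the linked post): pull the local address out of each W32Time Event ID 35 record and collapse consecutive syncs into “host X held IP Y from A to B” intervals, which is what you need when the rest of the evidence only names an IP. The records are constructed, and the "(ntp.d|local:port->server:port)" tail in the message text is an assumption about the message format for illustration, so match the regex against the actual wording in your own event logs before relying on it.

```python
"""Host-to-IP timeline from W32Time Event ID 35 records (added example)."""
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed records: (timestamp, computer, event_id, source, message).
SAMPLE_EVENTS = [
    ("2011-03-21T08:02:11Z", "LAPTOP7", 35, "W32Time",
     "The time service is now synchronizing the system time with the time "
     "source dc01.corp.example (ntp.d|10.10.5.23:123->10.10.1.5:123)."),
    ("2011-03-21T12:40:03Z", "LAPTOP7", 35, "W32Time",
     "The time service is now synchronizing the system time with the time "
     "source dc01.corp.example (ntp.d|10.10.5.23:123->10.10.1.5:123)."),
    ("2011-03-22T09:15:47Z", "LAPTOP7", 35, "W32Time",   # new DHCP lease
     "The time service is now synchronizing the system time with the time "
     "source dc01.corp.example (ntp.d|10.20.7.81:123->10.10.1.5:123)."),
    ("2011-03-22T09:16:00Z", "LAPTOP7", 36, "W32Time",   # other ID, ignored
     "The time service has not synchronized the system time for 86400 seconds."),
]

# Assumed message tail: "(ntp.d|<local ip>:<port>-><server ip>:<port>)".
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"\(ntp\.d\|(?P<local>{IPV4}):\d+->(?P<server>{IPV4}):\d+\)")


def extract_sync(event):
    """Return (time, computer, local_ip, server_ip), or None if the record
    is not a W32Time event 35 with a parseable peer string."""
    ts, computer, event_id, source, message = event
    if source != "W32Time" or event_id != 35:
        return None
    m = PEER_RE.search(message)
    if not m:
        return None
    return (datetime.strptime(ts, TS_FORMAT), computer, m["local"], m["server"])


def ip_timeline(events):
    """Collapse syncs into (computer, ip, first_seen, last_seen) intervals."""
    syncs = sorted(filter(None, map(extract_sync, events)), key=lambda r: r[0])
    intervals, current = [], {}
    for ts, computer, ip, _server in syncs:
        cur = current.get(computer)
        if cur and cur[0] == ip:
            cur[2] = ts                       # same address, extend interval
        else:
            if cur:
                intervals.append((computer, cur[0], cur[1], cur[2]))
            current[computer] = [ip, ts, ts]  # address changed or first seen
    for computer, cur in current.items():
        intervals.append((computer, cur[0], cur[1], cur[2]))
    return intervals


def ip_at(events, computer, when_iso):
    """IP the host most recently reported at or before 'when_iso', or None."""
    when = datetime.strptime(when_iso, TS_FORMAT)
    best = None
    for ts, comp, ip, _server in filter(None, map(extract_sync, events)):
        if comp == computer and ts <= when and (best is None or ts > best[0]):
            best = (ts, ip)
    return best[1] if best else None


if __name__ == "__main__":
    for computer, ip, first, last in ip_timeline(SAMPLE_EVENTS):
        print(f"{computer} had {ip} from {first} to {last}")
```

Caveat a practitioner will want: sync events are point samples, so the address could have changed between two syncs without leaving a trace here; treat the intervals as corroboration and pull the DHCP server's lease log for the authoritative answer.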

Thursday, May 17, 2007

My Presentation from CONFidence 2007 /Teaser/ Posted

Here is a teaser version of my CONFidence 2007 presentation "Log Forensics". Enjoy! It did get some rave reviews (in Polish :-)). I will certainly be speaking more about log forensics, as it seems to be of great interest to many people and there is some confusion about what it is.

Dr Anton Chuvakin