Log Analysis

GIAC Certified Forensic Examiner Objective:

Host and Application Event Log Analysis

  • The candidate will demonstrate an understanding of the purpose of the various types of Windows event, service and application logs, and the forensic value that they can provide.

Overview

This lab is part of a series of lab exercises intended to support courseware for Forensics training. The development of this document is funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48.

Log analysis is a core task in digital forensic investigations: logs can show an investigator how a data breach happened and which accounts, hosts and applications were involved. Operating systems and applications record key events in logs, including failed login attempts, significant operating system events, user administration events (such as account and group creation), web server requests, and other information relevant to the security of a device. Application vendors also rely on the same logs to troubleshoot problems with their software, so records written for support purposes frequently have forensic value as well.

OUTCOMES:

In this lab, you will learn to:

  1. Examine Windows Event Logs
  2. Examine Windows IIS Logs
  3. Examine Linux Log Files

Key terms and descriptions

Event Viewer
The Event Viewer is the built-in Windows console for viewing and filtering the Windows event logs. The three main logs are the Application, Security, and System logs; on Windows Vista and later they are stored as .evtx files under %SystemRoot%\System32\winevt\Logs, which is where an examiner collects them from a disk image.
auth.log
This Linux log file (/var/log/auth.log on Debian-based systems; the equivalent is /var/log/secure on Red Hat-based systems) records authentication and authorization events, including SSH, or Secure Shell, connections. Each sshd entry shows whether the login attempt succeeded or failed, the user name, the source IP address and a date and time stamp. It also records other security-relevant events such as sudo use and the creation of new user and group accounts by useradd and groupadd.
access_log
This Apache web server log file (/var/log/apache2/access.log on Debian-based systems, /var/log/httpd/access_log on Red Hat-based systems) records each HTTP, or Hypertext Transfer Protocol, request the server handled. Every entry provides the client IP address, a date and time stamp, the request line (method and URL), the response status code and the number of bytes sent; the common "combined" format adds the referer and the user agent.
Internet Information Services Logs
Internet Information Services, or IIS, is Microsoft's web server for Windows. Its logs record the IP addresses, user agents, requests and status codes of systems connecting to the Internet services it hosts, such as World Wide Web (HTTP) and File Transfer Protocol (FTP) sites. By default the logs are written in W3C extended format under %SystemDrive%\inetpub\logs\LogFiles, one folder per site, and each file begins with a #Fields header line naming the columns that follow.
psloglist
Part of the Sysinternals PsTools suite, this command-line tool dumps records from the Windows event logs (on the local or a remote system) as text, one record per entry, so they can be searched and filtered outside Event Viewer. The tool can be downloaded here: http://download.sysinternals.com/files/PSTools.zip
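The following Python script is an added worked example for the three text-based log formats described above (auth.log, the Apache access_log and the IIS W3C extended log); it is not part of the original lab materials. All sample log lines are constructed for the exercise, the IP addresses are from documentation ranges, and the script assumes the default formats: the syslog-style prefix used by auth.log, the Apache "combined" format, and an IIS log with its #Fields directive present. It extracts failed SSH logins per source address, new-account events, and the clients that received 401/403 responses from either web server.

```python
import re
from collections import Counter

# Constructed sample log lines for this exercise (not captured from a real system).
AUTH_LOG = """\
Mar 10 08:02:11 srv01 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 08:02:14 srv01 sshd[2141]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 10 08:02:19 srv01 sshd[2147]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 10 08:05:40 srv01 sshd[2160]: Accepted publickey for alice from 198.51.100.23 port 41002 ssh2: RSA SHA256:EXAMPLE
Mar 10 08:07:02 srv01 groupadd[2174]: new group: name=backup2, GID=1004
Mar 10 08:07:02 srv01 useradd[2175]: new user: name=backup2, UID=1004, GID=1004, home=/home/backup2, shell=/bin/bash
"""

ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:10:31 +0000] "GET /wp-login.php HTTP/1.1" 200 2137 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:08:10:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:08:10:40 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Mar/2024:08:12:02 +0000] "GET /index.html HTTP/1.1" 200 10469 "-" "curl/7.68.0"
"""

IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-10 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-10 08:15:01 10.0.0.5 GET /default.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 112
2024-03-10 08:15:09 10.0.0.5 GET /admin/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 401 2 5 31
2024-03-10 08:15:13 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 401 1 0 40
"""

# auth.log uses the syslog prefix "Mon DD HH:MM:SS host program[pid]: message".
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# sshd result line; "invalid user" appears only when the account does not exist.
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "agent".
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_auth_log(text):
    """Return one dict per auth.log line; sshd lines additionally get result/method/user/ip."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # skip wrapped or truncated lines rather than abort the whole file
        ev = m.groupdict()
        if ev["proc"] == "sshd":
            s = SSHD_RE.match(ev["msg"])
            if s:
                ev.update(s.groupdict())
        events.append(ev)
    return events


def failed_ssh_logins_by_ip(text):
    """Count failed SSH logins per source IP, the first check for password guessing."""
    return Counter(ev["ip"] for ev in parse_auth_log(text) if ev.get("result") == "Failed")


def account_changes(text):
    """Entries written by the account-management tools, i.e. accounts created or changed on the host."""
    tools = ("useradd", "usermod", "userdel", "groupadd", "groupmod", "groupdel")
    return [ev for ev in parse_auth_log(text) if ev["proc"] in tools]


def parse_apache(text):
    """Parse combined-format access_log lines into dicts with an integer status code."""
    recs = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            r = m.groupdict()
            r["status"] = int(r["status"])
            recs.append(r)
    return recs


def parse_iis(text):
    """Parse W3C extended format using the #Fields directive rather than fixed column positions."""
    fields, recs = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names in the order IIS was configured to log
        elif line.startswith("#") or not line.strip():
            continue                           # other directives (#Software, #Date) and blank lines
        elif fields:
            values = line.split()
            if len(values) != len(fields):
                continue                       # malformed or truncated record
            r = dict(zip(fields, values))
            r["cs(User-Agent)"] = r["cs(User-Agent)"].replace("+", " ")  # IIS writes spaces as '+'
            r["sc-status"] = int(r["sc-status"])
            recs.append(r)
    return recs


def clients_with_auth_failures(apache_text, iis_text):
    """Client IPs that received 401/403 responses from either web server, with counts."""
    hits = Counter()
    hits.update(r["ip"] for r in parse_apache(apache_text) if r["status"] in (401, 403))
    hits.update(r["c-ip"] for r in parse_iis(iis_text) if r["sc-status"] in (401, 403))
    return hits


if __name__ == "__main__":
    print("Failed SSH logins by IP:", dict(failed_ssh_logins_by_ip(AUTH_LOG)))
    print("Account changes:", [e["msg"] for e in account_changes(AUTH_LOG)])
    print("Web clients with 401/403:", dict(clients_with_auth_failures(ACCESS_LOG, IIS_LOG)))
```

Reading the IIS column names from the #Fields line matters in practice: administrators can add or remove logged fields per site, so a parser that assumes fixed positions silently misattributes columns when the configuration differs from the default.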