Forensic Analysis of Computer Network Systems

Computer Security Logs Forensics

  • Computer security logs contain information about the events occurring within an organization's systems and networks.
Security Log Categories

  • Operating System Logs :- Logs of operating systems, servers, workstations and network devices.
  • Application Logs :- Logs of the applications running on a system.
  • Security Software Logs :- Logs of network-based and host-based security software.

Operating system Logs Forensics

  • Operating system logs are the most useful for identifying or investigating suspicious activity involving a particular host.
  • Event Logs :- Contain information about operational actions performed by OS components.
  • Audit Logs :- Contain security event information such as successful and failed authentication attempts, file accesses, security policy changes and account changes.

Application Logs Forensics

  • Application logs consist of all the events logged by programs.
  • Which events are written to the application logs is determined by the developers of the software.
  • Common Log information
  1. Client request & server response
  2. Account Information
  3. Usage Information
  4. Significant operational actions

Security Software Logs Forensics

  • These logs are very important from an investigation point of view.

  1. Antimalware Software
  2. IDS / IPS logs
  3. Remote access software
  4. web proxies
  5. Vulnerability Management Service / Software
  6. Authentication Server
  7. Router
  8. Firewalls
  9. Network Quarantine Server
  10. Antivirus logs

Router Log Files Forensics

  • Routers store their log files in the router cache.
  • It is recommended to take a bit-stream image of the router cache.
  • It provides detailed information about the network traffic on the Internet.
  • It gives information about attacks to and from the network.

Linux Process Account Forensics

  • Linux process accounting tracks the commands that each user executes.
  • The process tracking logs are kept in /var/adm, /var/log or /usr/adm.
  • The tracking files can be viewed with the lastcomm command.
  • Process tracking is enabled with the accton command or the startup (/usr/lib/acct/startup) command.
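As an added worked example (not from these notes), the following Python parser reads the binary process-accounting (pacct) file that lastcomm displays, using the struct acct_v3 layout from <linux/acct.h>, and flags commands that ran with superuser privileges (the ASU flag). The sample records, the helper names and the field values are constructed for illustration.

```python
"""Parse Linux pacct records (what lastcomm reads) and flag superuser commands."""
import struct

# struct acct_v3 from <linux/acct.h>: 64 bytes, native byte order, no padding.
ACCT_V3 = struct.Struct("=BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10  # ac_flag bits

def decode_comp_t(value):
    """comp_t is a 16-bit float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (value & 0x1FFF) << (3 * (value >> 13))

def encode_comp_t(value):
    """Inverse of decode_comp_t (lossy for values above 8191)."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value

def parse_pacct(data):
    """Return one dict per complete record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        records.append({
            "flags": f[0], "uid": f[4], "pid": f[6], "ppid": f[7], "btime": f[8],
            "utime_ticks": decode_comp_t(f[10]), "stime_ticks": decode_comp_t(f[11]),
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records

def superuser_commands(records):
    """Names of commands that used superuser privileges (ASU), e.g. setuid binaries."""
    return [r["comm"] for r in records if r["flags"] & ASU]

def make_record(flags, uid, pid, ppid, comm, utime=0):
    """Build one constructed acct_v3 record for testing; not real accounting data."""
    return ACCT_V3.pack(flags, ACCT_VERSION, 0, 0, uid, uid, pid, ppid, 1700000000,
                        1.0, encode_comp_t(utime), 0, 0, 0, 0, 0, 0, 0, comm)

# Constructed sample: an interactive shell, a setuid binary, then a plain command.
SAMPLE_PACCT = (make_record(AFORK, 1000, 4001, 4000, b"bash", 5)
                + make_record(ASU, 1000, 4002, 4001, b"passwd", 100000)
                + make_record(0, 1000, 4003, 4001, b"ls"))
```

On a real host, pass the contents of the accounting file (for example /var/log/account/pacct on many distributions) to parse_pacct instead of SAMPLE_PACCT; the comp_t rounding means CPU ticks above 8191 are approximate.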

Windows Log files Forensics

  • Windows log files are stored in %systemroot%\system32\winevt\logs\ (the log events that appear in the Security log).
  1. evtx
  2. etx
  3. evtx