Nowadays, almost any kind of device generates some type of log. Whenever a scheduled or user-triggered action occurs, a log entry is usually written.
Although the main purpose of logs is debugging and troubleshooting, analyzing logs can also be important for digital forensic experts as they attempt to untangle what’s behind an incident or a digital crime.
There are many types of logs:
Analyzing them reveals what action has occurred, at what time, and who was using the device at the time of the incident.
As a digital forensics investigator, knowing the theoretical aspects of the subject matter is a good starting point.
However, awareness alone is not enough; this knowledge also has to be put into practice, which is why we’ve devised a practical guide to aid you during the investigation.
When focusing on the log forensics investigation, it’s really easy to fall into the trap of “going down the rabbit hole” without a structured methodology.
To avoid this, focus on collecting only the essential information so that you stay on track with your goals.
Conserving your time and resources
In other words, collect the kind of logs that are in some way connected to the incident, which also ensures that you will be working with the most relevant information when it’s time to move to the analysis stages of digital forensic investigation, thus conserving your time and resources.
Of course, making the right judgment call can be a challenging task, especially if you lack the necessary experience in this field. However, you should adopt the mentality of laser-focusing on the objective at hand.
It’s all about maximizing your efficiency.
Maximizing time efficiency is an important factor in every investigation.
Avoid general logs and focus on the ones that have to do with a user’s actions
In general, it’s a good idea to focus on collecting any kind of logs that have to do with a user’s actions, but don’t forget about checking various errors, warnings, security alerts, and so forth (in essence, anything that has to do with security or system errors).
The tools of the trade will make your job faster and easier
DRS by SalvationDATA was designed to help you extract data from any computer with just a single click. Then, you can utilize its investigative capacity to quickly search for the exact type of data you’re looking for.
It even works if the hard drive has been damaged.
Have you downloaded your free trial yet?
2. Store the data collected in a manner that is secure and compliant with the regulatory body
Therefore, it’s of vital importance to the log forensics investigation that you store the collected logs in a high-security environment, protected by passwords and kept under lock and key, so that no one can tamper with them.
In case you’ve decided to go wide and collect a wide batch of logs to analyze at a later point, do keep in mind that big data can occupy loads of HDD space, so make sure you have enough space to store them.
Otherwise, you might find yourself in a situation that calls for deleting some of the logs you’ve collected.
Log archiving – every country has a different regulatory body
Furthermore, you should also bear in mind that there might be a regulatory body that dictates how to go about archiving the logs.
To do so, always check for the presence of a relevant regulatory body in your country and make sure to stay compliant with its guidelines and policies.
It’s crucial to check whether the policy specifies any specific retention period and make your decision based on that.
Only choose the longer retention period if you have the resources to back up your decision. This is also a good option if you’re unsure how long the digital investigation process is going to take.
Another reason to pay close attention to how you store the logs you’ve extracted is to be able to prove that they are genuine, which makes a great deal of difference in maintaining the chain of custody.
Measures that help here include encryption, time stamping, and so on.
During the investigation, you must ensure full regulatory compliance.
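As an added illustration of the integrity measures just mentioned (this is not code from the original article or from SalvationDATA’s products), the snippet below records a SHA-256 hash, the size and a UTC collection timestamp for a collected log file in a chain-of-custody manifest and later re-verifies the file against it; the log content, file name and collector name are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the content of one collected log file (not taken from the article).
SAMPLE_LOG = b"2024-03-01T10:15:02Z host1 sshd[412]: Accepted password for alice\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the collected evidence as a hex string."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(name: str, data: bytes, collector: str,
                  when: Optional[datetime] = None) -> dict:
    """Build the chain-of-custody entry for one log file.

    The entry records the hash, the byte size, who collected the file and when
    (UTC), so that any later change to the file can be detected.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "file": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_at": when.isoformat(),
        "collected_by": collector,
    }


def manifest_json(manifest: dict) -> str:
    """Serialise the entry deterministically so the manifest itself can be hashed or signed."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def verify(manifest: dict, data: bytes) -> bool:
    """True only if the data still matches the recorded hash and size."""
    return manifest["sha256"] == sha256_hex(data) and manifest["size"] == len(data)


if __name__ == "__main__":
    entry = make_manifest("auth.log", SAMPLE_LOG, "analyst-01")
    print(manifest_json(entry))
    print("intact:", verify(entry, SAMPLE_LOG))
    print("tampered:", verify(entry, SAMPLE_LOG + b"extra line\n"))
```

Store the manifest separately from the evidence (ideally signed or printed and filed), because a manifest kept next to a writable copy of the log can be edited together with it.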
3. Begin your investigation by following a clue
During the process of log forensics, there’s probably a giant pile of data in front of you, so don’t just check things mindlessly.
Instead, start with what you know and let the clues guide you.
Eventually, this will guide you down the road of discovery as you uncover the cause of the incident.
Ask questions like:
When did the incident occur?
If there are multiple devices involved, do you know which one you should check first?
What clues do you currently have? The username, IP address…?
Write them down.
If, for example, you have an exact time window of the attack, you can simply rule out all the logs that don’t match the criteria and narrow down your search to the valid ones.
If you know the username, that’s another filter you can use to narrow down your search even further.
4. Stick to a workflow
Optimizing the process of digital forensics comes down to creating a workflow that lets you focus on the essentials and not lose time trying to overthink things. This will lead you to the right answers in the quickest and most efficient manner possible.
Let’s make an assumption.
Have you received a report to guide you? This can give you some initial hints as to where you should begin your search.
If you uncover a clue, let it guide you and investigate further.
Think of it as developing your own system and refining it based on new variables that come into play.
Keep doing this until you get a clear overall picture of:
How the incident happened
Who’s behind it
What devices were involved
To better understand, let’s say you identified a user who had no business using a device:
Step 1: Follow the trail.
Step 2: Review everything they did.
Step 3: If you lose the path in front of you, check whether the same user has an account on another device.
Step 4: Don’t forget to check all logs pertaining to that user, including system logs, security logs, and others.
Step 5: See if the same user compromised other devices too.
Focus your efforts on tracking down a suspicious user’s actions.
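The time-window and username filtering described under point 3, and the cross-device trail-following in the steps above, as one added example that is not part of the original article: it parses constructed syslog-style lines (the line layout, host names and account names are assumptions), keeps only the events inside the attack window for the suspect account, and groups them by device so you can see which systems that user turned up on.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not from the article) in an assumed layout:
# "<ISO timestamp> <host> <process>: <message>", account given as "user=<name>".
SAMPLE_LOGS = """\
2024-03-01T09:58:10Z fileserver sshd: failed login user=bob src=10.0.0.7
2024-03-01T10:02:31Z fileserver sshd: accepted login user=mallory src=10.0.0.9
2024-03-01T10:05:44Z fileserver sudo: command=/bin/cat /etc/shadow user=mallory
2024-03-01T10:07:12Z workstation7 login: accepted login user=alice
2024-03-01T10:09:55Z dbserver sshd: accepted login user=mallory src=10.0.0.9
2024-03-01T11:30:00Z dbserver sshd: accepted login user=mallory src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(line):
    """Turn one line into an event dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = USER_RE.search(m["msg"])
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "proc": m["proc"],
            "msg": m["msg"], "user": u["user"] if u else None}


def filter_events(text, start, end, user=None):
    """Keep events inside [start, end] (ISO strings); optionally only for one account."""
    lo, hi = parse_ts(start), parse_ts(end)
    events = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None or not (lo <= ev["ts"] <= hi):
            continue
        if user is not None and ev["user"] != user:
            continue
        events.append(ev)
    return events


def hosts_touched(events):
    """Group the surviving events by device, i.e. the trail of the account across systems."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return dict(by_host)
```

With the window 10:00 to 10:30 and the account mallory, the 09:58 failure for bob and the 11:30 login fall away, and the remaining events show the account moving from fileserver to dbserver, which is the next device to pull logs from.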
5. Stick to the best practices of writing an incident report
Before the log forensics investigation is complete, you’re going to need to write an incident report. While doing so, it’s important to follow the best industry practices and make sure to list every relevant piece of information you’ve discovered during the cyber forensics process.
You also have the option of sharing the report with those affected by the incident so they can identify the point of attack and bolster their cyber security defenses to ensure nothing similar ever happens again.
Don’t know how to write an incident report or don’t have the time to do it? If you need help, you can have it auto-generated by the right software such as SalvationDATA’s DRS that’s fully compliant with the legal standards.
By doing so, you will be able to utilize the manpower you have available to solve more cases rather than having to spend countless hours on bureaucracy.
Having the right log forensics tool can make all the difference
When you’re in the middle of a log forensics investigation, you don’t want to find yourself in a situation where you’d have to spend too much time and resources collecting and analyzing everything manually.
Wouldn’t it be nice if there was a way to automate the computer forensics process?