Computer Forensics Exam 212-82 PDF

Summary

This document is a module on digital evidence sources used in forensic investigations. It details various sources of digital evidence, including log files, that record user activities and can provide useful information in forensic investigations.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow !* Understand the Fundamentals...

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow !* Understand the Fundamentals !’ Digital Evidence Digital Evidence Sources to gi Support Forensic o Saneed § of Computer Forensics T P Investigation Investigation ——— —— h’\ h‘\ Understand Digital Evidence fl /_/-'\\\. 07 Collecting the Evidence Identify the Roles and /\ ‘. Responsibilities of a Forensic () O @) O. Securing the Evidence Investigator Investigator & \ Understand the Forensic / k/ Overview of Data @4) Investigation Process and.\_/\/ @ \ / ‘ :mzx:f Acquisition S its Importance V‘ ‘ Discuss Various Discuss Forensic Various Forensic \-—/ Performing Evidence Performing Evidence Investigation Phases Analysis L] L] All Rights Reserved. Reproduction Ights Reserved. Reproduction is| s Strictly Prohibited Prohibited. Digital Evidence Sources to Support Forensic Investigation This sections discusses various sources of digital evidence that record user activities and can provide useful information during forensic investigations. Module 20 Page 2227 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Digital Evidence Sources: Log Files e Log files are system generated reports that contain information related to user activities or events that occur in software applications, OSes, servers, or network communication lication Logs Logs » Network logs record events related to » System log files (Syslog) provide details >» An application log records all events or system or user activities such as of process success state, devices, actions generated during the runtime of accessing a resource, performing warnings, system failures, debugs, an application authentication, and details of errors, and alerts, etc. that contain communication with remote hosts that critical information for investigatingan > These records can be investigated to contain critical information such as IP incident identify the behavior of server and addresses, date, timestamp, details of details of entities (who, when, and request, and response messages how) accessing the server Digital Evidence Sources: Log Files (Cont’d) Security logs store data related to failed logins, passwords, resources accessed and allocated, date/time, and user identity that help investigators in tracking the events that led to the incident Web access logs record information such as IP address, Web Access Logs date/time of a request, client ID, request type, status code, and the application used to send the request DNS logs record all activities on a server, including host communications with spoofed IP, unexpected spikes, and inconsistent DNS lookups, which can help investigators in analyzing DNS conversions Module 20 Page 2228 Certified Cybersecurity Technician Copyright © by EC-Council EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Digital Evidence Sources: Log Files (Cont’d) Authentication Dump Files SIP Logs Logs QQO Dump files are compressed O Authentication logs record the O Session Initiation Protocol (SIP) versions of system log files that events that occur during the logs record details about are recorded when a system authentication process such as connections that are established, crashes or is turned off verifying and granting maintained, or disconnected for unexpectedly permission to access a network applications used for or any restricted resource communication such as live O Processes, profiles, and other conferences, chats, and voice security events are logged in this O These records help investigators calls file; this information enables to identify malicious attempts O These logs contain information security teams to identify the made by attackers such as request/response reasons for unexpected messages, invitees, and shutdowns or terminations acknowledgment that helps in investigating illegal or suspicious activities Digital Evidence Sources: Log Files Log files are system generated reports that contain information related to user activities or events that occur in software applications, OSes, servers, or network communication. These files contain important information that helps in analyzing the system or network performance in case of failure or if improvements are required. Event logs contain data related to the operations inside a system that can be later used to resolve problems. Transaction logs contain details such as the type of transaction, time, and date. These logs play a vital role in incident investigations. Network Logs All systems maintain logs that can be used to monitor and track the activities in a network. Some network-connected resources such as firewalls, servers, routers, web applications, OSes, and cloud-based systems generate log files. Network logs record events related to the system or user activities such as accessing a resource, performing authentication, and details of communication with remote hosts that contain critical information such as IP addresses, date, timestamp, details of request, and response messages. This information is critical while investigating an incident. System Logs The system log file (Syslog) records information related to system activities or events occurring in an 0S, including sign in and sign out details as well as driver activities. It contains details about errors and warnings that can be used by investigators to identify the reasons behind an incident. Using these log files, security teams can monitor, control, and troubleshoot a system. Each entry in the file contains a header and Module 20 Page 2229 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics description about the event; these entries are classified as the process success state, devices, warnings, system failures, debugs, errors, and alerts. = Application Logs An application log records all events or actions generated during the runtime of an application. These records can be investigated to identify the behavior of the server and details of entities accessing the server. These details include who, when, and how the server is accessed by the entity/user. This information helps security professionals to monitor the performance of the application and assists investigators to track the events that led to a malicious incident. An application log contains log records that include requests, events, audit trail, availability, and threats. o A request log records each request made to access the application. These logs include information such as the date/time of request, identity of the entity/user who made the request, IP address, URL, and data contained in the request message. o An audit trail records the changes made to the application data such as insert, update, or delete. Audit trail logs are helpful to meet the policies and compliance requirements. o An availability log records errors and exceptions that cause unavailability or disruption in the application. The information recorded in availability logs includes slow responses, application errors, resource usage, and connectivity issues. o A threat log records malicious events that may compromise the application security. This log records information related to unauthorized access to restricted resources or data, invalid input, and failed login attempts. = Security Logs A security log uses an audit trail (audit log) that records information related to security activities. If any unauthenticated operation or procedure is observed, it is recorded by the audit trail, which can be used to investigate and resolve the issue. Only the administrator has permission to manage the security logs; additionally, the oldest records are often updated by the new audit file. These security logs are expensive in terms of analyzing, preventing (unauthorized activities), storing, and processing. They store data related to failed logins, passwords, resources accessed and allocated, date/time, and user identity that help investigators in tracking the events that led to the incident. = Web Access Logs Web access logs include the valuable information stored by the webserver in a specific location. These logs record all requests and responses between a client and server. Almost all webservers are configured to store log data in the same format, called Common Log Format (CLF), which facilitates log analysis. Each request from a client is stored as a log that contains client data such as IP address, exact time and date of a request, client ID, request type, status code, and application used to send the request. Module 20 Page 2230 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Some webservers are configured to store logs with HTTP headers that contain web pages, pictures, and related graphic features of a webpage. The status code in a log determines the behavior of a server and its response to a request. There are different types of status codes used in different situations; for example, success codes range from 200, redirection codes range from 300, client error codes range from 400, and server error codes from 500. * DNS Logs A domain name system (DNS) server contains information that enables users to obtain the appropriate IP address of their respective websites. DNS servers manage and process requests such as navigating from one page to another. A server manages the configuration details and alerts clients in case of any change in the resource records or zones. It records entries such as time, IP addresses, requests, response messages, domain names, flags, and queries. DNS logs record and maintain data related to all activities on the server, including host communications with spoofed IP, unexpected spikes, and inconsistent DNS lookups, which can help investigators to analyze the DNS conversions. ®* Dumep Files Dump files are compressed versions of system log files that are recorded when a system crashes or is turned off unexpectedly. Processes, profiles, and other security events are logged in this file that enable security teams to identify the reasons for unexpected shutdowns or terminations, which are mostly caused by errors or bugs. Using these dump files, investigators can troubleshoot the software or OS issues. = Authentication Logs Authentication logs record events that occur during the authentication process such as verifying and granting permission to access a network or any restricted resource following an authentication policy regulation. These logs can be used to diagnose or troubleshoot problems during authentication and modify the policy as required. If the authentication process is compromised using brute force attacks, authentication logs record these activities, which helps investigators in identifying the malicious attempts made by attackers. = Session Initiation Protocol (SIP) Logs Session Initiation Protocol (SIP) logs record details about connections or sessions established, maintained, or disconnected for applications used for communication such as live conferences, chats, and voice calls. These logs contain information such as request/response messages, invitees, and acknowledgment that helps in investigating illegal or suspicious activities. Module 20 Page 2231 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser