
Chapter 20 - 06 - Digital Evidence Sources to Support Forensic Investigation - 01_ocred_fax_ocred.pdf


Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Module Flow (diagram):
- Understand the Fundamentals of Computer Forensics
- Understand Digital Evidence
- Identify the Roles and Responsibilities of a Forensic Investigator
- Understand the Forensic Investigation Process and its Importance
- Discuss Various Forensic Investigation Phases
- Digital Evidence Sources to Support Forensic Investigation
- Collecting the Evidence
- Securing the Evidence
- Overview of Data Acquisition
- Performing Evidence Analysis

Digital Evidence Sources to Support Forensic Investigation

This section discusses various sources of digital evidence that record user activities and can provide useful information during forensic investigations.

Module 20 Page 2227 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Digital Evidence Sources: Log Files

Log files are system-generated reports that contain information related to user activities or events that occur in software applications, OSes, servers, or network communication.

- Network Logs: Network logs record events related to system or user activities such as accessing a resource, performing authentication, and details of communication with remote hosts that contain critical information such as IP addresses, date, timestamp, details of request, and response messages.
- System Logs: System log files (Syslog) provide details of process success state, devices, warnings, system failures, debugs, errors, alerts, etc., that contain critical information for investigating an incident.
- Application Logs: An application log records all events or actions generated during the runtime of an application. These records can be investigated to identify the behavior of the server and details of entities (who, when, and how) accessing the server.

Digital Evidence Sources: Log Files (Cont'd)

- Security Logs: Security logs store data related to failed logins, passwords, resources accessed and allocated, date/time, and user identity that help investigators in tracking the events that led to the incident.
- Web Access Logs: Web access logs record information such as IP address, date/time of a request, client ID, request type, status code, and the application used to send the request.
- DNS Logs: DNS logs record all activities on a server, including host communications with spoofed IP, unexpected spikes, and inconsistent DNS lookups, which can help investigators in analyzing DNS conversions.
Digital Evidence Sources: Log Files (Cont'd)

- Dump Files: Dump files are compressed versions of system log files that are recorded when a system crashes or is turned off unexpectedly. Processes, profiles, and other security events are logged in this file; this information enables security teams to identify the reasons for unexpected shutdowns or terminations.
- Authentication Logs: Authentication logs record the events that occur during the authentication process such as verifying and granting permission to access a network or any restricted resource. These records help investigators to identify malicious attempts made by attackers.
- SIP Logs: Session Initiation Protocol (SIP) logs record details about connections that are established, maintained, or disconnected for applications used for communication such as live conferences, chats, and voice calls. These logs contain information such as request/response messages, invitees, and acknowledgment that helps in investigating illegal or suspicious activities.

Digital Evidence Sources: Log Files

Log files are system-generated reports that contain information related to user activities or events that occur in software applications, OSes, servers, or network communication. These files contain important information that helps in analyzing the system or network performance in case of failure or if improvements are required. Event logs contain data related to the operations inside a system that can later be used to resolve problems. Transaction logs contain details such as the type of transaction, time, and date. These logs play a vital role in incident investigations.

Network Logs

All systems maintain logs that can be used to monitor and track the activities in a network. Some network-connected resources such as firewalls, servers, routers, web applications, OSes, and cloud-based systems generate log files. Network logs record events related to the system or user activities such as accessing a resource, performing authentication, and details of communication with remote hosts that contain critical information such as IP addresses, date, timestamp, details of request, and response messages. This information is critical while investigating an incident.

System Logs

The system log file (Syslog) records information related to system activities or events occurring in an OS, including sign-in and sign-out details as well as driver activities. It contains details about errors and warnings that can be used by investigators to identify the reasons behind an incident. Using these log files, security teams can monitor, control, and troubleshoot a system. Each entry in the file contains a header and a description of the event; these entries are classified as the process success state, devices, warnings, system failures, debugs, errors, and alerts.

Application Logs

An application log records all events or actions generated during the runtime of an application. These records can be investigated to identify the behavior of the server and details of entities accessing the server. These details include who, when, and how the server is accessed by the entity/user. This information helps security professionals to monitor the performance of the application and assists investigators to track the events that led to a malicious incident. An application log contains log records that include requests, events, audit trail, availability, and threats.

- A request log records each request made to access the application. These logs include information such as the date/time of the request, identity of the entity/user who made the request, IP address, URL, and data contained in the request message.
- An audit trail records the changes made to the application data such as insert, update, or delete. Audit trail logs are helpful to meet policy and compliance requirements.
- An availability log records errors and exceptions that cause unavailability or disruption in the application. The information recorded in availability logs includes slow responses, application errors, resource usage, and connectivity issues.
- A threat log records malicious events that may compromise the application security. This log records information related to unauthorized access to restricted resources or data, invalid input, and failed login attempts.

Security Logs

A security log uses an audit trail (audit log) that records information related to security activities. If any unauthenticated operation or procedure is observed, it is recorded by the audit trail, which can be used to investigate and resolve the issue. Only the administrator has permission to manage the security logs; additionally, the oldest records are often overwritten by the new audit file. These security logs are expensive in terms of analyzing, preventing (unauthorized activities), storing, and processing. They store data related to failed logins, passwords, resources accessed and allocated, date/time, and user identity that help investigators in tracking the events that led to the incident.

Web Access Logs

Web access logs include the valuable information stored by the webserver in a specific location. These logs record all requests and responses between a client and server. Almost all webservers are configured to store log data in the same format, called Common Log Format (CLF), which facilitates log analysis. Each request from a client is stored as a log entry that contains client data such as IP address, exact time and date of the request, client ID, request type, status code, and the application used to send the request.
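Because CLF is a fixed, single-line layout, the client data listed above can be pulled out with one regular expression and the status codes grouped by class for triage. The following is an added example written for this page, not code from the module or from EC-Council; the log lines are constructed sample data using RFC 5737 documentation addresses, and the separate handling of malformed lines is a design choice of the example.

```python
"""Parse Common Log Format (CLF) web access log lines and classify status codes.

Added example; not code from the module or from EC-Council. The log lines below
are constructed sample data (RFC 5737 documentation addresses), not a real capture.
"""
import re
from collections import Counter
from datetime import datetime

# CLF fields: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample access log, including one deliberately malformed line.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 4321
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /backup/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /config HTTP/1.1" 403 301
192.0.2.10 - alice [10/Oct/2023:13:57:10 +0000] "POST /upload HTTP/1.1" 302 -
203.0.113.5 - - [10/Oct/2023:13:58:00 +0000] "GET /report HTTP/1.1" 500 0
this line is not valid CLF and is kept aside as malformed
"""


def status_class(code):
    """Map an HTTP status code to the class named in the module text."""
    if 200 <= code < 300:
        return "success"
    if 300 <= code < 400:
        return "redirection"
    if 400 <= code < 500:
        return "client_error"
    if 500 <= code < 600:
        return "server_error"
    return "other"


def parse_clf_line(line):
    """Return a dict of fields for one CLF line, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # "GET /path HTTP/1.1" -> method and path; an empty or bare "-" request yields ""
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if len(parts) >= 2 else ""
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["class"] = status_class(rec["status"])
    return rec


def parse_clf(text):
    """Parse every line; malformed lines are returned separately, never dropped silently."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_clf_line(line)
        if rec is None:
            malformed.append(line)
        else:
            records.append(rec)
    return records, malformed


def summarize(records):
    """Count requests per status class and client errors per source host."""
    by_class = Counter(r["class"] for r in records)
    client_errors = Counter(r["host"] for r in records if r["class"] == "client_error")
    return by_class, client_errors


if __name__ == "__main__":
    recs, bad = parse_clf(SAMPLE_LOG)
    classes, errors = summarize(recs)
    print("parsed:", len(recs), "malformed:", len(bad))
    print("by class:", dict(classes))
    print("client errors per host:", dict(errors))
```

Malformed lines are kept rather than discarded: in an investigation a line that does not parse is itself worth a look, since log injection and truncation both show up that way. The per-host count of 4xx responses is the quickest view of which client was requesting resources it could not reach.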
Some webservers are configured to store logs with HTTP headers that contain web pages, pictures, and related graphic features of a webpage. The status code in a log entry indicates the behavior of the server and its response to a request. Different status codes are used in different situations; for example, success codes are in the 200 range, redirection codes in the 300 range, client error codes in the 400 range, and server error codes in the 500 range.

DNS Logs

A domain name system (DNS) server contains information that enables users to obtain the appropriate IP address of their respective websites. DNS servers manage and process requests such as navigating from one page to another. A server manages the configuration details and alerts clients in case of any change in the resource records or zones. It records entries such as time, IP addresses, requests, response messages, domain names, flags, and queries. DNS logs record and maintain data related to all activities on the server, including host communications with spoofed IP, unexpected spikes, and inconsistent DNS lookups, which can help investigators to analyze the DNS conversions.

Dump Files

Dump files are compressed versions of system log files that are recorded when a system crashes or is turned off unexpectedly. Processes, profiles, and other security events are logged in this file, which enables security teams to identify the reasons for unexpected shutdowns or terminations; these are mostly caused by errors or bugs. Using these dump files, investigators can troubleshoot software or OS issues.
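Two of the DNS indicators named above, unexpected query spikes and inconsistent lookups, can be checked mechanically once the query log is parsed. The following is an added example written for this page, not code from the module or from EC-Council. Its one-line record layout (timestamp, client, query name, record type, response code, answer) is a constructed simplification, not the log format of any particular DNS server, and every line is sample data built inside the block; the window size and thresholds are assumptions to tune per environment.

```python
"""Triage a DNS query log for two indicators the module names: unexpected
query spikes from a host and inconsistent lookups of the same name.

Added example; not code from the module or from EC-Council. The one-line
record layout used here (timestamp client qname qtype rcode answer) is a
constructed simplification for the example, not any DNS server's real log
format, and every line is sample data built below.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct sample records: normal lookups, one name that resolves to two
    different addresses, and one client firing 40 NXDOMAIN queries in 40 seconds."""
    lines = [
        "2023-10-10T13:55:00 192.0.2.10 www.example.com A NOERROR 192.0.2.80",
        "2023-10-10T13:55:05 192.0.2.10 mail.example.com A NOERROR 192.0.2.25",
        "2023-10-10T13:55:09 192.0.2.11 www.example.com A NOERROR 192.0.2.80",
        "2023-10-10T13:56:00 192.0.2.11 www.example.com A NOERROR 203.0.113.99",
    ]
    start = datetime(2023, 10, 10, 13, 58, 0)
    for i in range(40):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 198.51.100.7 h{i}.example.net A NXDOMAIN -")
    return "\n".join(lines) + "\n"


def parse_dns_log(text):
    """Parse the constructed layout; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, rcode, answer = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.rstrip(".").lower(),
            "qtype": qtype.upper(),
            "rcode": rcode.upper(),
            "answer": answer,
        })
    return records


def query_spikes(records, window=timedelta(seconds=60), threshold=30):
    """Clients whose query count inside any sliding window exceeds the threshold.
    Returns {client: peak_count}."""
    times_by_client = defaultdict(list)
    for r in records:
        times_by_client[r["client"]].append(r["time"])
    flagged = {}
    for client, times in times_by_client.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[client] = peak
    return flagged


def inconsistent_answers(records):
    """Names of one record type that were answered with more than one value.
    Worth a second look, although CDN rotation can legitimately cause it."""
    answers = defaultdict(set)
    for r in records:
        if r["rcode"] == "NOERROR" and r["answer"] != "-":
            answers[(r["qname"], r["qtype"])].add(r["answer"])
    return {k: sorted(v) for k, v in answers.items() if len(v) > 1}


def nxdomain_ratio(records):
    """Share of each client's queries that returned NXDOMAIN; a high share from
    one host usually means automated lookups of names that do not exist."""
    total = Counter(r["client"] for r in records)
    nx = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {c: nx[c] / total[c] for c in total}


if __name__ == "__main__":
    recs = parse_dns_log(build_sample_log())
    print("spikes:", query_spikes(recs))
    print("inconsistent:", inconsistent_answers(recs))
    print("nxdomain ratio:", nxdomain_ratio(recs))
```

The sliding window is a two-pointer pass over each client's sorted timestamps, so it runs in linear time per client and does not depend on fixed clock-aligned buckets, which would hide a burst that straddles a minute boundary.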
Authentication Logs

Authentication logs record events that occur during the authentication process, such as verifying and granting permission to access a network or any restricted resource following an authentication policy regulation. These logs can be used to diagnose or troubleshoot problems during authentication and to modify the policy as required. If the authentication process is attacked using brute-force attempts, authentication logs record these activities, which helps investigators in identifying the malicious attempts made by attackers.

Session Initiation Protocol (SIP) Logs

Session Initiation Protocol (SIP) logs record details about connections or sessions established, maintained, or disconnected for applications used for communication such as live conferences, chats, and voice calls. These logs contain information such as request/response messages, invitees, and acknowledgment that helps in investigating illegal or suspicious activities.
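The System Logs section above describes each syslog entry as a header plus a description, and the Authentication Logs section notes that repeated failed logins are recorded there. The following added example, written for this page and not code from the module or from EC-Council, does both steps: it splits BSD-style syslog lines into header fields and message, then counts failed password attempts per source inside a time window and notes whether a successful login from that source followed. The entries are constructed sample lines in the style of OpenSSH sshd messages; the year (syslog headers carry none), the window and the threshold are assumptions of the example.

```python
"""Split syslog-style entries into header and description, then use the
authentication messages among them to spot repeated failed logins.

Added example; not code from the module or from EC-Council. The entries are
constructed sample lines in the style of OpenSSH sshd messages under a BSD
syslog header (timestamp, host, process[pid]); no real system produced them.
"""
import re
from collections import defaultdict
from datetime import datetime

# Header: "Mon DD HH:MM:SS host process[pid]: " followed by the description.
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')
ACCEPTED_RE = re.compile(r'Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)')

# Constructed sample log: one kernel line, normal logins, a burst of failures
# from one source followed by a success, one isolated failure, and a cron line.
SAMPLE_SYSLOG = """\
Oct 10 13:55:36 srv1 kernel: [    0.000000] Linux version 5.15.0 (constructed sample)
Oct 10 13:55:40 srv1 sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 50211 ssh2
Oct 10 13:56:01 srv1 sshd[2010]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Oct 10 13:56:02 srv1 sshd[2011]: Failed password for invalid user test from 198.51.100.7 port 51235 ssh2
Oct 10 13:56:03 srv1 sshd[2012]: Failed password for root from 198.51.100.7 port 51236 ssh2
Oct 10 13:56:04 srv1 sshd[2013]: Failed password for root from 198.51.100.7 port 51237 ssh2
Oct 10 13:56:05 srv1 sshd[2014]: Failed password for root from 198.51.100.7 port 51238 ssh2
Oct 10 13:56:09 srv1 sshd[2015]: Accepted password for root from 198.51.100.7 port 51240 ssh2
Oct 10 13:57:00 srv1 sshd[2020]: Failed password for bob from 192.0.2.11 port 40000 ssh2
Oct 10 13:57:30 srv1 CRON[2100]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""


def parse_syslog(text, year=2023):
    """Split each line into header fields and description; the year is assumed
    because the BSD header omits it. Non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        entries.append({"time": ts, "host": m["host"], "proc": m["proc"],
                        "pid": m["pid"], "msg": m["msg"]})
    return entries


def auth_events(entries):
    """Reduce sshd descriptions to (time, outcome, user, source) tuples."""
    events = []
    for e in entries:
        if e["proc"] != "sshd":
            continue
        m = FAILED_RE.search(e["msg"])
        if m:
            events.append((e["time"], "failed", m["user"], m["src"]))
            continue
        m = ACCEPTED_RE.search(e["msg"])
        if m:
            events.append((e["time"], "accepted", m["user"], m["src"]))
    return events


def repeated_failures(events, threshold=5, window_seconds=300):
    """Sources with at least `threshold` failures inside the window. A success
    from the same source after the burst is the finding to escalate first."""
    recent = defaultdict(list)
    findings = {}
    for t, kind, user, src in sorted(events):
        if kind == "failed":
            recent[src] = [x for x in recent[src] if (t - x).total_seconds() <= window_seconds]
            recent[src].append(t)
            if len(recent[src]) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(recent[src]))
        elif kind == "accepted" and src in findings:
            findings[src]["success_after"] = True
    return findings


if __name__ == "__main__":
    entries = parse_syslog(SAMPLE_SYSLOG)
    print("entries:", len(entries))
    print("findings:", repeated_failures(auth_events(entries)))
```

Keeping the header and description separate is what makes the second step possible: the process name from the header selects the authentication records, and only then is the free-text description matched. The same two-stage approach applies to any other process whose messages an investigator needs to correlate.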
