As a cyber security professional, collecting evidence is one of the most important parts of any investigation.
Without evidence, blanket statements won’t hold up.
What is evidence in the cyber security world?
Evidence can take the form of logs or screenshots that have not been tampered with. A critical question is how the logs can be protected from tampering and whether they can be presented in a court of law; think about this and do some research on it, as it may be worth talking to a lawyer.
Let’s examine the various logs we can look at for our investigation.
Every piece of software you use on your laptop or mobile device writes logs in some form and in some location.
Let’s deal with the Windows operating system first, at a basic level.
Windows writes logs that the user can view in an application called Event Viewer; you can launch it from Start –> Run or just type “event viewer” in the Windows search.
When you launch Event Viewer, on the left pane you will see three broad categories: Application, Security, and System.
If this is the first time you are looking at Event Viewer, go ahead and take a look at these on your laptop.
If you are using a Linux or Mac OS system, please refer to the links below for the details.
Having logs by itself is not sufficient; we also need the ability to understand them, for which you need to develop a basic understanding of the underlying platform. For example, if you are examining a Linux log file, at first the log lines might look like gibberish, though you can probably identify the easy fields such as date and time, user names, system names, IP addresses, etc.
However, the more complex strings in the log files can be error codes and other specialist vocabulary thrown in by developers. See the example below, which mentions galileo exiting on signal 15. What does signal 15 mean? Answering that requires further study or knowledge of the Linux operating system, and the same applies to logs belonging to any other software, whether Windows, Mac OS, or others.
Nov 21 08:05:57 Galileo exiting on signal 15
Before you start investigating an incident, you should do some planning to know which logs you need to collect. Remember that you need to be able to search for patterns in logs and to do advanced analytics on the collected logs; for this you might need tools like Notepad++, Excel or any other open-source text search and manipulation tool you are comfortable with. To do an advanced search in the logs, you need to be able to write your own programs. Now let’s discuss an example.
Scenario: Investigate whether a specific log file contains any malicious IP addresses.
Remember that logs contain a lot of information; extracting the required information from a log is like looking for a needle in a haystack.
For the above task choose whatever text search tool you need; the basic task is to look for IP addresses and then match them against a known database of malicious IP addresses.
I want you to comment on the approach you will take for this problem, assuming you have the IP addresses in a text file or in a SQL database.
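Here is one way to tackle the scenario above, as an added example that is not part of the original post: it pulls IPv4 addresses out of constructed log lines with a regular expression, validates the octets so that out-of-range numbers are not mistaken for addresses, and checks each one against a small blocklist assumed to be a plain text file with one address per line (the SQL variant would replace `load_blocklist` with a query). All names, log lines and addresses below are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample log lines (placeholder addresses from RFC 5737 / private ranges).
SAMPLE_LOG = """\
Nov 21 08:05:57 galileo sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Nov 21 08:06:02 galileo sshd[1201]: Accepted publickey for alice from 10.0.0.7 port 50110 ssh2
Nov 21 08:06:30 galileo nginx: 198.51.100.23 - - "GET /wp-login.php HTTP/1.1" 404
Nov 21 08:05:57 galileo exiting on signal 15
"""

# Constructed blocklist in the assumed text format: one IP per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# known-bad addresses (placeholder values)
203.0.113.45
198.51.100.23
"""

# Dotted-quad candidate; the octet range (0-255) is checked separately because
# \d{1,3} alone would also accept strings such as 999.1.1.1.
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ipv4(line: str) -> List[str]:
    """Return every syntactically valid IPv4 address found in a log line."""
    found = []
    for cand in _IPV4_CANDIDATE.findall(line):
        if all(0 <= int(octet) <= 255 for octet in cand.split(".")):
            found.append(cand)
    return found

def load_blocklist(text: str) -> Set[str]:
    """Parse a text blocklist (one IP per line, '#' comments) into a set."""
    ips = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            ips.add(entry)
    return ips

def find_malicious(log_text: str, blocklist: Set[str]) -> Dict[str, List[int]]:
    """Map each blocklisted IP seen in the log to the 1-based line numbers where it appears."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in extract_ipv4(line):
            if ip in blocklist:
                hits.setdefault(ip, []).append(lineno)
    return hits

if __name__ == "__main__":
    for ip, lines in find_malicious(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST)).items():
        print(f"{ip} seen on line(s) {lines}")
```

On a real log, read the file contents into `log_text` and the blocklist file into `load_blocklist`; the line numbers returned point you straight back to the evidence lines to preserve.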
Threat hunting can be active or passive. What does active mean?
Active means you are watching the live log data coming from different sources in a visual presentation via a log management application. Based on your observations, and by analysing the alerts raised by the log management application, you raise an alarm about an active threat in the network or a potential one.
Passive means you are given a set of data containing log files and other information, together with some pointers to help you identify the attack from the data. This is usually done for validation and training purposes, and also for investigations after an incident has happened.
Another tool you can use to document your work along with your programs and logs is called “Jupyter”. This requires an advanced understanding of Jupyter and its usage, and the link provided will help you with that.