Log Analysis with SANS SIFT


Apr 18, 2019
#1
I am fairly new to forensics, but it's a very interesting topic and you've got to start somewhere.
I recently downloaded and updated SANS SIFT (currently running in Hyper-V).
Just to get started I wanted to analyse my firewall and OpenVPN logs of the last 30 days.
Now I am looking for a tool to help me with this task - maybe filter the log data and point out
abnormalities or potential threats. I watched SANS SIFT tutorial videos and started reading the docs,
but most of the time they analyse memory dumps or pcaps - but no "simple" log data.

(I searched the forum to see if somebody had asked this question before, and I am starting to think that I am missing
something fundamental - but as my teacher always said: "Better start asking questions of the right people
or you'll stay just as stupid as you are" ... so here I am, asking stupid questions.)

Best Regards
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#2
You're asking about analyzing logs ... what logs, more exactly, are you referring to? Windows event logs? Unix logs? Something else, specific to the type of firewall? (OpenVPN is specific enough.)

For education purposes, you are probably better off avoiding specific analysis tools. Instead, find the documentation of the log format so that you know exactly what the log data means, and from there make up a list of forensic questions that you may face in a case involving this particular log. Things like: what external IP addresses have connected over the past month? What is 'normal' and what is 'abnormal' on this system? (For example: if the system sees a dozen port scans a day, a week without any port scans at all might be abnormal.) What types of service were the targets of connections (remote login? mail? database?) Does one type of service stick out as a particular target, or does one IP address stick out as being particularly persistent? Can you say if any of these connections are part of a port scan? Are there any internal connections to remote addresses that are unusual? Has logging been on over the entire time, or are there holes in log coverage? ... and so on. And also ... how do I extract the information? Is it in CSV format? XML? JSON? (Some programming skills are often useful here.)

Finding anomalies and threats could be done automatically, but ... you really have to know what the logs contain, and which of this information the tool actually uses. Once you have that, you may use the same logs as tests for any log analysis tools you are interested in: do they answer the same questions that you have checked, and do they produce the same results?

If you are focusing only on automatic tools, start from the log type (Windows event? Cisco? Zyxel? ... etc.) and then research available products. I've worked mainly with commercial products -- and they tend to be expensive and often require some time and a steady supply of logs to really come to grips with. You might also look at tools like Logalyze, for example, and you can probably set up your own test environment where you connect to the relevant target system in a way that is logged, in order to get the connection between reality and log contents.

However ... this is not really a forensic topic. Log analysis in general falls more comfortably in general IT administration and management, and that's where I think you may find the best sources of information. The forensic application of log analysis is more a question of looking at the data or the reports with a forensic hat on.

(Added: It strikes me that learning the settings for the tool that produces the logs is also important: does it log everything by default? Or only those things that don't cause troublesome support cases? If you're examining a Unix system, say, just how does the local configuration split up log contents into different files? You need to know where the information you want is located, and that can change wildly with different sysadmin practices.)
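The approach in the reply above (know the format first, then answer concrete forensic questions from it) is the kind of thing a short script does well before reaching for a product. The following is an added example, not code from either poster: it parses iptables LOG lines and OpenVPN messages as relayed by syslog, then answers several of the questions listed in the reply (which external addresses connected, which services they targeted, who looks like a port scanner, which internal hosts talk outbound on unexpected ports, and whether there are holes in log coverage). The sample log lines are constructed for illustration; the year, the internal address ranges, the port-to-service map, the scan threshold and the allowed outbound ports are all assumptions you would replace with the values from your own environment.

```python
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

YEAR = 2019  # syslog timestamps carry no year; assumed from the case date

# Assumed site-internal ranges (RFC 1918). Not ipaddress.is_private(), which also
# treats the 192.0.2.0/24 style documentation ranges used below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https", 1194: "openvpn", 3389: "rdp"}

# Constructed sample: iptables LOG lines and OpenVPN server messages via syslog.
# Layout follows the real formats; hosts, addresses and times are made up.
SAMPLE_LOG = """\
Apr  1 08:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22 SYN
Apr  1 08:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=23 SYN
Apr  1 08:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=25 SYN
Apr  1 08:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40004 DPT=80 SYN
Apr  1 08:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40005 DPT=443 SYN
Apr  1 08:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40006 DPT=3389 SYN
Apr  1 09:15:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=UDP SPT=51234 DPT=1194
Apr  1 09:15:00 fw openvpn[911]: 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=1a2b3c4d 5e6f7a8b
Apr  1 09:15:01 fw openvpn[911]: 203.0.113.5:51234 VERIFY OK: depth=0, CN=alice
Apr  1 09:15:01 fw openvpn[911]: 203.0.113.5:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Apr  1 09:20:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=192.0.2.200 PROTO=TCP SPT=50000 DPT=6667 SYN
Apr  3 09:30:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=42000 DPT=22 SYN
Apr  3 09:30:05 fw openvpn[911]: 203.0.113.9:42001 TLS Error: TLS handshake failed
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([a-z]+)(?:\[\d+\])?: (.*)$")
VPN_PEER = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ (.*)$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(text):
    """Turn raw lines into records; unknown layouts are skipped (count them in real work)."""
    records = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, _host, prog, msg = m.groups()
        rec = {"ts": datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S"), "prog": prog, "msg": msg}
        if prog == "kernel":  # iptables LOG target: KEY=VALUE tokens
            kv = dict(re.findall(r"(\w+)=(\S*)", msg))
            rec.update(src=kv.get("SRC"), dst=kv.get("DST"), proto=kv.get("PROTO"),
                       dpt=int(kv["DPT"]) if kv.get("DPT") else None)
        elif prog == "openvpn":  # peer-prefixed handshake messages
            pm = VPN_PEER.match(msg)
            if pm:
                rec["src"], rest = pm.groups()
                if "TLS Error" in rest:
                    rec["event"] = "tls_error"
                elif rest.startswith("TLS: Initial packet"):
                    rec["event"] = "tls_init"
                elif rest.startswith("VERIFY OK"):
                    rec["event"] = "verify_ok"
                elif "Peer Connection Initiated" in rest:
                    rec["event"] = "connected"
        records.append(rec)
    return records


def inbound(records):
    return [r for r in records if r["prog"] == "kernel" and r.get("src") and not is_internal(r["src"])]


def external_sources(records):
    """Q: which external addresses hit the firewall, and how persistently?"""
    return Counter(r["src"] for r in inbound(records))


def targeted_services(records):
    """Q: which services were targeted? Ports outside the map are reported by number."""
    return Counter(SERVICES.get(r["dpt"], str(r["dpt"])) for r in inbound(records) if r["dpt"] is not None)


def suspected_scanners(records, min_ports=5, window=timedelta(minutes=1)):
    """Heuristic (assumed threshold): one source probing >= min_ports distinct ports within one window."""
    by_src = defaultdict(list)
    for r in inbound(records):
        if r["dpt"] is not None:
            by_src[r["src"]].append((r["ts"], r["dpt"]))
    flagged = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            if len({p for t, p in hits[i:] if t - t0 <= window}) >= min_ports:
                flagged.append(src)
                break
    return flagged


def unusual_outbound(records, allowed_ports=frozenset({53, 80, 443, 1194})):
    """Q: internal hosts reaching the outside on ports we would not expect (allowed set is assumed)."""
    return [(r["src"], r["dst"], r["dpt"]) for r in records
            if r["prog"] == "kernel" and r.get("src") and is_internal(r["src"])
            and r.get("dst") and not is_internal(r["dst"]) and r["dpt"] not in allowed_ports]


def coverage_gaps(records, max_gap=timedelta(hours=24)):
    """Q: are there holes in the log? Any silence longer than max_gap is reported as (start, end)."""
    times = sorted(r["ts"] for r in records)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def vpn_events(records):
    """Q: per peer, how did each OpenVPN handshake go?"""
    return Counter((r["src"], r["event"]) for r in records if r["prog"] == "openvpn" and "event" in r)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("external sources:", external_sources(recs).most_common())
    print("targeted services:", targeted_services(recs).most_common())
    print("suspected scanners:", suspected_scanners(recs))
    print("unusual outbound:", unusual_outbound(recs))
    print("coverage gaps:", coverage_gaps(recs))
    print("vpn events:", vpn_events(recs).most_common())
```

Two points worth noticing when you run this on real data. First, the coverage check only sees silence in the records you parsed, so a line format your regex does not recognise shows up as a gap: count the skipped lines rather than silently dropping them. Second, the scanner heuristic and the allowed-port list are opinions about what is normal for this network, which is exactly the "what is normal on this system" question from the reply; tune them from a known-clean period before trusting the output.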
