Looking for clues



IN any computer security incident like intrusion, web page defacement, data leaks, and other type of hacking that results in a system compromise, the biggest challenge to determine the who, what, when, and why of the unfortunate event is the search for digital data that hopefully will yield clues.

As this is an after-the-fact scenario, computer forensic investigators are usually left with very scarce data needed to trace the root cause. And if the perpetrators are very skilled, most if not all of the ‘tracks’ they left behind will most likely be covered or erased as well.

There are so many places to look for data – PCs, servers, switches, routers, firewalls, intrusion detection systems are among a few. However, there is a specific type of data that all of these have in common – logs. Logs are the electronic list of all activities that the software or hardware has ever done. It is the diary, the record book, the journal of everything and anything. Logs are always the first thing that any investigator looks for and by the same token, any hacker or intruder will alter or erase.

Every hardware and software will have logs and it is good practice to always enable them and obtain the most details as much as possible. Sad to say, logs are usually turned off because organizations are wary of the storage space that they take up as they can be quite voluminous and if there are very little events, it will also have very little use. That is, until the big day comes and you got hit. Only then will you realize that there is no information to look back to. Storage has become very cheap and today, cost of disk space should not be an issue anymore.

The smart hacker would either alter or delete the logs so you better have a backup plan for this. As the logs are stored in the individual devices and these same devices are the ones that usually gets compromised, it is wise to have the logs be transmitted to a well-protected and properly backed-up Central Log Server. The log servers don’t have to be powerful ones, just with big hard disk storage capacity. Also, you need to configure the type of logs that you would get to be as ‘verbose’ as possible – meaning the mode that it yields more information. Logs are the first thing you go back to whenever an incident happens.

Getting the logs is one thing, interpreting them is another. In the old days, you really had to acquire very intelligent and senior security analysts to sift through the thousands (sometimes even more) of log entries and be keen enough to spot what is out of the ordinary. Fortunately, today there is what is known as the security incident and event manager, or SIEM. The SIEM is a system which correlates the logs from the various hardware and software and depending on the rules that were set will furnish the security analyst with possible security incidents. Of course, there is still a certain degree of analysis and verification needed to weed out false positives.

Another source of clues, albeit a more expensive one, is storing the network traffic itself. The raw data communications, the bits and bytes of data passing on the wire. Obviously, this will require more storage capacity as you are now literally storing everything and not just creating a journal of events. This is the ultimate solution as all the details are recorded. There are even security systems that can reconstruct a security incident using the data gathered.

Unlike a murder scene and medical forensics, digital forensics can be made easier by setting yourself up to guarantee that you will have clues to work on. These two sources, logs and network traffic are two of the most reliable artifacts that can dramatically increase the probability of success of a digital investigation. The other being the data present in the computer’s and server’s volatile memory, or the data that is currently being processed in RAM or the computer’s scratch pad. There are tools to extract all of these as well. Another source are the actual files that may have been altered or replaced by the perpetrators so that they can run programs and applications to do their nefarious deeds. Vulnerability scanners are then needed to check if viruses, trojans, and rootkits are present in the system.

The most taxing and difficult part of an investigation is code analysis. In this method, one has to go through and analyze the actual programs present in the system and determine if any part was compromised or altered so as to manipulate its purpose and make it perform tasks that it wasn’t intended to do.

Nobody wants to be a victim, but as the saying in information security goes – “It’s not IF, it’s WHEN and HOW SEVERE.” Although beyond anybody’s control, anticipating that an attack will eventually happen is the mindset that any organization with critical information technology systems and assets must adopt. This will greatly increase awareness and instill a culture of consciousness. All of the ingredients necessary to achieve a pro-active state of mind.


Please follow our commenting guidelines.

Comments are closed.