In flagrante delicto, or “caught in the act”, is the ideal situation for every security officer, whether in the physical or in the electronic world. Why is it so utopian?
- Good monitoring, logging and data capture systems (SIEM, honeynets) that could provide the information needed for a real-time catch are often not implemented or not used.
- Further, and more important, are the legal issues, especially in Europe, where strong privacy and data protection regulations disallow monitoring of employees’ activities.
- Resorting to forensic analysis tools is therefore almost inevitable. Computer systems are huge and complex, change very rapidly, and even in well-monitored environments things can stay hidden, alarms can be misleading, and so on.
These lectures provide an introduction to meeting the challenges and establishing capabilities in these two areas: log management and digital forensics.
A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data. Log generation and storage can be complicated by several factors, including a high number of log sources; inconsistent log content, formats, and timestamps among sources; and increasingly large volumes of log data. Log management also involves protecting the confidentiality, integrity, and availability of logs. Another problem with log management is ensuring that security, system, and network administrators regularly perform effective analysis of log data.
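Two of the problems named above, inconsistent formats and timestamps across sources and protecting log integrity, can be made concrete with a small normalizer. The following is an added example and is not code from the course material: it parses three constructed log lines in deliberately different formats (BSD syslog without year or zone, Apache combined with a zone offset, ISO 8601 in UTC), converts each to a UTC timestamp so events from different hosts can be ordered, and then links the ordered records in a SHA-256 hash chain so that modifying or deleting one record invalidates every later digest. The year and zone assumed for the syslog source are hypothetical values, as is every host name and address in the samples.

```python
import hashlib
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real logs), deliberately in three inconsistent
# formats: BSD syslog (no year, no zone), Apache combined (zone offset), ISO 8601 UTC.
SAMPLE_LOGS = [
    "Mar  3 14:02:11 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5",
    '10.0.0.9 - - [03/Mar/2024:14:02:12 +0100] "GET /login HTTP/1.1" 401 512',
    "2024-03-03T13:02:13Z app01 auth: failed login for user bob from 10.0.0.9",
]

# Assumptions for the syslog source, which omits both year and zone (hypothetical values).
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=1))

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<msg>.*)$")
# For Apache lines the first field is the client address, which we keep as the "source" label.
APACHE_RE = re.compile(r"^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
ISO_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})) (?P<src>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Return (utc_iso_timestamp, source, message), or None if no known format matches."""
    m = SYSLOG_RE.match(line)
    if m:
        # strptime treats a space in the format as one-or-more whitespace, so "Mar  3" parses.
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=SYSLOG_TZ)
    else:
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        else:
            m = ISO_RE.match(line)
            if not m:
                return None
            # fromisoformat only accepts a trailing "Z" on Python 3.11+, so spell out the offset.
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).isoformat(), m["src"], m["msg"]


def normalize(lines):
    """Parse and convert every line to UTC, then order by time.
    Returns (records, rejected): unparsable lines are reported, not silently dropped,
    because a gap in coverage is itself a finding for the log manager."""
    records, rejected = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            rejected.append(line)
        else:
            records.append("%s %s %s" % parsed)
    records.sort()
    return records, rejected


GENESIS = "0" * 64  # digest assumed for the record before the first one


def hash_chain(records, previous=GENESIS):
    """Return [(record, digest)] where each digest covers the prior digest and the record.
    Altering, reordering or deleting any record breaks every digest after it."""
    chained = []
    for rec in records:
        digest = hashlib.sha256((previous + "|" + rec).encode("utf-8")).hexdigest()
        chained.append((rec, digest))
        previous = digest
    return chained


def verify_chain(chained, previous=GENESIS):
    """Recompute the chain and return True only if every stored digest matches."""
    for rec, digest in chained:
        expected = hashlib.sha256((previous + "|" + rec).encode("utf-8")).hexdigest()
        if expected != digest:
            return False
        previous = digest
    return True


if __name__ == "__main__":
    records, rejected = normalize(SAMPLE_LOGS + ["not a log line"])
    for rec, digest in hash_chain(records):
        print(digest[:16], rec)
    print("rejected:", rejected)
```

In practice the final digest of each batch would be written somewhere the log host cannot modify (a separate system or a write-once store), since a chain whose anchor can be rewritten protects nothing.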
Digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage. Practically every organization needs to have the capability to perform digital forensics. Without such a capability, an organization will have difficulty determining what events have occurred within its systems and networks, such as exposures of protected, sensitive data.
Course material and slides
| Lecture | Description |
|---|---|
| Log analysis and Digital Forensics | Lessons learned from the field and a deep dive into good practice of log analysis, plus a general overview of digital forensics techniques, two key components of an efficient incident management system. |
References and further reading
Log Management references:
- Best Practices for Log Monitoring
- Guide to Computer Security Log Management (NIST SP 800-92)

Digital Forensics references:
- Guide to Integrating Forensic Techniques into Incident Response (NIST SP 800-86)
- Wietse Venema and Dan Farmer’s forensics page
- ENISA Digital Forensics Training and Material