
Log analysis and evidence collection are crucial components of incident response and forensic analysis. These processes involve examining various log types from systems, applications, and networks to identify security incidents and gather evidence.

Effective log analysis techniques include using SIEM platforms, correlating events across multiple sources, and analyzing timestamps to reconstruct incident timelines. Evidence collection focuses on identifying indicators of compromise, preserving digital artifacts, and maintaining proper log retention policies to support investigations and legal requirements.

Log Types and Sources

System Logs: Operating System and Hardware Events

  • Kernel logs record low-level system events, driver issues, and hardware interactions
  • Boot logs capture system startup and shutdown sequences, including service initializations
  • Authentication logs track user login attempts, both successful and failed (SSH, console logins)
  • Performance logs monitor overall system health, resource usage, and performance metrics
  • Security logs document changes to system configurations, file access, and permission modifications

Application Logs: Software-Specific Activities

  • Web server logs record HTTP requests, responses, and errors (Apache, Nginx)
  • Database logs track queries, transactions, and access attempts (MySQL, PostgreSQL)
  • Email server logs document message flow, delivery status, and spam filtering actions
  • Antivirus logs capture scan results, threat detections, and quarantine actions
  • Custom application logs record specific events defined by developers for troubleshooting

Network Logs: Communication and Traffic Data

  • Firewall logs document allowed and blocked connections, including source and destination IPs
  • Intrusion Detection System (IDS) logs record suspicious network activities and potential attacks
  • Virtual Private Network (VPN) logs track remote access sessions and connection details
  • Domain Name System (DNS) logs capture domain resolution requests and responses
  • Dynamic Host Configuration Protocol (DHCP) logs record IP address assignments and lease information

Log Analysis Techniques

Security Information and Event Management (SIEM)

  • Centralized log collection aggregates data from multiple sources into a single platform
  • Real-time monitoring enables immediate detection of security incidents and anomalies
  • Automated alert generation notifies security teams of potential threats or policy violations
  • Log normalization standardizes data formats for consistent analysis across diverse sources
  • Data visualization tools create dashboards and reports for easy interpretation of complex log data
  • SIEM platforms often include machine learning capabilities for advanced threat detection
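
The log types listed above only become useful together once they share one schema, which is the normalization step in the SIEM list. The following is an added example (not code from the original page): it parses real sshd, Apache combined and iptables line formats into a common event record. The sample lines are constructed for this example and use RFC 5737 documentation addresses; the field names of the common schema are this example's own choice.

```python
"""Normalise three log sources into one event schema (the SIEM "log
normalisation" step).  Added example, not code from the original page.
The sshd, Apache combined and iptables formats are real; the sample lines
are constructed for this example and use RFC 5737 documentation addresses.
"""
import re
from typing import Optional

# Constructed sample lines: one attacker address (203.0.113.7) seen by three sources.
SAMPLE_LINES = [
    "Mar  5 08:14:02 bastion sshd[2133]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  5 08:14:09 bastion sshd[2133]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    '203.0.113.7 - - [05/Mar/2024:08:15:30 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.4.0"',
    "Mar  5 08:16:01 fw kernel: [12345.678] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TTL=52 PROTO=TCP SPT=44444 DPT=3389 WINDOW=29200",
    "this line matches no known format",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<sport>\d+)"
)
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
IPTABLES_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[[\d.]+\] (?P<action>\w+) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r".*?SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto the common schema; None if no parser matches.
    Common fields: source, ts (raw), host, src_ip, user, action, outcome, detail."""
    m = SSHD_RE.match(line)
    if m:
        return {"source": "sshd", "ts": m["ts"], "host": m["host"],
                "src_ip": m["src"], "user": m["user"], "action": "login",
                "outcome": "success" if m["result"] == "Accepted" else "failure",
                "detail": m["method"]}
    m = APACHE_RE.match(line)
    if m:
        status = int(m["status"])
        return {"source": "apache", "ts": m["ts"], "host": None,
                "src_ip": m["src"], "user": None if m["user"] == "-" else m["user"],
                "action": "http_request",
                "outcome": "success" if status < 400 else "failure",
                "detail": f'{m["method"]} {m["path"]} {status}'}
    m = IPTABLES_RE.match(line)
    if m:
        return {"source": "iptables", "ts": m["ts"], "host": m["host"],
                "src_ip": m["src"], "user": None, "action": "connection",
                "outcome": "blocked" if m["action"] == "DROP" else "allowed",
                "detail": f'{m["proto"]} {m["dst"]}:{m["dport"]}'}
    return None


def normalize_all(lines):
    """Return (events, unparsed).  Unparsed lines are kept, not dropped:
    a parser gap is itself a finding during an investigation."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def events_by_source_ip(events):
    """Group by src_ip, the join key that ties one actor's activity together
    across the sshd, web and firewall logs."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev["src_ip"], []).append(ev["source"])
    return by_ip


if __name__ == "__main__":
    evs, rest = normalize_all(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print("unparsed:", rest)
    print(events_by_source_ip(evs))
```

Note that the raw timestamp strings are carried through unchanged here; turning them into comparable instants is a separate step, since syslog lines carry neither year nor zone while Apache lines carry both.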

Log Correlation and Pattern Recognition

  • Event correlation links related log entries across multiple sources to identify attack patterns
  • Baseline analysis establishes normal behavior patterns to detect deviations and anomalies
  • Signature-based detection identifies known attack patterns and malware activities
  • Behavioral analysis examines user and system actions to detect insider threats or compromised accounts
  • Temporal correlation analyzes the sequence and timing of events to reconstruct incident timelines
  • Geographical correlation examines the origin and destination of network traffic for unusual patterns
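
The correlation, baseline and temporal bullets above come together in one common detection: a password-guessing burst that ends in a successful login from the same address, confirmed by the account never having used that address before. The following is an added example, not code from the original page. The events are constructed and already normalized; the baseline of known source addresses per account and the thresholds (5 failures in 5 minutes) are this example's assumptions.

```python
"""Correlate login events across sources to spot a brute force that succeeded.
Added example, not from the original page.  Events are constructed and
already normalised (ts, source, src_ip, user, outcome).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: a guessing burst from 203.0.113.7 ending in a success,
# plus two legitimate logins (alice mistypes once, which must not alert).
EVENTS = [
    {"ts": "2024-03-05T08:10:00", "source": "iptables", "src_ip": "203.0.113.7",  "user": None,     "outcome": "allowed"},
    {"ts": "2024-03-05T08:14:02", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "root",   "outcome": "failure"},
    {"ts": "2024-03-05T08:14:05", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "admin",  "outcome": "failure"},
    {"ts": "2024-03-05T08:14:08", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "ubuntu", "outcome": "failure"},
    {"ts": "2024-03-05T08:14:12", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "backup", "outcome": "failure"},
    {"ts": "2024-03-05T08:14:20", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "backup", "outcome": "failure"},
    {"ts": "2024-03-05T08:14:40", "source": "sshd",     "src_ip": "203.0.113.7",  "user": "backup", "outcome": "success"},
    {"ts": "2024-03-05T09:00:00", "source": "sshd",     "src_ip": "198.51.100.4", "user": "deploy", "outcome": "success"},
    {"ts": "2024-03-05T09:05:00", "source": "sshd",     "src_ip": "10.0.0.5",     "user": "alice",  "outcome": "failure"},
    {"ts": "2024-03-05T09:05:30", "source": "sshd",     "src_ip": "10.0.0.5",     "user": "alice",  "outcome": "success"},
]

# Baseline (assumption): addresses each account has historically logged in from.
BASELINE_SOURCES = {"deploy": {"198.51.100.4"}, "alice": {"10.0.0.5"}, "backup": {"10.0.0.9"}}


def detect_bruteforce_success(events, window=timedelta(minutes=5), threshold=5):
    """Temporal correlation: alert when >= threshold failures from one IP inside
    `window` are followed by a success from the same IP."""
    recent = defaultdict(deque)            # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "sshd":
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["src_ip"]]
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if e["outcome"] == "failure":
            q.append(ts)
        elif e["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "bruteforce_success", "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(q), "ts": e["ts"]})
            q.clear()
    return alerts


def detect_baseline_deviation(events, baseline):
    """Baseline analysis: a successful login from an address the account has never used."""
    return [{"rule": "new_source", "src_ip": e["src_ip"], "user": e["user"], "ts": e["ts"]}
            for e in events
            if e["source"] == "sshd" and e["outcome"] == "success"
            and e["src_ip"] not in baseline.get(e["user"], set())]


def correlate(events, baseline=BASELINE_SOURCES):
    """Run both rules, enrich each alert with the first time the address was seen
    by any source, and flag (src_ip, user) pairs that two independent rules agree on."""
    alerts = detect_bruteforce_success(events) + detect_baseline_deviation(events, baseline)
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        first_seen.setdefault(e["src_ip"], (e["ts"], e["source"]))
    for a in alerts:
        a["first_seen"] = first_seen[a["src_ip"]]
    rules_by_key = defaultdict(set)
    for a in alerts:
        rules_by_key[(a["src_ip"], a["user"])].add(a["rule"])
    high_confidence = [k for k, rules in rules_by_key.items() if len(rules) > 1]
    return alerts, high_confidence


if __name__ == "__main__":
    found, high = correlate(EVENTS)
    for a in found:
        print(a)
    print("high confidence:", high)
```

Keying the failure window on the source address rather than the account is deliberate: password spraying rotates usernames, so a per-account threshold would never trip. The alice events show the other edge: a single mistyped password followed by success stays below the threshold and from a baseline address, so nothing fires.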

Timestamp Analysis and Event Reconstruction

  • Log synchronization ensures accurate timing across multiple systems and time zones
  • Chronological ordering of events helps reconstruct the sequence of actions during an incident
  • Time window analysis focuses on specific periods to investigate suspected security breaches
  • Timestamp integrity verification detects potential log tampering or manipulation attempts
  • Daylight Saving Time (DST) adjustments account for time changes in log analysis
  • Cross-referencing timestamps with other data sources validates the accuracy of logged events
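
The synchronization, ordering and DST bullets above are easiest to see on a concrete case: the autumn fall-back, when the hour 01:00 to 01:59 happens twice and syslog lines (which carry neither a year nor a zone) become ambiguous. The following is an added example, not code from the original page; the records are constructed. It assumes the syslog host is configured for America/New_York and that the file is from 2023, and it falls back to hand-written US Eastern rules only if the system has no tz database.

```python
"""Bring timestamps from several sources onto one UTC timeline and resolve
the DST repeated hour.  Added example, not from the original page; the
records are constructed.  Assumptions: the syslog host is in America/New_York
and the file is from 2023 (syslog lines carry neither year nor zone).
"""
from datetime import date, datetime, time, timedelta, timezone, tzinfo


class USEastern(tzinfo):
    """Fallback US Eastern rules (post-2007) so the example runs without a tz
    database; honours PEP 495 `fold` for the repeated autumn hour."""
    @staticmethod
    def _nth_sunday(year, month, n):
        d = date(year, month, 1)
        d += timedelta(days=(6 - d.weekday()) % 7)
        return d + timedelta(weeks=n - 1)

    def dst(self, dt):
        start = datetime.combine(self._nth_sunday(dt.year, 3, 2), time(2))   # EST 02:00 -> EDT
        end = datetime.combine(self._nth_sunday(dt.year, 11, 1), time(2))    # EDT 02:00 -> EST
        naive = dt.replace(tzinfo=None)
        if start <= naive < end - timedelta(hours=1):
            return timedelta(hours=1)
        if end - timedelta(hours=1) <= naive < end:      # 01:00-01:59 occurs twice
            return timedelta(0) if dt.fold else timedelta(hours=1)
        return timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


try:
    from zoneinfo import ZoneInfo
    SYSLOG_ZONE = ZoneInfo("America/New_York")
except Exception:                      # no tz database available: use the rules above
    SYSLOG_ZONE = USEastern()
SYSLOG_YEAR = 2023                     # assumption, e.g. taken from the file's mtime

# Constructed records: (source, raw timestamp as written by that source, message).
RECORDS = [
    ("apache",     "05/Nov/2023:01:30:00 -0400", "GET /admin 200"),                    # zone explicit
    ("syslog",     "Nov  5 01:45:00",            "sshd: Accepted password for admin"),  # first 01:45 (EDT)
    ("syslog",     "Nov  5 01:15:00",            "sshd: Failed password for admin"),    # second 01:15 (EST)
    ("cloudtrail", "2023-11-05T05:50:00Z",       "ConsoleLogin admin"),
]


def _syslog_naive(raw):
    return datetime.strptime(f"{SYSLOG_YEAR} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def to_utc(source, raw, fold=0):
    """Parse one raw timestamp into an aware UTC datetime.  `fold` selects the
    first (0) or second (1) pass of a wall-clock time that occurs twice."""
    if source == "apache":
        return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    if source == "cloudtrail":
        return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)
    if source == "syslog":
        return _syslog_naive(raw).replace(tzinfo=SYSLOG_ZONE, fold=fold).astimezone(timezone.utc)
    raise ValueError(f"unknown source {source!r}")


def is_ambiguous(naive, zone):
    """True when this wall-clock time maps to two different UTC instants."""
    return (naive.replace(tzinfo=zone, fold=0).utcoffset()
            != naive.replace(tzinfo=zone, fold=1).utcoffset())


def ambiguous_records(records):
    return [i for i, (s, raw, _) in enumerate(records)
            if s == "syslog" and is_ambiguous(_syslog_naive(raw), SYSLOG_ZONE)]


def resolve(records):
    """Use file order to disambiguate: syslog appends in time order, so a line
    that would sort before its predecessor during the repeated hour belongs
    to the second pass (fold=1)."""
    out, prev = [], None
    for source, raw, msg in records:
        utc = to_utc(source, raw)
        if source == "syslog":
            if prev is not None and utc < prev and is_ambiguous(_syslog_naive(raw), SYSLOG_ZONE):
                utc = to_utc(source, raw, fold=1)
            prev = utc
        out.append((source, utc, msg))
    return out


def build_timeline(records):
    """Chronological order with the repeated hour resolved."""
    return sorted(resolve(records), key=lambda r: r[1])


def naive_timeline(records):
    """What you get by ignoring the repeated hour: the failed login appears to
    precede the successful one, which is the wrong story."""
    return sorted(((s, to_utc(s, raw), m) for s, raw, m in records), key=lambda r: r[1])


if __name__ == "__main__":
    for row in build_timeline(RECORDS):
        print(row[1].isoformat(), row[0], row[2])
```

The same record set sorted naively puts the failed password attempt before the web request and the successful login; resolved correctly it is the last event, a quite different sequence for an analyst to explain. The "fold" trick only works because syslog writes in arrival order; for sources that do not, the only fix is an explicit zone on every line, which is the argument for configuring hosts to log in UTC.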

Evidence Collection

Indicators of Compromise (IoC) Identification

  • Network-based IoCs include suspicious IP addresses, domain names, and URL patterns
  • Host-based IoCs encompass malicious file hashes, registry keys, and process names
  • Behavioral IoCs involve unusual login patterns, data exfiltration attempts, and command executions
  • Threat intelligence feeds provide updated IoC lists for enhanced detection capabilities
  • IoC severity classification prioritizes investigation and response efforts
  • Automated IoC scanning tools rapidly search logs and systems for known indicators
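
What an "automated IoC scanning tool" actually does is a lookup per indicator type, and the details matter: CIDR ranges need address arithmetic, domain indicators should catch subdomains but not look-alike prefixes, hashes must compare case-insensitively, and hits should come back ordered by severity. The following is an added example, not code from the original page; the indicators and events are constructed (RFC 5737 addresses, example.net names, a made-up hash) and the severity scale is this example's own.

```python
"""Match normalised events against an IoC set and rank the hits.
Added example, not from the original page.  The indicators and events are
constructed (RFC 5737 addresses, example.net names, a made-up hash).
"""
import ipaddress

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed IoC feed entries: type, value, severity, and the report they came from.
IOCS = [
    {"type": "ipv4",   "value": "203.0.113.7",              "severity": "high",     "ref": "report-A (constructed)"},
    {"type": "cidr",   "value": "198.51.100.0/24",          "severity": "medium",   "ref": "report-B (constructed)"},
    {"type": "domain", "value": "update-check.example.net", "severity": "high",     "ref": "report-A (constructed)"},
    {"type": "sha256", "value": "a1" * 32,                  "severity": "critical", "ref": "report-C (constructed)"},
]

# Constructed events in a common schema; only the fields the matcher reads are shown.
EVENTS = [
    {"source": "dns",      "src_ip": "10.0.0.5",    "query": "mail.example.org"},
    {"source": "dns",      "src_ip": "10.0.0.5",    "query": "cdn.update-check.example.net."},   # subdomain, trailing dot
    {"source": "firewall", "src_ip": "10.0.0.5",    "dst_ip": "198.51.100.77"},                  # inside the CIDR
    {"source": "edr",      "host": "ws-05",         "sha256": "A1" * 32, "process": "svchost.exe"},  # upper-case hex
    {"source": "sshd",     "src_ip": "203.0.113.7", "user": "root"},
    {"source": "dns",      "src_ip": "10.0.0.6",    "query": "notupdate-check.example.net"},     # must NOT match
]


def build_index(iocs):
    """Pre-index by type so scanning is a dict lookup per field, not a loop over the feed."""
    idx = {"ip": {}, "net": [], "domain": {}, "hash": {}}
    for ioc in iocs:
        if ioc["type"] == "ipv4":
            idx["ip"][ioc["value"]] = ioc
        elif ioc["type"] == "cidr":
            idx["net"].append((ipaddress.ip_network(ioc["value"]), ioc))
        elif ioc["type"] == "domain":
            idx["domain"][ioc["value"].lower().rstrip(".")] = ioc
        elif ioc["type"] == "sha256":
            idx["hash"][ioc["value"].lower()] = ioc
    return idx


def match_ip(idx, ip):
    if ip in idx["ip"]:
        return idx["ip"][ip]
    addr = ipaddress.ip_address(ip)
    for net, ioc in idx["net"]:
        if addr in net:
            return ioc
    return None


def match_domain(idx, name):
    """Exact or parent-domain match on label boundaries: cdn.c2.example.net hits an
    IoC for c2.example.net, but notc2.example.net does not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        ioc = idx["domain"].get(".".join(labels[i:]))
        if ioc:
            return ioc
    return None


def scan(events, iocs):
    """Return hits ordered by severity (most severe first, stable within a level)."""
    idx = build_index(iocs)
    hits = []

    def add(n, field, ioc):
        hits.append({"event": n, "field": field, "indicator": ioc["value"],
                     "severity": ioc["severity"], "ref": ioc["ref"]})

    for n, ev in enumerate(events):
        for field in ("src_ip", "dst_ip"):
            if field in ev:
                ioc = match_ip(idx, ev[field])
                if ioc:
                    add(n, field, ioc)
        if "query" in ev:
            ioc = match_domain(idx, ev["query"])
            if ioc:
                add(n, "query", ioc)
        if "sha256" in ev:
            ioc = idx["hash"].get(ev["sha256"].lower())
            if ioc:
                add(n, "sha256", ioc)
    return sorted(hits, key=lambda h: SEVERITY_RANK[h["severity"]])


if __name__ == "__main__":
    for hit in scan(EVENTS, IOCS):
        print(hit)
```

The ordered output is the triage queue: the hash match on a workstation (an executable that is known bad) comes before the two high-severity network indicators, and the CIDR hit last, since a whole /24 is the weakest kind of indicator and most likely to produce false positives.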

Digital Artifact Collection and Preservation

  • Volatile data collection captures RAM contents, running processes, and network connections
  • Disk imaging creates bit-by-bit copies of storage devices for forensic analysis
  • Network traffic capture preserves full packet data for detailed communication analysis
  • Memory dumping extracts the contents of system memory for malware and rootkit detection
  • Chain of custody documentation ensures the integrity and admissibility of collected evidence
  • Write-blockers prevent accidental modification of original data during the collection process

Log Retention Policies

  • Retention period determination balances storage costs with compliance and investigative needs
  • Data classification guides retention requirements based on the sensitivity of logged information
  • Encryption of archived logs protects sensitive data from unauthorized access
  • Access controls restrict log viewing and modification to authorized personnel only
  • Compliance requirements (GDPR, HIPAA) dictate specific log retention and handling practices
  • Legal hold procedures preserve relevant logs when litigation or investigations are anticipated
  • Log rotation and archiving strategies manage storage efficiently while maintaining accessibility
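
The chain of custody and integrity points in the digital artifact list above reduce, in practice, to hashing every artifact at collection time, recording who held it and when, and re-verifying before analysis; the same hash-and-manifest approach is what makes an archived log usable as evidence later. The following is an added example, not code from the original page: the artifact, the analysts' names and the manifest layout are constructed for the demonstration.

```python
"""Hash a collected artifact, keep an append-only chain-of-custody manifest,
and re-verify both.  Added example, not from the original page; the artifact
and custody entries are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def load_manifest(path):
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return json.load(f)


def record_custody(manifest_path, artifact_path, collector, note):
    """Append one custody entry (who, when, what, hash).  Each entry also carries
    the hash of the previous entry, so an edited or removed earlier entry is detectable."""
    entries = load_manifest(manifest_path)
    entry = {
        "artifact": os.path.basename(artifact_path),
        "sha256": sha256_file(artifact_path),
        "size": os.path.getsize(artifact_path),
        "collector": collector,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "prev_entry_sha256": _entry_hash(entries[-1]) if entries else None,
    }
    entries.append(entry)
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2)
    return entry


def verify(manifest_path, artifact_path):
    """Return (artifact_ok, chain_ok): the artifact still hashes to the value taken
    at collection, and every entry's back-pointer matches the entry before it."""
    entries = load_manifest(manifest_path)
    if not entries:
        return False, False
    artifact_ok = sha256_file(artifact_path) == entries[0]["sha256"]
    chain_ok = entries[0]["prev_entry_sha256"] is None and all(
        e["prev_entry_sha256"] == _entry_hash(p) for p, e in zip(entries, entries[1:]))
    return artifact_ok, chain_ok


def demo():
    """Collect a constructed artifact, hand it over, then simulate two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        art = os.path.join(d, "auth.log")
        man = os.path.join(d, "custody.json")
        with open(art, "wb") as f:                      # constructed artifact
            f.write(b"Mar  5 08:14:02 bastion sshd[2133]: Failed password for root from 203.0.113.7\n")
        record_custody(man, art, "analyst-1", "collected from bastion over scp")
        record_custody(man, art, "analyst-2", "received for analysis")
        results = {"clean": verify(man, art)}
        with open(art, "ab") as f:                      # artifact modified after collection
            f.write(b"spurious line\n")
        results["artifact_modified"] = verify(man, art)
        entries = load_manifest(man)                    # first custody entry edited afterwards
        entries[0]["collector"] = "someone-else"
        with open(man, "w") as f:
            json.dump(entries, f, indent=2)
        results["manifest_edited"] = verify(man, art)
        return results


if __name__ == "__main__":
    for name, (artifact_ok, chain_ok) in demo().items():
        print(f"{name}: artifact_ok={artifact_ok} chain_ok={chain_ok}")
```

The back-pointer chain catches accidental or careless edits, not a determined insider: anyone who can rewrite the whole manifest can recompute every link. For evidence that may reach court, the hash of the latest entry should also be recorded somewhere the collector cannot alter, such as the case ticket, a signed statement, or write-once media, and the artifact itself should be imaged through a write-blocker before the first hash is taken.
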
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.