Pau Lo asked:
server logs for forensics and maintaining integrity
If you use logs from a Windows server (i.e. Windows event logs, IIS logs) as evidence for an investigation, and you image the drive on the server where the logs are located using something like FTK Imager, how can you prove that the image and those logs were as they were at the time of your acquisition, assuming that in most cases you don't intend to take your server offline until your investigation is complete and image it that way?
I get the logic behind imaging and taking hash values for an offline PC where you image the HDD, as someone could re-image the drive and see the same hash value to prove its integrity, but for a live server how do you demonstrate that the logs in your image were those on the server at the time you took the image of the drive? I don't understand how you can prove that, as if the server stays online the logs are constantly being updated/overwritten.
I'd do whatever the process requires. So if I were to prepare against abuse of some kind and had to develop a system, I'd ask a lawyer who is a specialist in the respective field what is considered "evidence" and then look for technical measures.
I don't think it is of any use to ask for best practices here. Ask a lawyer.
Even if the investigation is internal, the person you accuse will be able to go to court.
pma, absent some compelling need for other evidence from the server, in the exact scenario you described my first thought would be to simply gather the logs from their source, as opposed to imaging a server to get them.
And since logs like you describe are indeed ever-changing, a hash-based proof scheme becomes tougher. Nonetheless, hashing the logs the moment you collect them and setting a copy of the logs and hashes aside, maybe even in something like an encrypted rar container that you leave in the custody of a trusted third party, will at least enable you to later document that the logs haven't been changed since you collected them.
As for documenting where they came from in the first place, record the process with video. Hash the video recording and store it with the copies of the logs and their hashes.
There will always be an opening for someone to cry foul, but my experience is that the onus of proving that foul is likely to fall on them, and the more steps you've taken to carefully document your process, the better off you'll be.
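The "hash the logs the moment you collect them and set the hashes aside" step from the answer above, as an added example that is not part of the original thread or anyone's posted code. It builds a SHA-256 manifest over a set-aside copy of collected logs, derives a single hash of that manifest (the one value to write into the custody record and hand to the third party), and later verifies the copy against it, reporting modified, missing and unexpected files. The file names, the collector name and the IIS log lines are constructed for the demonstration; the verification only proves the copy is unchanged since collection, not that the copy matched the live server at that moment, which is why the answer pairs it with a recording of the collection itself.

```python
"""Seal a collected set of log files with a hash manifest, then verify it later.
Added example: all paths, names and sample log content below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20

# Constructed IIS W3C log excerpt standing in for a copied u_ex*.log file.
IIS_SAMPLE = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem sc-status\n"
    "2024-01-15 10:01:02 10.0.0.5 GET /login.aspx 200\n"
    "2024-01-15 10:01:07 10.0.0.5 POST /login.aspx 302\n"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large .evtx/.log files need no RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def rel_path(p: Path, base: Path) -> str:
    return str(p.relative_to(base)).replace(os.sep, "/")


def build_manifest(evidence_dir: Path, collector: str, note: str) -> dict:
    """Record name, size and SHA-256 of every collected file at sealing time."""
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "files": [{"path": rel_path(p, evidence_dir),
                   "size": p.stat().st_size,
                   "sha256": sha256_file(p)} for p in files],
    }


def write_manifest(manifest: dict, out: Path) -> str:
    """Write the manifest and return its own SHA-256: the single value to put
    in the chain-of-custody log and give to the trusted third party."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode("utf-8")
    out.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify(evidence_dir: Path, manifest_path: Path, expected_manifest_hash: str) -> dict:
    """Check the manifest itself, then every listed file; also flag strays."""
    data = manifest_path.read_bytes()
    result = {"manifest_ok": hashlib.sha256(data).hexdigest() == expected_manifest_hash,
              "ok": [], "modified": [], "missing": [], "extra": []}
    listed = {e["path"]: e for e in json.loads(data)["files"]}
    present = {rel_path(p, evidence_dir)
               for p in evidence_dir.rglob("*") if p.is_file()}
    for rel, entry in listed.items():
        p = evidence_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != entry["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(present - listed.keys())
    return result


def demo() -> dict:
    """Constructed walk-through: seal a copy, verify it, then detect a later change."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    evidence = root / "collected"
    (evidence / "iis").mkdir(parents=True)
    (evidence / "windows").mkdir()
    (evidence / "iis" / "u_ex240115.log").write_text(IIS_SAMPLE, encoding="utf-8")
    # Placeholder bytes standing in for an exported Security.evtx (constructed).
    (evidence / "windows" / "Security.evtx").write_bytes(b"ElfFile\x00" + b"\x00" * 64)
    manifest_path = root / "manifest.json"  # kept outside the evidence tree
    seal = write_manifest(build_manifest(evidence, "analyst (constructed)",
                                         "copied from SRV01 (constructed)"), manifest_path)
    before = verify(evidence, manifest_path, seal)
    # Later the set-aside copy keeps growing (or is edited) and a stray file appears.
    with (evidence / "iis" / "u_ex240115.log").open("a", encoding="utf-8") as f:
        f.write("2024-01-15 10:09:59 10.0.0.5 GET /admin.aspx 200\n")
    (evidence / "unexpected.txt").write_text("not collected\n", encoding="utf-8")
    after = verify(evidence, manifest_path, seal)
    return {"seal": seal, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest hash is what gets recorded and handed off, not the logs themselves; anyone holding it can later check the manifest, and through it every file, without having been present at collection. Keep the manifest outside the evidence tree so the tree's own listing cannot drift.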
Tracking event changes on the target live system under analysis is always ongoing. I have seen a deployment where all tools used for analysis go through a proxy of sorts, which creates logs not on the target but on the jump host, so that actions taken are tracked and can be checked afterwards if there is abuse or anomalous activity. Kind of a privileged identity management type of setup. But this is provided only if it is already available at the target owner's site. It is not for a mobile ad hoc implementation per se. There is manual watching over while the analyst does the onsite work, but that in itself is no assurance about the changes.