Pau Lo

asked on

server logs for forensics and maintaining integrity

If you use logs from a Windows server (i.e. Windows logs, IIS logs) for an investigation as evidence, and you image the drive on the server where the logs are located using something like FTK Imager, how can you prove that the image and those logs were as they were at the time of your acquisition, assuming in most cases you don't intend to take your server offline until your investigation is complete and image it that way?

I get the logic behind imaging and taking hash values for an offline PC where you image the HDD, as someone could re-image the drive and see the same hash value to prove its integrity. But for a live server, how do you demonstrate the logs in your image were those on the server at the time you took an image of the drive? I don't understand how you can prove that, as if the server stays online the logs are constantly being updated/overwritten.
SOLUTION
McKnife
ASKER CERTIFIED SOLUTION
Pau Lo

ASKER

Thanks both. Say for example, though, you had a situation whereby you needed to demonstrate domain login times for an internal disciplinary investigation, so log files on domain controllers would be where you'd look. Would you just pull copies of the log files themselves, or would you image the drive on which the logs are located using a forensics tool like FTK? I just don't see how you can demonstrate that a log file which we claim has been copied off a server is credible evidence; it would be easily challenged (i.e. "prove that log file came from that server at that time, and hasn't been edited since").
I'd do whatever the process requires. So if I was to prepare against abuse of some kind and had to develop a system, I'd ask a lawyer that is a specialist in the respective field what is considered "evidence" and then look for technical measures.
I don't think it is of any use to ask for best practices here. Ask a lawyer.
Even if the investigation was internal - the person that you accuse will be able to go to court.
SOLUTION
pma, absent some compelling need for other evidence from the server, in the exact scenario you described my first thought would be to simply gather the logs from their source, as opposed to imaging a server to get them.

And since logs like you describe are indeed ever-changing, a hash-based proof scheme becomes tougher. Nonetheless, hashing the logs the moment you collect them and setting a copy of the logs and hashes aside, maybe even in something like an encrypted rar container that you leave in the custody of a trusted third party, will at least enable you to later document that the logs haven't been changed since you collected them.

As for documenting where they came from in the first place, record the process with video. Hash the video recording and store it with the copies of the logs and their hashes.

There will always be an opening for someone to cry foul, but my experience is that the onus of proving that foul is likely to fall on them, and the more steps you've taken to carefully document your process, the better off you'll be.
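The collection step described in that answer (gather the logs from their source, hash them the moment you collect them, and keep the hashes with the copies) is easy to make repeatable. The script below is an added example, not code from the thread or from any of its participants. It assumes it is run locally on the domain controller with administrative rights, that the evidence folder `D:\Evidence\Case-001` and the IIS log directory `C:\inetpub\logs\LogFiles\W3SVC1` exist (both are illustrative paths), and it filters the Security log to the logon-related event IDs 4624, 4634, 4768 and 4769. Alongside the logs it also records the log's size/retention settings and the server's time-service status, so the "constantly overwritten" and "whose clock" objections can be answered from the same package.

```powershell
# Added example (not from the original thread): snapshot logon-related event
# logs and IIS logs from a live server, hash every file at collection time,
# write a manifest, hash the manifest, and provide a verification function.
# Paths and the evidence folder are assumptions for illustration.
#Requires -RunAsAdministrator
param(
    [string]$Evidence  = 'D:\Evidence\Case-001',                # assumed
    [string]$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1'      # assumed
)

$ErrorActionPreference = 'Stop'

# Re-hash every file listed in manifest.csv and compare against the recorded
# SHA-256. Returns $true when everything matches, otherwise lists the problems
# and returns $false.
function Test-EvidenceManifest {
    param([Parameter(Mandatory)][string]$CaseDir)
    $rows = Import-Csv -Path (Join-Path $CaseDir 'manifest.csv')
    $problems = foreach ($row in $rows) {
        $path = Join-Path $CaseDir $row.File
        if (-not (Test-Path -Path $path)) { "$($row.File): MISSING"; continue }
        $now = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($now -ne $row.SHA256) { "$($row.File): expected $($row.SHA256), got $now" }
    }
    if ($problems) { $problems | Write-Warning; return $false }
    return $true
}

# One case folder per collection run, named by UTC timestamp.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$case  = Join-Path $Evidence $stamp
New-Item -ItemType Directory -Path $case -Force | Out-Null

# 1. Export the Security log as .evtx, limited to logon/logoff and Kerberos
#    ticket events (4624 logon, 4634 logoff, 4768 TGT request, 4769 TGS request).
$query = '*[System[(EventID=4624 or EventID=4634 or EventID=4768 or EventID=4769)]]'
$evtx  = Join-Path $case "$env:COMPUTERNAME-Security.evtx"
wevtutil epl Security $evtx /q:$query /ow:true

# 2. Record the Security log configuration (max size, retention policy) and the
#    time-service status, so overwrite behaviour and clock source are documented
#    from the same moment as the collection.
wevtutil gl Security | Out-File -FilePath (Join-Path $case 'Security-log-config.txt') -Encoding utf8
w32tm /query /status  | Out-File -FilePath (Join-Path $case 'w32tm-status.txt') -Encoding utf8

# 3. Copy the IIS logs as they stand right now (point-in-time snapshot).
$iisDest = Join-Path $case 'IIS'
New-Item -ItemType Directory -Path $iisDest -Force | Out-Null
Get-ChildItem -Path $IisLogDir -File | Copy-Item -Destination $iisDest

# 4. Hash every collected file and write the manifest.
$collected = (Get-Date).ToUniversalTime().ToString('o')
$files = Get-ChildItem -Path $case -File -Recurse | Where-Object { $_.Name -ne 'manifest.csv' }
$manifest = foreach ($f in $files) {
    [pscustomobject]@{
        File         = $f.FullName.Substring($case.Length + 1)   # path relative to case dir
        Bytes        = $f.Length
        SHA256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        CollectedUtc = $collected
        SourceHost   = $env:COMPUTERNAME
        Collector    = "$env:USERDOMAIN\$env:USERNAME"
    }
}
$manifestPath = Join-Path $case 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation

# 5. Hash the manifest itself; this single value is what goes into the case
#    notes (or is read out on the recording) and to the third-party custodian.
$manifestHash = (Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash
Write-Host "Collected $($manifest.Count) files into $case"
Write-Host "Manifest SHA256: $manifestHash"

# Immediate self-check of the freshly written package.
if (-not (Test-EvidenceManifest -CaseDir $case)) { throw 'Manifest verification failed' }
```

Later, `Test-EvidenceManifest -CaseDir <case folder>` re-derives every hash and reports any file that has been altered or removed since collection; recomputing the manifest's own SHA-256 and comparing it with the value recorded in the notes closes the loop. None of this proves what the server held before the collection started; it only anchors the copies to the collection moment, which is exactly the limit the answer above describes.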
Tracking event changes on the target live system under analysis will always be ongoing. I have seen a deployment where all tools used for analysis go through a proxy of sorts, which creates logs not on the target but on the jump host, so that actions taken are tracked and can be checked back if there is abuse or anomalous activity. Kind of a privileged identity management type of setup. But this is only possible if it is already available at the target owner's site; it is not for a mobile ad hoc implementation per se. There is manual watching over while the analyst does the onsite work, but that itself is no assurance about the changes.