Using computer log data to support a forensic investigation

* Best practices to help ensure log data and log management practices properly support forensic investigations

The log data you collect from your systems and devices may seem pretty mundane. However, it could contain the precise evidence needed to investigate and successfully prosecute a crime. In order for log data to stand up in court as admissible evidence, you must take care in how you collect, handle and store the data. Read on for experts' best practices for using log data to support a forensic investigation.

When you think of forensic investigations, you probably think of TV shows like CSI and NCIS, which glamorize the scientific analysis of crime scene evidence. Such shows lead us to believe that sophisticated crimes can be solved through the forensic analysis of a single fingerprint, hair or fiber. Using exaggerated props and intimate camera angles, the on-screen “investigators” make it look exciting. In reality, forensic investigations involve time-consuming and tedious tasks that require know-how and equipment to perform properly.

What if the crime in question isn’t a made-for-TV drama? What if it’s a real-world case of computer hacking, data theft or business fraud? Forensics, which is the application of scientific methods to problems or questions raised by the legal process, can still be used to find the “digital fingerprint” that provides evidence in the case. When properly collected and handled, this evidence can stand up in court.

Today, all forms of electronic documents and data are sought-after evidence in civil and criminal litigation. “Electronic data,” wrote Judge Elizabeth T. Maass in the case of Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., “are the modern-day equivalent of the paper trail.”

Your organization already has this paper trail in place. You just might not realize how valuable it is.

According to Dominique Levin, Vice President of Marketing and Strategy for LogLogic, logs are an independent, machine-generated record of what happened within a network for both system and user activity. When set up properly, and with the appropriate due care, logs can provide an immutable fingerprint of system and user activity. In many cases, the logs tell a story as to what really happened in an incident. They can tell you what systems were involved; how the systems and people behaved; what information was accessed; who accessed it; and precisely when these activities took place.

Given the insight that logs can provide, it’s no surprise that regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Rules of Civil Procedure (FRCP), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) all mandate logs and log management. The information captured by logs can be used to help protect sensitive data and to support incident response and forensic analysis in the event of a suspected data breach or other forms of electronic crime, such as fraud.

Often it’s these regulations that are driving organizations to become better at log management and event correlation. However, in Chris Novak’s experience as Managing Principal of the Verizon Investigative Response Unit, many organizations do need to improve in their log monitoring and management practices.

Novak says it’s not uncommon to find that companies collect the logs but don’t review them as closely as they should. The monitoring of logs in many instances is hampered by the extensive amounts of good data being captured and the lack of means to properly manage, correlate and analyze that data. As a result, if there is a breach or questionable activity, it may take weeks or months to actually detect it – if it’s detected at all. Novak says the lack of logs or log management can increase the cost and length of an investigation substantially.

In order to have logs admissible in court as evidence of a crime, an organization must prepare and exercise due care with the log data. According to both Levin and Novak, log data must be viewed and treated like a primary evidence source. Here are some best practices that can help ensure log data and log management practices properly support forensic investigations.

• Have a clear corporate policy for managing logs across the entire organization.

• Document what is being logged and why, as well as how the log data is captured, stored and analyzed.

• Ensure that 100% of log-able devices and applications are captured and the data is unfiltered.

• Have centralized storage and retention of all logs, with everything in one place and in one format.

• Ensure the time synchronization of logs to facilitate correlating the data and retrieving data over specific timeframes.

• Ensure the separation of duties over logs and log management systems to protect from potential internal threats such as a superuser or administrator turning off or modifying logs to conceal illicit activity.

• Always maintain backup copies of logs.

• Have a defined retention policy that specifies the retention period across the organization for all log data. Organizations should work with legal counsel to determine the best time frames and have log data incorporated into an overall data retention policy.

• Have a defined procedure to follow after an incident.

• Test the incident response plan, including the retrieval of backup log data from offsite storage.
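
To illustrate the time synchronization practice above, here is an added example (not from the original article) that normalizes records from several sources to UTC, merges them into one timeline and retrieves a specific timeframe. The log line layout, host names and sample records are constructed for the illustration; records with no UTC offset are set aside because they cannot be placed on the timeline reliably.

```python
from datetime import datetime, timezone

# Constructed sample lines in an assumed layout: "<ISO 8601 time> <source> <message>"
SAMPLE = [
    "2009-03-02T14:05:10+00:00 fw01 ACCEPT tcp 10.0.0.5:51234 -> 10.0.1.9:1433",
    "2009-03-02T09:05:12-05:00 db01 login ok user=svc_report",
    "2009-03-02T15:05:40+01:00 app01 export started rows=48211",
    "2009-03-02T09:20:00 hr01 badge scan door=4",  # no UTC offset recorded
    "2009-03-02T09:45:00-05:00 db01 logout user=svc_report",
]

def parse(line):
    """Return (utc_time, source, message); raise ValueError if the time is ambiguous."""
    stamp, source, message = line.split(" ", 2)
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        raise ValueError(f"no UTC offset, cannot correlate: {line!r}")
    return ts.astimezone(timezone.utc), source, message

def build_timeline(lines):
    """Normalize every record to UTC; return (events sorted by time, rejected lines)."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse(line))
        except ValueError:
            rejected.append(line)  # keep the raw line for manual review
    events.sort(key=lambda e: e[0])
    return events, rejected

def window(events, start, end):
    """Events with start <= time < end; both bounds must be timezone-aware."""
    return [e for e in events if start <= e[0] < end]

if __name__ == "__main__":
    events, rejected = build_timeline(SAMPLE)
    start = datetime(2009, 3, 2, 14, 5, tzinfo=timezone.utc)
    end = datetime(2009, 3, 2, 14, 6, tzinfo=timezone.utc)
    for when, source, message in window(events, start, end):
        print(when.isoformat(), source, message)
    print("set aside:", rejected)
```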

If an incident or data breach is suspected, there are several steps to take right away:

• Increase the logging capability to the maximum and consider adding a network sniffer to capture additional detail from network traffic. In an incident, it’s better to have more data rather than less.

• Freeze the rotation or destruction of existing logs to prevent the loss of potential evidence.

• Get backup copies of the logs and make sure they are secure.

• Deploy a qualified investigations team to determine the situation.
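
One way to carry out the "get backup copies of the logs and make sure they are secure" step, shown as an added example that is not part of the original article: copy the logs into an evidence directory, record a SHA-256 digest for each copy in a manifest, and re-check the copies against that manifest later. The directory layout, the file names, the `manifest.json` format and the sample log contents are all assumptions made for the illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(log_dir, evidence_dir):
    """Copy every file under log_dir and record its digest in manifest.json."""
    log_dir, evidence_dir = Path(log_dir), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    files = {}
    for src in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(log_dir)
        dst = evidence_dir / "logs" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also preserves modification times
        files[rel.as_posix()] = sha256_file(dst)
        if files[rel.as_posix()] != sha256_file(src):
            raise OSError(f"copy of {src} differs from the source")
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "files": files}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Return the names of copies that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [name for name, digest in manifest["files"].items()
            if not (evidence_dir / "logs" / name).is_file()
            or sha256_file(evidence_dir / "logs" / name) != digest]

def demo():
    """Preserve two constructed log files, then alter one copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        logs, ev = Path(tmp, "var_log"), Path(tmp, "evidence")
        (logs / "app").mkdir(parents=True)
        (logs / "auth.log").write_text("Mar  2 09:05:12 db01 sshd: Accepted password for svc_report\n")
        (logs / "app" / "export.log").write_text("export started rows=48211\n")
        manifest = preserve(logs, ev)
        clean = verify(ev)
        with open(ev / "logs" / "auth.log", "a") as f:
            f.write("edited after collection\n")
        return sorted(manifest["files"]), clean, verify(ev)
```

The manifest only shows tampering if it is itself kept out of reach of whoever can change the copies, which is where the separation of duties practice applies.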

With the appropriate care, logs can provide solid forensic evidence when and if it is needed. “If your home had been robbed, you would have to tell the police officer what was stolen and how the burglar got in,” says Shelagh Sayers, a special agent with the Federal Bureau of Investigation. “The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can’t open a case.” Though analyzing log data may not make for an exciting TV drama, it is a necessary step for investigating and successfully prosecuting a crime.


Copyright © 2009 IDG Communications, Inc.