
System Forensics Applied Computing Yr 3

Operating System Log Analysis. System Forensics, Applied Computing Yr 3. Steven Davy. What is Log Analysis? Log Analysis is the investigation of system log files to determine the recent activity on the system. It can be used to detect potential hack attempts.


Presentation Transcript


  1. Operating System Log Analysis System Forensics Applied Computing Yr 3 Steven Davy

  2. What is Log Analysis • Log Analysis is the investigation of system log files to determine the recent activity on the system • Can be used to detect potential hack attempts • To detect if any processes are misbehaving (e.g. viruses / trojans) • To make sure your system is behaving correctly (to eliminate causes of a problem) System Forensics : Applied Computing Year 3

  3. Outline • Using AWK to process a basic system event log, namely syslog • To detect failed login attempts • To detect suspicious user accounts • To investigate mail logs • To detect potential hacks

  4. Syslog • Syslog is actually a message passing protocol and is used predominantly for logging • Messages can be logged from different components of the computer system (the facility) and at different severity levels; the syslog daemon uses the facility and severity of each message to decide which log file it is written to

  5. Syslog Facilities (message types) • 0 kernel messages • 1 user-level messages • 2 mail system • 3 system daemons • 4 security/authorization messages • 5 messages generated internally by syslogd • 6 line printer subsystem • 7 network news subsystem • 8 UUCP subsystem • 9 clock daemon • 10 security/authorization messages • 11 FTP daemon • 12 NTP subsystem • 13 log audit • 14 log alert • 15 clock daemon • 16 to 23 local use (local0 to local7) • Note that security/authorization (4 and 10) and clock daemon (9 and 15) each have two numbers, so which one a given operating system uses must be checked

  6. Syslog Message Severity levels • 0 Emergency: system is unusable • 1 Alert: action must be taken immediately • 2 Critical: critical conditions • 3 Error: error conditions • 4 Warning: warning conditions • 5 Notice: normal but significant condition • 6 Informational: informational messages • 7 Debug: debug-level messages • For more information on syslog see RFC 3164 (the BSD syslog protocol; it has since been superseded by RFC 5424, which keeps the same facility and severity numbers)

  7. Using AWK and Syslog • AWK (the GNU implementation is gawk) is a line-processing program with its own programming language • The BEGIN section runs once, before the first line is read • The main loop runs once per input line; the line is split into fields $1, $2, ... and $0 holds the whole line • The END section runs once, after the last line has been processed by the main loop, so it is where totals are printed • Unlike grep, AWK can test patterns against individual fields and keep counts across lines, and it is easier for system administrators to learn than Perl • Complicated scripts can be described in a simple manner

  8. What to Analyse? Login Attempts • We can analyse syslog to determine if there are excessive login attempts • In the main loop:
      if ($0 ~ /LOGIN.FAILURE/) {
          print "failed login: " $11 "\tat " $1 " " $2 " " $3 " from\t" $10
          failed = failed + 1
      }
  • $0 ~ /LOGIN.FAILURE/ tests whether the whole line matches the regular expression (the . matches the space, or any other single character, between the two words); it is not a comparison of the first field • The other fields are used to print out a message: $1 $2 $3 are the timestamp, and $10 and $11 are the source and the user name in the login message format this lecture assumes; check the field positions against your own system's login messages before relying on them • failed accumulates the count so that the END section can print a total
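The BEGIN / main loop / END structure of the previous slide and the failed-login check above, put together as one runnable script. This is an added example, not code from the lecture: the syslog lines are constructed (the "LOGIN FAILURE FROM source, user" wording imitates the message the lecture searches for, and the hosts, addresses and user names are invented), and the source and user are pulled out with match() instead of the fixed $10/$11 positions, because field numbers depend on the exact wording of the login program. The END section also flags any source that exceeds a failure threshold, which is the question an investigator actually asks of this data.

```shell
#!/bin/sh
# Constructed syslog excerpt in the classic "Mmm dd hh:mm:ss host prog[pid]: msg"
# layout. The "LOGIN FAILURE FROM <source>, <user>" wording mimics the message the
# lecture searches for; host names, addresses and user names are invented.
SAMPLE_LOG='Jun 12 10:01:02 fs1 login[2211]: LOGIN FAILURE FROM 10.0.0.5, alice
Jun 12 10:01:09 fs1 login[2214]: LOGIN FAILURE FROM 10.0.0.5, root
Jun 12 10:01:15 fs1 login[2217]: LOGIN FAILURE FROM 10.0.0.5, admin
Jun 12 10:02:40 fs1 login[2230]: LOGIN FAILURE FROM 192.168.1.20, bob
Jun 12 10:03:01 fs1 sshd[2240]: Accepted password for alice from 192.168.1.20 port 51022 ssh2
Jun 12 10:05:22 fs1 login[2251]: LOGIN FAILURE FROM 10.0.0.5, root'

# failed_logins THRESHOLD: reads syslog lines on stdin, prints one line per failed
# login and, in END, the total and every source that exceeded THRESHOLD failures.
failed_logins() {
    awk -v threshold="${1:-3}" '
    BEGIN { failed = 0 }                 # runs once, before the first line
    $0 ~ /LOGIN FAILURE/ {               # main loop: only lines matching the regex
        # Take the source and user from "FROM <source>, <user>" with match() rather
        # than from fixed positions such as $10/$11, because the field numbers
        # depend on the exact wording of the login program (assumption: this
        # constructed format). $1 $2 $3 are the timestamp in any classic syslog line.
        src = "?"; user = "?"
        if (match($0, /FROM [^,]+,/)) {
            src  = substr($0, RSTART + 5, RLENGTH - 6)
            user = substr($0, RSTART + RLENGTH + 1)
        }
        printf "failed login: %s\tat %s %s %s\tfrom %s\n", user, $1, $2, $3, src
        failed++
        per_src[src]++
    }
    END {                                # runs once, after the last line
        printf "total failed logins: %d\n", failed
        for (s in per_src)
            if (per_src[s] > threshold)
                printf "ALERT: %d failures from %s (threshold %d)\n", per_src[s], s, threshold
    }'
}

# Helpers that return just the numbers and names, so the report can be scripted.
count_failed()  { printf '%s\n' "$SAMPLE_LOG" | failed_logins 3 | awk -F': ' '/^total failed logins/ { print $2 }'; }
alert_sources() { printf '%s\n' "$SAMPLE_LOG" | failed_logins 3 | awk '/^ALERT:/ { print $5 }'; }

printf '%s\n' "$SAMPLE_LOG" | failed_logins 3
```

On the sample above the script reports five failed logins and raises one alert, for 10.0.0.5, which fails four times against three different accounts (including root) within a few minutes; the single failure from 192.168.1.20 followed by a successful sshd login is the normal mistyped-password pattern and stays below the threshold.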

  9. Other log files • Sendmail is an SMTP server used to send email • It writes entries to its own log (via the syslog mail facility, typically /var/log/maillog or mail.log) • A misconfigured server (an open relay) can be hijacked to send spam • sulog is a log of su command calls • su can give a user super-user access, so sulog records who became root, when, and whether the attempt succeeded • An attacker who has compromised an ordinary account can use su to gain full access to the system • The passwd file stores information about user accounts (on older systems the password hashes too; modern systems keep the hashes in the shadow file) • If it is modified, an attacker can add an account, or give an existing one uid 0, and log in remotely with root access

  10. Strange User Accounts • We can also analyse the passwd file to see if there are any suspicious user accounts:
      BEGIN { FS = ":" }
      {
          if ($2 == "") { print "------ empty password for account " $1 }
          if (($3 == 0) && ($1 != "root")) { print "------ user has a uid of zero: " $1 }
      }
  • The field separator is changed to ":" in BEGIN because the passwd fields are colon-separated • The uid test is a numeric comparison ($3 == 0) so that only uid 0 matches; a regular expression that merely checks for a leading 0 would also match other values • On systems with shadow passwords $2 is "x" for every account, so the empty-password check must be run against the shadow file instead
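The account audit above, extended to the shadow file and to duplicate uids, as an added example that is not the lecture's own code. The passwd and shadow contents are constructed (every account and hash is invented; the hashes are not real crypt output). The script reads both files in a single awk program using the FNR == NR idiom, which is true only while the first file is being read, and uses the numeric test $3 == 0 for the uid.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow contents; every account and hash here is
# invented for the example (the hashes are not real crypt(3) output).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
backup:x:0:0:nightly backup:/var/backups:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
svc:x:1000:1000:service:/var/svc:/bin/sh'
SAMPLE_SHADOW='root:$6$s1$fakehashroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$s2$fakehashalice:19000:0:99999:7:::
backup::19000:0:99999:7:::
guest:!:19000:0:99999:7:::
svc:$6$s3$fakehashsvc:19000:0:99999:7:::'

# audit_accounts PASSWD SHADOW: one awk program over both files. While reading the
# first file FNR (per-file line number) equals NR (global line number), which is the
# usual awk idiom for "still in the first input file".
audit_accounts() {
    awk -F: '
    FNR == NR {                                   # passwd: name:pw:uid:gid:gecos:home:shell
        if ($2 == "")
            print "empty password field in passwd: " $1
        else if ($2 != "x" && $2 != "*")
            print "password hash kept in passwd rather than shadow: " $1
        if ($3 == 0 && $1 != "root")              # numeric test: "0", "00", "000" all equal 0
            print "non-root account with uid 0: " $1
        if ($3 in seen_uid)
            print "duplicate uid " $3 ": " $1 " and " seen_uid[$3]
        else
            seen_uid[$3] = $1
        next
    }
    {                                             # shadow: name:hash:lastchange:...
        if ($2 == "")                             # empty hash = login without any password
            print "empty password hash in shadow: " $1
    }' "$1" "$2"
}

# run_audit: writes the constructed data to temporary files and audits them.
run_audit() {
    p=$(mktemp) && s=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_SHADOW" > "$s"
    audit_accounts "$p" "$s"
    rm -f "$p" "$s"
}
# finding_count: number of findings, for scripted checks.
finding_count() { run_audit | awk 'END { print NR }'; }

run_audit
```

On the sample data this produces five findings: backup is a second uid 0 account (reported both as non-root uid 0 and as a duplicate of root) and has an empty hash in shadow, guest has an empty password field in passwd, and svc shares uid 1000 with alice. A duplicate uid is worth reporting even when it is not 0, because the kernel only knows the number: files owned by alice are equally owned by svc.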

  11. Windows Logs • IIS logs activity such as website accesses • These logs may catch potentially compromising activities • However the logs may be large and difficult to sift through • Microsoft Log Parser (version 2.1 shipped with the IIS 6.0 Resource Kit tools; version 2.2 is a separate free download) can query the log file with SQL-like syntax
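Log Parser only runs on Windows, so as an added example (not from the lecture, and not Log Parser's own syntax) here is the same kind of query done in the AWK style used on the earlier slides. It assumes the IIS W3C extended log format, in which a "#Fields:" directive names the columns, and builds the column map from that directive rather than hard-coding field numbers, so the script survives a change in what the server is configured to log. The log excerpt is constructed: the requests, addresses and status codes are invented.

```shell
#!/bin/sh
# Constructed excerpt of an IIS W3C extended log. Only the "#Fields:" directive
# line is authoritative about column order; the requests, addresses and status
# codes below are invented for the example.
SAMPLE_IIS='#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-12 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-06-12 10:00:01 192.168.1.10 GET /index.htm - 80 - 10.0.0.5 Mozilla/4.0 200 0 0
2009-06-12 10:00:02 192.168.1.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 10.0.0.5 Mozilla/4.0 404 0 2
2009-06-12 10:00:03 192.168.1.10 GET /admin.php - 80 - 10.0.0.5 Mozilla/4.0 404 0 2
2009-06-12 10:00:04 192.168.1.10 GET /login.asp - 80 - 10.0.0.9 Mozilla/4.0 200 0 0
2009-06-12 10:00:05 192.168.1.10 POST /login.asp - 80 - 10.0.0.9 Mozilla/4.0 302 0 0
2009-06-12 10:00:06 192.168.1.10 GET /cgi-bin/phf - 80 - 10.0.0.5 Mozilla/4.0 404 0 2'

# iis_report: reads a W3C log on stdin. The column map is built from the #Fields:
# directive so the script keeps working when the server is configured to log a
# different set of columns.
iis_report() {
    awk '
    /^#Fields:/ {                         # "#Fields:" is $1, so column k is $(k+1) here
        for (i = 2; i <= NF; i++) col[$i] = i - 1
        next
    }
    /^#/ { next }                         # other directives (#Software, #Date, ...)
    {
        ip = $(col["c-ip"]); status = $(col["sc-status"])
        method = $(col["cs-method"]); uri = $(col["cs-uri-stem"])
        hits[ip]++
        if (status ~ /^[45]/) errors[ip]++
        # Path traversal (raw or URL-encoded), the Windows shell, and the Unix
        # password file are classic probes in web-server logs.
        if (uri ~ /\.\.(\/|%)|cmd\.exe|\/etc\/passwd/)
            printf "suspicious request from %s: %s %s\n", ip, method, uri
    }
    END {
        for (ip in hits)
            if (hits[ip] >= 3 && errors[ip] / hits[ip] >= 0.5)
                printf "%s: %d of %d requests were 4xx/5xx\n", ip, errors[ip], hits[ip]
    }'
}

run_iis()          { printf '%s\n' "$SAMPLE_IIS" | iis_report; }
suspicious_count() { run_iis | grep -c '^suspicious request'; }
noisy_clients()    { run_iis | awk -F': ' '/requests were 4xx\/5xx$/ { print $1 }'; }

run_iis
```

On the sample the traversal request for cmd.exe is reported individually, and 10.0.0.5 is reported as a client whose requests are mostly errors (three 404s out of four requests), which is the signature of a scanner guessing paths; 10.0.0.9, which only hits pages that exist, is not mentioned. The error-ratio rule is one practical answer to the "large and difficult to sift through" problem: it summarises thousands of lines per client instead of listing them.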

  12. Windows Logs • The Event Log Service records application, security, and system events, which are viewed with Event Viewer • Three Log Types • Application log • The application log contains events logged by programs • Security log • The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files (these are only recorded if the corresponding audit policy has been enabled) • System log • The system log contains events logged by Windows XP system components
