Now that we have the logs, it is high time we understood how to collect and analyze them from a network forensic's perspective.
The tool of choice is Splunk. This is a very versatile tool (it also has a free version) that offers users the ability to collect log files from multiple sources, index and normalize the data within, then carry out an in-depth analysis to look for anomalies, prepare reports, and visualize the results. Lets take a look at it:
Splunk offers the facility to import and index data in a multitude of formats. This includes structured data, web services, network devices, Microsoft servers, application services, the cloud, and a host of others. The following are the steps to download and start using Splunk:
The next stage is to add data to Splunk, as shown in the following screenshot:
To do this, complete the following steps:
The first is the upload option; this is to be selected when we want to analyze the log files that we have brought from the computer under investigation or have locally on our drive or removable media. In this case, the analysis is of the data of events that have occurred in the past and the log files are not changing dynamically. We can use this for the syslog files that are downloaded as a part of the tutorial on the Splunk site.
The second is the monitor option; in this case, we can monitor the ports as well as the files that are changing dynamically on the system. This is quite useful when we want to monitor the log activity in real time.
The third is the forwarding option. This allows multiple instances of Splunk to run on different machines. At one end, Splunk acts as a collector and at the other, it acts as a receiver. This helps in the collection and consolidation of logs over the network.
This is the stage where our long wait is over and we can indulge our 007 instinct. We can now begin to search for all sorts of suspicious activity. The Splunk Search page is shown in the following screenshot:
Just under it, Splunk lists the number of events indexed as well as the earlier and later event.
A quick click on Data Summary shows us the following result:
There are three tabs. The first Hosts tab shows that the data indexed by Splunk relates to a single host. The next two tabs show us that the data relates to four different sources and source types. Let's select the single host and see if there are any security events that merit our attention.
The good part about Splunk is that it has a Google-type search interface. We simply type in the text that we want it to look for and it shows us the results. In this case, let's look for the log entries that have the word logon
as well a word beginning with pass
. The wild card *
denotes that the output that should include everything that starts with pass including passes and password (which is what we are looking for). It is shown in the following screenshot:
A quick look at the interface shows us that there are 149 events that meet our criterion during the month of August, 2015. This is something we would definitely like to look at in more detail.
Let's expand these entries by clicking on the > sign on the left-hand side of the entry, as shown in the following:
Suddenly, things have become a lot clear. If we look closely, we see that on August 31, 2015, at about 22:14 hours, an attempt was made to log on to the FFT-05 host with a blank password. This is an example of the kind of interesting things that we are looking for.
While this reflects a single event, wouldn't it be great if we could see all the similar events visually. Luckily for us, this is what Splunk does really well. This aspect is called visualization and allows Splunk to aggregate the data and show it to us in an easy-to-understand graphical format. The following image illustrates this idea:
As we can see from the preceding image, our first attack began on August 11 and the latest was discovered on August 31.
This kind of information is quite valuable as it gives us an immediate insight into the kind of attack being directed at our information resources and gives us an excellent starting point to begin our investigation.
With a little bit of practice and the use of the excellent online tutorials available with Splunk, it is quite easy to gain the necessary expertise to begin your journey into log analysis and push your understanding of network forensics to another notch.
3.147.72.74