
Log-based evidence

In the previous chapter, we looked at various network protocol captures, which represent evidence in motion: data captured while it is being transferred. However, it is crucial for a network forensic investigator to also have a working knowledge of the various types of logs generated at the endpoints that the data passes through. These logs prove extremely handy when the scenario contains no network captures and the investigator must still deduce what happened and reach a definitive result. Consider a situation where a company named Acme Inc. has suffered a massive breach of customer data through its website, and the company has not retained any packet-capture files for the incoming traffic. In such cases, the forensic investigation relies solely on the logs generated at the various endpoints, such as the application server, the database, and the firewall, as shown in the following diagram:

In the preceding scenario, the attacker has compromised an externally hosted application server, which in turn connects to an internal network for database access. That internal network has no connectivity to the outside world except through the application server.

In such a scenario, the following set of questions needs answering:

  • How was the attacker able to penetrate the application server?
  • Why did the firewall allow access to the external attacker?
  • What set of queries did the attacker execute on the database?
  • Did the attacker alter the database?
  • Can we identify the origin of the attack?

To answer the preceding questions, we will require access to the logs of the external application server. Since the firewall permitted the attacker's access, we will also need the firewall logs, and since the attacker executed queries on the database, we will expect to need the database logs as well. Each log source answers a different subset of the questions, and it is the correlation across them, typically on source address and timestamp, that turns three separate records into one account of the intrusion.
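The following is an added example, not code from the original text, showing how the three log sources above can be correlated to answer the five questions. The firewall, web-server and database log formats, the hosts (203.0.113.7 as the attacker, 198.51.100.10 as the application server, 10.0.0.5 as the database) and every log line are constructed for the example; the injection markers and the five-second correlation window are assumptions an investigator would tune to the real environment.

```python
"""Correlate firewall, web-server and database logs to answer the breach
questions from the text. Added example; all log lines, hosts and rule names
below are constructed, not taken from any real incident."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# --- constructed sample logs (assumed formats) --------------------------------
FIREWALL_LOG = """\
2023-10-10T13:55:30Z ACCEPT rule=allow-https src=203.0.113.7 dst=198.51.100.10 dpt=443
2023-10-10T13:55:31Z DROP rule=default-deny src=203.0.113.7 dst=10.0.0.5 dpt=3306
2023-10-10T13:55:36Z ACCEPT rule=app-to-db src=198.51.100.10 dst=10.0.0.5 dpt=3306
"""
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /products?id=7 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:35 +0000] "GET /products?id=7%27%20UNION%20SELECT%20email%2Cpassword%20FROM%20customers-- HTTP/1.1" 200 51230
198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
DB_LOG = """\
2023-10-10T13:55:30Z 41 Query SELECT name, price FROM products WHERE id = 7
2023-10-10T13:55:36Z 42 Query SELECT name, price FROM products WHERE id = 7' UNION SELECT email,password FROM customers--
2023-10-10T13:55:40Z 42 Query UPDATE customers SET password = 'pwned' WHERE email = 'admin@acme.example'
"""

# Combined-log-format access line, a simple key=value firewall line, and a
# MySQL-general-log-like query line (all assumed formats).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
FW_RE = re.compile(r'^(?P<ts>\S+) (?P<action>ACCEPT|DROP) rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)')
DB_RE = re.compile(r'^(?P<ts>\S+) (?P<conn>\d+) Query (?P<sql>.*)$')

# Crude injection indicators checked against the URL-decoded request path.
SQLI_MARKERS = ("'", "union select", "--", " or 1=1")
# Statements that change data; their presence answers "did the attacker alter the database?"
WRITE_VERBS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE")


def parse_iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_clf(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def investigate(fw_text, access_text, db_text, window=timedelta(seconds=5)):
    fw = [FW_RE.match(l).groupdict() for l in fw_text.splitlines()]
    web = [ACCESS_RE.match(l).groupdict() for l in access_text.splitlines()]
    db = [DB_RE.match(l).groupdict() for l in db_text.splitlines()]

    # Q1: how did the attacker get in? Requests whose decoded path carries injection markers.
    suspicious = []
    for r in web:
        decoded = unquote(r["path"])
        if any(m in decoded.lower() for m in SQLI_MARKERS):
            suspicious.append({**r, "decoded": decoded, "when": parse_clf(r["ts"])})
    # Q5: origin of the attack, taken from the suspicious requests.
    origins = sorted({r["ip"] for r in suspicious})
    # Q2: which firewall decisions let those origins through, and which were blocked.
    allowed = [e for e in fw if e["action"] == "ACCEPT" and e["src"] in origins]
    blocked = [e for e in fw if e["action"] == "DROP" and e["src"] in origins]
    # Q3: database queries issued within `window` after each suspicious request.
    queries = []
    for r in suspicious:
        for q in db:
            if r["when"] <= parse_iso(q["ts"]) <= r["when"] + window:
                queries.append(q["sql"])
    # Q4: did any of those correlated queries modify data?
    altered = [q for q in queries if q.split(None, 1)[0].upper() in WRITE_VERBS]
    return {"suspicious_requests": suspicious, "origins": origins,
            "firewall_allowed": allowed, "firewall_blocked": blocked,
            "db_queries": queries, "altering_queries": altered}


if __name__ == "__main__":
    result = investigate(FIREWALL_LOG, ACCESS_LOG, DB_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The correlation deliberately keys on source address for the firewall-to-web join and on time for the web-to-database join, because the application server's own address, not the attacker's, appears as the source of the database connection; the firewall log shows the attacker's direct attempt at port 3306 being dropped while the app-to-db rule lets the same query through.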
