Thursday, September 6, 2007

The importance of logging for forensics investigations

ISSA has an interesting article (PDF, members only) in this month's issue. It is titled "Computer Forensics Foils Financial Data Theft" and it describes how the absence of a specific log file turned investigators onto the trail of a thief.

SIM products generally do a more-or-less acceptable job of collecting log data, extracting useful information from it, and doing some basic analysis. While it does not appear that a SIM was used in this particular example, the article shows how important it is to have a baseline of expected behaviour. The absence of logging that should be there is generally an indication that something is awry. I wonder how many of the commercial SIMs out there have provisions for this sort of detection.
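
The baseline-and-absence check described above, as an added example (not taken from the ISSA article or from any SIM product): it learns each source's normal reporting interval from a known-good period and flags silences that exceed it. The host names, timestamps and the tolerance factor of 3 are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def by_source(events):
    """Group (timestamp, source) pairs into sorted per-source timelines."""
    seen = defaultdict(list)
    for ts, src in events:
        seen[src].append(ts)
    return {src: sorted(times) for src, times in seen.items()}

def learn_baseline(events, tolerance=3):
    """Longest silence treated as normal per source: tolerance x the
    median gap between its consecutive events (tolerance is an assumption)."""
    return {src: tolerance * median(b - a for a, b in zip(times, times[1:]))
            for src, times in by_source(events).items() if len(times) > 1}

def find_silences(events, baseline, start, end):
    """Return (source, silent_from, silent_until) for each stretch of
    [start, end] that exceeds the source's baseline. A baselined source
    with no events at all yields one gap covering the whole window."""
    observed = by_source(e for e in events if start <= e[0] <= end)
    gaps = []
    for src, limit in sorted(baseline.items()):
        marks = [start, *observed.get(src, []), end]
        gaps += [(src, a, b) for a, b in zip(marks, marks[1:]) if b - a > limit]
    return gaps

def every(src, start, minutes, count):
    """Constructed sample data: `count` events from `src`, `minutes` apart."""
    return [(start + timedelta(minutes=minutes * i), src) for i in range(count)]

# Constructed known-good period: three sources reporting at steady rates.
DAY1, DAY2 = datetime(2007, 9, 3), datetime(2007, 9, 4)
BASELINE_EVENTS = (every("fw01", DAY1, 10, 36) + every("db01", DAY1, 30, 12)
                   + every("app01", DAY1, 60, 6))
# Constructed observation window: db01 is silent 02:00-05:00, app01 never logs.
WINDOW_END = DAY2 + timedelta(hours=6)
OBSERVED_EVENTS = (every("fw01", DAY2, 10, 37) + every("db01", DAY2, 30, 5)
                   + every("db01", DAY2 + timedelta(hours=5), 30, 3))

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_EVENTS)
    for src, a, b in find_silences(OBSERVED_EVENTS, baseline, DAY2, WINDOW_END):
        print(f"{src}: no events from {a:%H:%M} to {b:%H:%M} "
              f"(baseline allows {baseline[src]})")
```

A source that stops logging entirely produces no events to match a rule against, which is why the check iterates over the baseline rather than over what was observed.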

