9Using Firewall and Application Logs

Sitting at his computer, he realizes that everything he sends across the wire has the potential to be logged somewhere. This may be at the firewall that he may be passing through transparently or it may be a result of the program he is connecting to logging his actions. The best thing to do is to not leave any traces at all, but that's not a realistic expectation. As a result, when he gets into a system, one thing he makes sure to do is to track down the logs. He has tools that are capable of cleaning out log files. The question he ponders is whether it's worth it, based on whether logs are being pushed off to another system for storage and analysis. If logs are being sent somewhere else, discrepancies might raise more questions. This means doing a little digging.

He looks at the processes that are running to see whether there are agents set up for some of the popular log management systems. He also checks the network connections to see if there is something that has escaped him in the process tables. Finally, he goes looking at the logs themselves just to see what sort of trail there may be, based on how much is being logged. Some businesses barely bother logging at all. Those businesses are much easier to deal with. Once he is satisfied there is little being logged, he is free to move on. Depending ...

Get Network Forensics now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.