3. Logs: Characteristics and Requirements
The issues highlighted above regarding UNIX are only one side of the coin. There are also a number of very important problems regarding log file integrity and management.
Every IT and network object, if programmed and configured accordingly, is capable of producing logs. For network forensics purposes, logs must have certain fundamental requisites. They are:

Integrity: the log must be unaltered and must not admit any tampering or modification by unauthorized operators;

Time Stamping: the log must guarantee reasonable certainty as to the date and hour at which a certain event was registered. This is absolutely essential for making correlations after an incident;

Normalization and Data Reduction. By normalization we mean the ability of the correlation tool to extract a datum from the source format of the log file that can be correlated with others of a different type, without having to violate the integrity of the source datum. Data Reduction (a.k.a. filtering) is the data extraction procedure for identifying a series of pertinent events and correlating them according to selective criteria.
3.1 The Need for Log Integrity: Needs and Possible Solutions
A log must guarantee its integrity right from the moment of registration. Regardless of the point of acquisition (Sniffer, Agent, Daemon, etc.), a log usually flows as shown in Fig. 2.
Fig. 2. Log flow.