Logs, Logs, Every Where / Nor Any Byte to Grok
- Phil Hagen, Instructor, SANS Institute
- Tuesday, June 3rd, 6:30pm - 7:30pm
In the practice of Network Forensics, we frequently lack the ultimate evidence - a full packet capture. Instead, we must seek other Artifacts of Communication, which provide insight to system communications that have long since concluded. These artifacts often come from log events created along the path of communication - switches, routers, firewalls, intrusion detection systems, proxy servers, and a myriad other devices.
The skilled network forensicator will aggregate these different sources, then apply sound analytic processes to the consolidated evidence. Only then can we build a comprehensive understanding of those network communication events and establish the best possible sequence of events around the incident in question.
We will discuss one tool that can be very effective in practice: Logstash. This is a free and open-source solution primarily intended for system and network administrators to observe live data. However, it can also provide great value to the forensicator, who must integrate disparate data sources and formats. New developments around Logstash also make it an ideal tool for the system-based forensicator as well, since supertimeline data can be integrated to the broader view of evidence.
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.