Hey all
Looking for some opinions and experiences with log file analyzers that can run graphical reports on a standalone Windows system. Trying to correlate multiple events to a narrow time frame and date.
The scenario I am using this in is a 32-bit Win 7 Ult image that has had a migration upgrade from Vista. We are trying to timeline two dates in question prior to the migration. I have it loaded in VM VFC with Mount Image Pro.
The original system was a standalone laptop not on a domain, connecting to a hosted Exchange server through Outlook and OWA. Wifi and/or physical NIC connections with Intel PROSet (this would be a critical piece of the puzzle, as we need to see SSIDs for particular days through Intel PROSet Wireless). Need faster visual reports from multiple sources (any and all on a system: OS, network, 3rd-party apps, etc.) so I can advise clients if we need to do a deeper investigation for the direction of the case.
Also need a program that will not just auto-scan the local host for log files but can also take in deleted files I have recovered.
Because of the time sensitivity I just need fast reporting and an overview, and do not want to take a lot of time on the front end of the investigation to really index and process an image in EnCase (that is subsequently running on another system).
I like and am using Splunk but I am looking for other suggestions as well.
Thanks to Harlan's Where Was Waldo post; it got me thinking down this path, because essentially we will have to localize the MAC and IP addresses to a geographical region.
Greetings,
I'd say "splunk" and, if not that, "sawmill". I've had issues with sawmill, but mostly on very large datasets. Splunk is more expensive, but probably more flexible. Sawmill may have a better (i.e., faster) database and the reporting may be a bit prettier. I've not compared them side by side on all features as I've just been doing SMTP log analysis.
-David
Thanks David. Splunk is doing it the easiest so far, next to the Windows Event Viewer (which is not bad by itself since Vista). Just looking for others as well.
Doug,
I'm having a little bit of trouble understanding what you're trying to do here. It sounds like you're trying to correlate multiple events from a laptop that was upgraded from Vista to Win7…is that the case?
Harlan,
Yes. Trying to find a program that can aggregate multiple types of log files on this system in an easier-to-display manner. Kind of got the idea from LogRhythm but was wondering if there are standalone apps that can run on a client to do this type of work in addition to the built-in Event Viewer.
BTW - is skyhook.pl available? Is there much difference from bssid-location.pl?
Doug,
Yes. Trying to find a program that can aggregate multiple types of log files on this system in an easier-to-display manner. Kind of got the idea from LogRhythm but was wondering if there are standalone apps that can run on a client to do this type of work in addition to the built-in Event Viewer.
I guess it depends on what you want to add to the list of events. I've written my own stuff, simply because there was nothing commercially available that would incorporate what I wanted, which was everything.
If you're only looking at log files, there might be something out there…don't know for sure. I need to include things like Event Logs, relevant Registry data, file metadata, etc…and I didn't find anything like that. To be honest, I think I was expecting too much in looking.
BTW - is skyhook.pl available?
No, sorry. No one was interested, so I stopped doing anything with it, and got rid of it. I did, however, keep the updated version of the script called maclookup.pl.
Is there much difference from bssid-location.pl?
I don't know…what is "bssid-location.pl"?
Did a search on the Perl script you mentioned…is this what you were referring to?
http//
bssid-location.pl
# Find the Longitude and Latitude of a BSSID
Check it
Doug,
Yes. Trying to find a program that can aggregate multiple types of log files on this system in an easier-to-display manner.
One of the things I've found in developing timelines is that as you start to add more sources, it becomes more and more difficult to find an effective means of graphical representation.
Consider EnCase's timeline display. I'm not picking on EnCase, I'm only mentioning it because I know it has a timeline display. What does it show? Is it easy to understand and mine for information? What if you were to add other events, such as from the Event Log, Registry, AV logs, etc?
I think that Pete Silberman was right when he said that "malware is the least frequency of occurrence" on a system…and from what I've seen, the same is true for intrusions. So you're not looking for spikes in activity…on many of the Windows systems for which I've created timelines, the spikes in activity are system or application updates. The intrusions are harder to find, b/c they're a login (if auditing is enabled for the events) and a couple of files added to the system. In every one of the cases where I've used a timeline, it's been a matter of separating the wheat from the considerable chaff.
Just some thoughts…
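The multi-source timeline Harlan describes above, together with the narrow-window correlation Doug asked for in the opening post, as an added Python example that is not code from any of the posters or from any tool named in the thread. Every record below (event-log lines, registry key paths and last-write times, file paths and timestamps, SSIDs and BSSIDs) is constructed sample data, and the pipe-delimited event-log layout and the `SSID=... BSSID=...` wireless-log layout are assumptions, not real export formats. It normalizes each source into one event shape, merges and sorts them, slices out a one-hour window, and then applies the least-frequency-of-occurrence idea by counting (source, event type) pairs and surfacing the rare ones rather than the spikes.

```python
"""Merge several artifact sources into one timeline, cut a narrow window,
and list the rarest event types.  All data here is constructed for
illustration; none of it comes from a real image or a real tool's output."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout shared by all sample sources


@dataclass(frozen=True, order=True)
class Event:
    when: datetime   # sorted first, so the merged list is chronological
    source: str      # artifact family the record came from
    kind: str        # coarse event type, the unit for frequency counting
    detail: str


def parse_event_log(lines):
    """Assumed export format: 'timestamp|channel|event id|message'."""
    events = []
    for line in lines:
        ts, channel, eid, msg = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, TS), "evtx:" + channel, eid, msg))
    return events


def parse_registry(records):
    """(key path, last-write timestamp) pairs, as a hive parser might emit."""
    return [Event(datetime.strptime(ts, TS), "registry", "LastWrite", key)
            for key, ts in records]


def parse_file_metadata(records):
    """(path, created, modified); each file contributes one event per timestamp."""
    events = []
    for path, created, modified in records:
        events.append(Event(datetime.strptime(created, TS), "filesystem", "Created", path))
        events.append(Event(datetime.strptime(modified, TS), "filesystem", "Modified", path))
    return events


def parse_wireless_log(lines):
    """Assumed format: 'timestamp SSID=<name> BSSID=<mac>' (19-char timestamp)."""
    events = []
    for line in lines:
        ts, fields = line[:19], dict(f.split("=", 1) for f in line[20:].split())
        events.append(Event(datetime.strptime(ts, TS), "wireless", "Connect",
                            f"SSID={fields['SSID']} BSSID={fields['BSSID']}"))
    return events


def build_timeline(*event_lists):
    """Merge every source into a single chronologically sorted list."""
    return sorted(e for events in event_lists for e in events)


def in_window(timeline, start, hours):
    """Events in [start, start + hours); start may be a datetime or a TS string."""
    if isinstance(start, str):
        start = datetime.strptime(start, TS)
    end = start + timedelta(hours=hours)
    return [e for e in timeline if start <= e.when < end]


def source_counts(timeline):
    """Per-source volume: the quick overview a client can be handed."""
    return dict(Counter(e.source for e in timeline))


def least_frequent(timeline, max_count=1):
    """Events whose (source, kind) pair occurs at most max_count times.
    Update noise repeats and drops out; the single logon and the one-off
    file/registry changes are what remain."""
    counts = Counter((e.source, e.kind) for e in timeline)
    return [e for e in timeline if counts[(e.source, e.kind)] <= max_count]


# Constructed sample records (documentation IP/MAC ranges, made-up paths).
EVENT_LOG = [
    "2010-03-15 07:58:02|System|7036|Windows Update service entered the running state",
    "2010-03-15 07:58:40|System|7036|Windows Update service entered the stopped state",
    "2010-03-15 08:02:11|Security|4624|An account was successfully logged on: jdoe",
    "2010-03-15 08:40:05|System|7036|Windows Update service entered the running state",
    "2010-03-16 09:15:00|System|7036|Windows Update service entered the running state",
]
REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "2010-03-15 08:03:30"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles", "2010-03-15 07:57:55"),
]
FILES = [
    (r"C:\Users\jdoe\AppData\Local\Temp\unknown.tmp", "2010-03-15 08:03:12", "2010-03-15 08:03:12"),
    (r"C:\Windows\SoftwareDistribution\Download\update.cab", "2010-03-15 07:58:10", "2010-03-15 08:40:20"),
]
WIRELESS = [
    "2010-03-15 07:57:50 SSID=HomeNet BSSID=00:00:5e:00:53:01",
    "2010-03-16 12:10:03 SSID=CoffeeShop BSSID=00:00:5e:00:53:02",
]


def build_demo_timeline():
    return build_timeline(parse_event_log(EVENT_LOG), parse_registry(REGISTRY),
                          parse_file_metadata(FILES), parse_wireless_log(WIRELESS))


if __name__ == "__main__":
    tl = build_demo_timeline()
    print("per-source volume:", source_counts(tl))
    for e in in_window(tl, "2010-03-15 07:55:00", 1):
        print(e.when, e.source, e.kind, e.detail)
    print("rarest:", [(e.when, e.source, e.kind) for e in least_frequent(tl)])
```

The frequency count is keyed on (source, kind) deliberately: keying on the full detail would make every event unique and defeat the purpose, while keying on source alone would hide the single 4624 logon behind the other Security-channel records. Loosening `max_count` widens the net to the file and registry changes that sit a minute after that logon in the sample, which is the cluster an examiner would want to look at first.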
Consider EnCase's timeline display. I'm not picking on EnCase, I'm only mentioning it because I know it has a timeline display. What does it show? Is it easy to understand and mine for information? What if you were to add other events, such as from the Event Log, Registry, AV logs, etc?
Funny you should say that. Was doing the timeline analysis in EnCase and that is what got me thinking down this path, because the display is not particularly revealing when you drill down. It is great to see a graphical representation of the file system and disk activity through a period, and that's about it. Add in all the other screens open of various logs, events and application data, add handwritten notes on the timeline, and one's head starts to spin. Putting that in a nice overview for the client to decide the investigation strategy, when the client is calling every hour for updates, would just allow the examiner to hand off something to ease the client's concerns while we also look at other avenues. Plus it's nice to hand off a big picture, because often the client then comes back with terms, keywords or areas to investigate that they might not have thought of in the early interviews.
Just trying to remove the bottlenecks of communication between me, the client and the evidence.
The intrusions are harder to find, b/c they're a login (if auditing is enabled for the events) and a couple of files added to the system. In everyone of the cases where I've used a timeline, it's been a matter of separating the wheat from the considerable chaff.
I do find as well that the customer is often emphatic about particular dates being important, when it is rather the days and times leading up to the event in question.
Ultimately we are trying to track a user's behavior on a system, so the meat manipulating the data has to be profiled through activity to find anomalies.