CompTIA Security+ SY0-601 – 4.3 support an investigation

April 4, 2023

1. Log Files

In this video I’m going to be talking about log files, and we’ll take a quick look at SIEM systems too. In the world of security incidents, after an incident, or during an incident, administrators need to examine evidence: things they can look at that say, okay, this is what caused the incident, this is what was affected, this is who was affected. The way to do this is to look at log files. In the digital world, evidence is left mostly in log files. The log files will say what was accessed, when they came in, when they left; this can be in firewall logs, and what file was accessed can be in the server logs, and so on. So there are a couple of things here we want to take a look at. The first thing up is that if there is an incident, you may want to look at vulnerability scan output. A vulnerability scan output is what I have here.

Now this is the Nessus vulnerability scanner. It’s something I covered earlier in the class. I told you that you can download it for free. In this vulnerability scanner, I did a vulnerability scan on my Windows 7 box. If I click on it, this is what the vulnerability scan output looks like. So if you’re doing investigations for incidents and you’re looking for what caused it, you should take a look at these things. The vulnerability scanner will say, well, these were the vulnerabilities on the machine. And then you can form a theory that maybe one of these vulnerabilities was exploited. The other thing that’s mentioned here is SIEM systems and their dashboards: security information and event management.

These are going to be like Splunk, which is very well-known software, and this is also something we looked at earlier in the class. The dashboard itself is what pops up and shows you information as it’s being gathered. The SIEM goes out and gathers log information from all the systems on your network. There are sensors (agents) that get installed, and you can set the sensitivity. So we install sensors on all of our computers and our devices, routers, switches, and then there’s the sensitivity: what’s the threshold you’re going to have before it gives out alerts? There may be a threshold of a certain number of invalid logins, or a certain number of times a file is accessed and access is denied. Then you start to see the trend and the correlation within it.

Now the dashboards themselves are basically the interfaces. So here I have Splunk; here is a dashboard of it. Splunk is something I reviewed with you earlier in the class as well, when we talked about these types of systems. And this can tell you, okay, this is what’s going on at this particular time on the server. I haven’t had it on all the time. It’s telling you what type of CPU usage we’ve been having. What I don’t have is any sensors installed on any devices; with those, the dashboard can give you a lot more information, and you can customize it the way you like to see it. So by having one interface you’ll be able to see everything that’s happened on the network. You’ve seen it in a movie: the network guys are watching a whole bunch of bars go up and down.

Basically that’s what this is. Now the big thing here is log files. So let’s take a look at log files in my Windows box here. I’m going to right-click on the Start button, go to Computer Management, and go to Event Viewer. The Event Viewer in Windows holds the Windows log files. For your exam you don’t need to go and read log files, that I promise you. You just need to know that log files contain specific data that can help you with an incident. So the Application log will tell you specific things about a specific application: when an application opened, when it crashed, any type of issue. Information events just tell you information about a particular application, such as that it’s running. Then you have Warning events, if there’s an issue with that application that may lead to an error, and then sometimes you have Error events in the application.

So you may want to take a look at that. The Security log is basically going to tell you when people logged in, when they logged off, and what files were accessed during that time. Then there are Setup and System. Setup is any type of information dealing with installation and setup, and the System log is going to show us any issues with the operating system itself. So here you have an error in my System log from Schannel, something with a TLS credential. So this is something we may want to look into. Now there are different types of log files. We just talked about the System, Application, and Security logs. There are network logs coming out of networking devices that can show switching information, routing information. There are logs on web servers that say who accessed what on the web server. If there was ever a hack against a web server, you may want to take a look at your web server logs.
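The threshold rule the SIEM section describes (so many invalid logins before an alert fires) and the Security log questions above (who logged in, who was affected) can be put together in a few lines of code. This is an added example, not code from the course or from Splunk: it runs a sliding-window rule over constructed records shaped like the Security log’s logon events. Event IDs 4624 (logon succeeded) and 4625 (logon failed) are the real Windows IDs; every host, user, address and timestamp is made up for the demonstration, and the helper names are my own.

```python
"""Threshold alerting over Windows Security log events (added example).

Constructed records stand in for Event Viewer's Security log. Event IDs
4624 (logon success) and 4625 (logon failure) are the real Windows IDs;
the users, source addresses and timestamps are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_SUCCESS = 4624
LOGON_FAILED = 4625

# Constructed records with the fields Event Viewer shows for a logon event.
SECURITY_EVENTS = [
    {"time": "2023-04-04T09:00:01", "id": 4625, "user": "admin",  "src": "203.0.113.5"},
    {"time": "2023-04-04T09:00:10", "id": 4625, "user": "admin",  "src": "203.0.113.5"},
    {"time": "2023-04-04T09:00:25", "id": 4625, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2023-04-04T09:00:40", "id": 4625, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2023-04-04T09:00:55", "id": 4624, "user": "jsmith", "src": "203.0.113.5"},
    {"time": "2023-04-04T09:02:00", "id": 4624, "user": "alice",  "src": "10.0.0.9"},
    {"time": "2023-04-04T09:05:00", "id": 4625, "user": "bob",    "src": "198.51.100.7"},
    {"time": "2023-04-04T09:30:00", "id": 4625, "user": "bob",    "src": "198.51.100.7"},
    {"time": "2023-04-04T09:31:00", "id": 4624, "user": "bob",    "src": "198.51.100.7"},
]


def load_events(records):
    """Parse the timestamps and return the events in time order."""
    events = [dict(r, time=datetime.fromisoformat(r["time"])) for r in records]
    return sorted(events, key=lambda e: e["time"])


def failed_logon_alerts(records, threshold=3, window_seconds=60):
    """Fire one alert per source address once it has produced `threshold`
    failed logons inside a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)        # src -> failed logons still inside the window
    alerts, fired = [], set()
    for ev in load_events(records):
        if ev["id"] != LOGON_FAILED:
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:   # drop events that aged out
            q.popleft()
        if len(q) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "time": ev["time"],
                "count": len(q),
                "users": sorted({e["user"] for e in q}),   # which accounts were targeted
            })
    return alerts


def logons_after_alert(records, alerts):
    """Who was affected: accounts that later logged on successfully from an
    alerted source, i.e. the password guessing apparently worked."""
    affected = {}
    events = load_events(records)
    for a in alerts:
        users = sorted({
            ev["user"] for ev in events
            if ev["id"] == LOGON_SUCCESS and ev["src"] == a["src"] and ev["time"] >= a["time"]
        })
        if users:
            affected[a["src"]] = users
    return affected


if __name__ == "__main__":
    found = failed_logon_alerts(SECURITY_EVENTS)
    for a in found:
        print(f"ALERT {a['time']:%H:%M:%S} {a['src']}: {a['count']} failed logons, users {a['users']}")
    print("successful logons after alert:", logons_after_alert(SECURITY_EVENTS, found))
```

On the sample data only 203.0.113.5 trips the default rule (three failures inside a minute); the two failures from 198.51.100.7 are 25 minutes apart and age out of the window, which is the point of tuning the threshold and window rather than counting failures forever. The follow-up check shows a successful logon for jsmith from the alerting address right after the failures, which is the "who was affected" answer an investigator needs.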

Also, the other thing you can look at that may be related to this is web access. Web access logs come from proxy servers. Proxy servers track what websites you’ve been to, so that would be a type of web access log. DNS servers can tell you who queried the DNS server and at what point. For authentication, you can look back at the security logs to see who authenticated to the network. Now, dump files. There are two things you can dump. You can dump the RAM of a computer; we talked about that in forensics. Or you can dump, as with tcpdump, network traffic, and then analyze the capture files. Remember something: log files are great, but they generally come after the fact. tcpdump and tools like Wireshark can actually dump the traffic as it’s happening, and you can view the traffic as it’s happening.

Other log files you may want to look at are things on your VoIP systems: your call managers, your call manager systems, those PBXes that you have, and then, of course, analyzing the VoIP traffic itself. That’s going to be Session Initiation Protocol (SIP), which is basically the VoIP signaling protocol. So there are a variety of different log files. Now, your exam is not going to go in there and tell you these are log files, but what it may do is give you outputs of them. They’re famous for giving you an output of a log file and asking you to identify what type of attack it is. That’s mostly what they do on this exam. If you remember the attacks as I went through them at the beginning of this class, you should be fine. Just remember, log files keep track of these different types of attacks that are out there.

2. Capture log files

In this video I’m going to be going over some places where we can get log information. Now log files are a real pain to manage. Why? Because there are so many log files; so many devices have them. The best thing to do is to use some kind of SIEM system to manage this. Splunk is the best way to go about doing this. But you do have some other utilities that I quickly want to mention, just in case you see them on your exam, so you’ll know what they are. So the first ones up are what they call syslog, rsyslog, and syslog-ng. These are basically logging servers that can capture log files across the network for you. Then you have journalctl. This is basically a command for viewing the log files kept by systemd’s journal. And then the other one is NXLog, which is a log collection and centralization solution.
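What a syslog server such as rsyslog or syslog-ng actually receives is a line with a priority value in angle brackets, and the facility and severity are packed into that one number (facility × 8 + severity). This added example, not code from the course or from any of those products, decodes constructed RFC 3164 lines and applies the kind of severity cut a selector like `*.err` makes in rsyslog.conf. The hosts, addresses and messages are made up; the facility and severity tables are the standard ones from RFC 3164.

```python
"""Decoding RFC 3164 (BSD) syslog lines (added example).

<PRI>TIMESTAMP HOST TAG[PID]: MESSAGE, where PRI = facility * 8 + severity.
The sample lines, hosts and addresses are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Day of month is space-padded in the BSD timestamp ("Apr  4"); PID is optional.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines as a central syslog server would receive them.
SAMPLE_LINES = [
    "<38>Apr  4 09:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2",
    "<86>Apr  4 09:00:05 web01 sshd[2214]: Accepted password for jsmith from 10.0.0.9 port 40211 ssh2",
    "<27>Apr  4 09:01:12 web01 nginx[811]: upstream timed out (110: Connection timed out) while reading response header",
    "<34>Apr  4 09:01:40 db01 su: 'su root' failed for lonvick on /dev/pts/8",
    "<190>Apr  4 09:02:00 fw01 filterlog: block,in,tcp,203.0.113.5,10.0.0.25,51123,3389",
]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_syslog(line):
    """Split one RFC 3164 line into its fields, decoding PRI into names."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                           # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(
        facility=FACILITIES[facility],
        severity=SEVERITIES[severity],
        timestamp=m["ts"],
        host=m["host"],
        tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


def at_least(lines, severity="err"):
    """Keep messages at the given severity or worse (lower number = more urgent)."""
    cutoff = SEVERITIES.index(severity)
    return [m for m in map(parse_syslog, lines) if SEVERITIES.index(m.severity) <= cutoff]


def by_facility(lines, facility):
    """Keep messages from one facility, e.g. everything logged as 'auth'."""
    return [m for m in map(parse_syslog, lines) if m.facility == facility]


if __name__ == "__main__":
    for m in map(parse_syslog, SAMPLE_LINES):
        print(f"{m.facility}.{m.severity:<7} {m.host:<6} {m.tag}: {m.message}")
```

Two things to notice: `<38>` and `<86>` are both sshd logon messages at the same severity (info) but different facilities (auth versus authpriv), so a filter on severity alone does not separate the failed logon from the successful one, while the `<34>` su failure is auth.crit and does survive an `err` cut.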

NXLog is actually software that you can get. Here’s the software; you can purchase it, and it basically goes out and collects log files for you. It’s a commercial product, very good, easy to use. Now the other thing we want to mention is how long you are going to retain these log files. This is something I spoke about in another video. Retention of log files may be dictated by regulations, or it may just be dictated by company policy. Most companies may retain them for five years, some of them for seven years, some of them for just a few weeks. Again, it really goes back to regulations and that company’s overall policy.

The other thing to use is bandwidth monitors, because if there is an incident within your organization, you’re going to want to be able to detect whether the bandwidth is being used up. It’s one of the first signs that there may be an intrusion in your network, if the available bandwidth on the systems suddenly drops. Now metadata: metadata is additional data that may be attached to emails. It may be attached to mobile devices, web information, and even files that are out there. So metadata is just more information about what’s coming in. And I’ll show you the metadata on an email. So here is my Outlook. I set up this account, and I found something here, back in January, from a hacker.

This is basically a phishing email, and the email is from, well, this is of course some kind of hacker; I don’t mind showing you all this data. It’s from the email address SIV at S one V ru, and that is the actual address there. And they’re telling me they’re a hacker who has access to my operating system; they have full access to my information and supposedly they see everything I was doing or watching, something like that. And they want me to deposit $500 to this bitcoin address. Now I was going to delete this, but I kept it for the video, because there may be a question on the exam where you have to know what a public ledger is. This is something I mentioned in another video, but this is a real example that I found, so I’ll just put it in the video.

So if you ever get an email like this and you want to know how much money was stolen, actually how many people were caught by this scam: people may be thinking, who’s going to pay these people? I was surprised to find out, and I just looked it up. Now today is the end of November coming up here, and this email went out in January. So here is the bitcoin address; you can take this and look it up in the public ledger. Remember, everything for bitcoin is stored in a blockchain; it’s all stored in a public ledger. So I’m going to copy that. And here we have a site called BTC, which is a site that keeps track of all the bitcoin transactions. I’m going to go in there and search for that bitcoin address. And there have been seven transactions with this particular bitcoin address.

Now how much are these seven transactions worth? Well, it’s basically 0.246 of a bitcoin. So if you’re wondering how much money that is, you’re about to find out, because I actually looked this up: converting bitcoin to USD, it’s $4,698 as of today, November 25. So this is so unbelievable, how they got people. People actually received this email, and the scammers probably sent it to a whole lot of people, and this guy got $4,600 worth of bitcoin for sending out that email. Okay, so that is a phishing email. Okay, I got off track there. Something like that may appear on your exam. All right, we did review that, but something like that just may appear on your exam.

Let’s continue. We’re talking about the metadata in an email. So I’m going to double-click on this email, and we can view the metadata by going to File and then Properties. Here you can see the metadata at the bottom of the email. This is going to tell you things like what server it came from. So this is coming from the server journeymania. com. It’s an email server, and it hit our email server. The headers can tell you what type of email server it used, who it came from, when they sent it, what type of encoding they used, and so on. It’s all in the email headers. So this is basically the metadata. Different types of software will read this metadata and give you more information about what is there.
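The headers Outlook shows under File > Properties can be read programmatically, which is how you would do it at scale during an investigation. This is an added example, not code from the course and not the instructor’s actual email: the message below is constructed (hosts, addresses, message ID and the bitcoin address are all made up), and the helper names are my own. It walks the Received chain from earliest hop to latest to find where the mail entered, reads the transfer encoding and decodes the body, and pulls out any bitcoin address the body mentions.

```python
"""Reading email header metadata (added example).

The raw message is constructed; every host, address and identifier in it is
made up. Received headers are prepended by each hop, so the top one is the
last server to handle the mail and the bottom one is the first.
"""
import base64
import re
from email import message_from_string, policy

DEMO_BTC_ADDRESS = "bc1q" + "exampleaddress" + "0" * 22   # made-up, bech32-shaped
BODY_TEXT = ("I have full access to your operating system and watched everything you did. "
             f"Send 500 USD to {DEMO_BTC_ADDRESS} within 48 hours.")

RAW_MESSAGE = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mail.example.com with ESMTPS id 4Kq7x2; Wed, 04 Jan 2023 10:15:32 +0000\n"
    "Received: from relay.example.org (unknown [198.51.100.23])\n"
    "\tby mx1.example.net with ESMTP id 9Qm2z1; Wed, 04 Jan 2023 10:15:30 +0000\n"
    'From: "Security Alert" <no-reply@example.org>\n'
    "Reply-To: attacker@example.org\n"
    "To: victim@example.com\n"
    "Subject: Your account has been compromised\n"
    "Date: Wed, 04 Jan 2023 10:15:29 +0000\n"
    "Message-ID: <20230104101529.1234@relay.example.org>\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(BODY_TEXT.encode()).decode() + "\n"
)

HOP = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BTC_ADDRESS = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def received_chain(msg):
    """Return the hops in delivery order (earliest first) with the relaying IP."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())        # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue
        ip = IPV4.search(m["info"] or "")
        hops.append({"from": m["from"], "ip": ip.group(1) if ip else None, "by": m["by"]})
    return hops


def first_address(msg, name):
    """addr_spec of the first mailbox in an address header, or None if absent."""
    header = msg[name]
    return header.addresses[0].addr_spec if header and header.addresses else None


def summarize(raw):
    """The metadata an investigator wants first, as a plain dict."""
    msg = message_from_string(raw, policy=policy.default)
    hops = received_chain(msg)
    body = msg.get_content()                     # decodes the transfer encoding
    return {
        "from_address": first_address(msg, "From"),
        "reply_to_address": first_address(msg, "Reply-To"),
        "hops": len(hops),
        "origin_host": hops[0]["from"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "encoding": str(msg.get("Content-Transfer-Encoding", "7bit")).lower(),
        "bitcoin_addresses": BTC_ADDRESS.findall(body),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_MESSAGE).items():
        print(f"{key:>18}: {value}")
```

Only the Received line added by your own mail server is trustworthy; everything below it was written by the sending side and can be forged, which is why the bottom-most hop is a lead to verify, not proof of origin.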

Okay, so the other thing we have is something called NetFlow. NetFlow is a protocol, and there is software that can analyze NetFlow data, which lets you analyze network traffic as it’s happening. Cisco created NetFlow. It’s basically Cisco’s protocol for capturing and analyzing IP traffic statistics. The flow data is collected on the router interfaces, and there’s software that connects to this and collects that traffic information. Just remember for your exam that NetFlow or sFlow can capture IP traffic information, whether it’s ICMP or anything else, and that IPFIX is the standardized version. Now, the other one is protocol analyzer output. So this here we’ve looked at already: this is Wireshark.
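What a collector actually receives from a router interface is a UDP datagram of fixed-size records: no packet contents, just who talked to whom, on which ports and protocol, and how many packets and bytes. This added example, not code from the course or from Cisco, builds a NetFlow v5 export from constructed flows and parses it back with the standard library, then runs the kind of question a bandwidth monitor answers: which internal host sent an unusually large amount of data out. The header and record layouts are the documented v5 format; the flows, addresses and byte counts are made up, and the function names are mine.

```python
"""Building and parsing a NetFlow v5 export datagram (added example).

The 24-byte header and 48-byte record layouts are the documented v5 format;
the flows, addresses and counters below are constructed.
"""
import ipaddress
import struct
from collections import defaultdict

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed flows. For ICMP, v5 puts type<<8 | code in the dstport field.
SAMPLE_FLOWS = [
    dict(src="10.0.0.25", dst="203.0.113.80", sport=51400, dport=443, proto=6, flags=0x18,
         packets=90_000, bytes=120_000_000, first=1_000, last=61_000),
    dict(src="10.0.0.25", dst="10.0.0.53", sport=41211, dport=53, proto=17, flags=0,
         packets=2, bytes=210, first=2_000, last=2_010),
    dict(src="203.0.113.5", dst="10.0.0.25", sport=0, dport=0x0800, proto=1, flags=0,
         packets=10, bytes=840, first=3_000, last=3_900),
]


def _ip2int(text):
    return int(ipaddress.IPv4Address(text))


def _int2ip(value):
    return str(ipaddress.IPv4Address(value))


def build_v5_export(flows, sys_uptime=70_000, unix_secs=1_680_598_800, sequence=0):
    """Serialize flows the way an exporter would put them on the wire."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(_ip2int(f["src"]), _ip2int(f["dst"]), 0, 1, 2,
                       f["packets"], f["bytes"], f["first"], f["last"],
                       f["sport"], f["dport"], 0, f["flags"], f["proto"], 0,
                       0, 0, 24, 24, 0)
        for f in flows)
    return header + records


def parse_v5_export(datagram):
    """Decode one export datagram; rejects other versions and truncated data."""
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header announces more records than present")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": _int2ip(r[0]), "dst": _int2ip(r[1]),
            "packets": r[5], "bytes": r[6], "duration_ms": r[8] - r[7],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12],
            "proto": PROTO_NAMES.get(r[13], str(r[13])),
        })
    return {"sequence": seq, "export_time": secs, "flows": flows}


def bytes_by_source(flows):
    """Total bytes sent per source address (a bandwidth monitor's basic view)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def large_outbound(flows, internal="10.0.0.0/8", threshold_bytes=50_000_000):
    """Flows from an internal host to an external one that exceed the threshold."""
    net = ipaddress.ip_network(internal)
    return [(f["src"], f["dst"], f["bytes"]) for f in flows
            if ipaddress.ip_address(f["src"]) in net
            and ipaddress.ip_address(f["dst"]) not in net
            and f["bytes"] >= threshold_bytes]


if __name__ == "__main__":
    parsed = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    for f in parsed["flows"]:
        print(f"{f['proto']:<4} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {f['bytes']} bytes")
    print("large outbound:", large_outbound(parsed["flows"]))
```

The flow export carries the `sequence` counter, so a collector can spot dropped datagrams; the truncation check matters because a short datagram would otherwise be read past its end. Note what is missing from the records: no payload, so you know 10.0.0.25 pushed 120 MB to 203.0.113.80 on port 443, but only a packet capture could tell you what was in it.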

If you remember going back to the Wireshark video where we looked at FTP traffic, when I analyzed the FTP traffic you could see the passwords in there. Also, if there are any type of errors or problems, you can see those in the Wireshark output as well. All right, hopefully we had some fun looking at the metadata of that email and that bitcoin address. I thought that was pretty funny, but it wasn’t funny; think about it, some people lost $4,500 to a scam. All right, just review this section. Make sure you know some of these commands. Basically, these are the logging tools for collecting log files across a network.

