Sometimes the best evidence of a network intrusion resides in network or traffic logs. Snort is a well known open-source traffic analysis and network intrusion detection tool. However, using the logs from Snort we can also see how the intrusion happened, rather than just that an intrusion happened.
We’ll use Snort to show how we can piece together what happened and when it happened without depending on traditional hard drive forensics. Computer forensics investigations are often described as trying to find a needle in a haystack. Doing traffic analysis is one way to make that stack of hay much smaller and make that needle much bigger.
In this video, one of the bonus labs from the InfoSec Institute Computer Forensic Online Training, we will examine the output of a Snort Log to:
- Investigate a suspicious program and user account.
- Monitor the command line traffic on the suspicious machine.
- Review the commands used to install an unauthorized program.
We will also cover the process of locating and researching an unidentified program in a system.
Hope this video helps,