Digital forensics

Computer Forensics: Snort Logs Analysis

April 8, 2011 by Keatron Evans

Sometimes the best evidence of a network intrusion resides in network or traffic logs. Snort is a well known open-source traffic analysis and network intrusion detection tool. However, using the logs from Snort we can also see how the intrusion happened, rather than just that an intrusion happened.

We’ll use Snort to show how we can piece together what happened and when it happened without depending on traditional hard drive forensics. Computer forensics investigations are often described as trying to find a needle in a haystack.  Doing traffic analysis is one way to make that stack of hay much smaller and make that needle much bigger.

In this video, one of the bonus labs from the InfoSec Institute Computer Forensic Online Training, we will examine the output of a Snort Log to:

  • Investigate a suspicious program and user account.
  • Monitor the command line traffic on the suspicious machine.
  • Review the commands used to install an unauthorized program.

We will also cover the process of locating and researching an unidentified program in a system.

Hope this video helps,
Keatron

Posted: April 8, 2011
Keatron Evans
View Profile

Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.