4.7 Data sources for investigation
📘CompTIA Security+ (SY0-701)
When a security incident happens (like malware infection, unauthorized access, or data leak), investigators need evidence to understand what happened, when, and how. Logs are one of the most important sources of that evidence. Logs are basically digital records that show activity in systems, networks, and applications.
Think of logs as a “diary” that IT systems keep—they record everything, and investigators read them to find clues about incidents.
Types of Logs
There are several types of logs, each providing different information:
1. Firewall Logs
- What they are: Firewalls control traffic coming in and going out of a network. Their logs record allowed and blocked traffic.
- What they show:
- IP addresses connecting to your network
- Ports being accessed
- Rules triggered (allowed or denied)
- Why they’re useful:
- Detect unauthorized access attempts
- Identify patterns of attacks (like repeated login attempts)
- IT example: A firewall log shows that an unknown IP tried to connect to a blocked port multiple times, indicating a potential attack attempt.
2. Application Logs
- What they are: Applications (software programs) generate logs for events such as user activity, errors, or transactions.
- What they show:
- User logins and logouts
- Errors or crashes
- Configuration changes
- Why they’re useful:
- Detect suspicious activity within apps
- Troubleshoot issues
- IT example: An application log shows repeated failed login attempts to an internal database, hinting at a possible brute-force attack.
3. Endpoint Logs
- What they are: Endpoints are devices like laptops, desktops, and servers. Endpoint logs track activities on those devices.
- What they show:
- File access and changes
- Program installations
- USB device connections
- Why they’re useful:
- Identify malware infections
- Detect unauthorized data copying
- IT example: Endpoint logs show a USB drive was connected and sensitive files were copied to it outside normal working hours.
4. Operating System (OS) Security Logs
- What they are: Every OS (Windows, Linux, macOS) logs security-related events.
- What they show:
- User authentication (logins/logouts)
- Privilege escalations (when a user gains admin rights)
- Failed login attempts
- Why they’re useful:
- Track insider threats
- Investigate unauthorized access
- IT example: Windows Security logs show a user tried to log in with an admin account 5 times and failed, indicating a potential attack.
5. Intrusion Detection/Prevention System (IDS/IPS) Logs
- What they are: IDS/IPS monitors network or host traffic for suspicious activity.
- IDS (Intrusion Detection System): Alerts only.
- IPS (Intrusion Prevention System): Alerts and can block threats.
- What they show:
- Detected attack patterns
- Malicious traffic sources
- Rule triggers
- Why they’re useful:
- Detect and prevent attacks
- Investigate attack methods
- IT example: An IPS log shows multiple SQL injection attempts coming from the same IP, which were blocked before affecting the database.
6. Network Logs
- What they are: These logs capture traffic between devices in a network.
- What they show:
- Packet flow
- Source and destination IPs
- Protocols and ports
- Why they’re useful:
- Trace network-based attacks
- Identify compromised devices
- IT example: Network logs show a device sending unusually large amounts of data to an unknown external IP, which could indicate data exfiltration.
7. Metadata
- What it is: Metadata is “data about data.” It provides context for files, communications, or events.
- What it shows:
- File creation and modification times
- Author or owner of files
- Email sender/receiver info
- Why it’s useful:
- Trace actions back to a specific user or time
- Establish timelines during investigations
- IT example: Metadata shows that a critical file was modified at 3:15 AM by a user account that normally doesn’t work at that time, raising suspicion.
Summary Table: Logs for Investigation
| Log Type | Key Information | Use in Investigation |
|---|---|---|
| Firewall | Allowed/blocked traffic, IPs, ports | Detect unauthorized access attempts |
| Application | User activity, errors, config changes | Find suspicious app activity or errors |
| Endpoint | File access, program installs, USB activity | Track malware or data theft |
| OS Security | Logins, privilege changes, failures | Detect unauthorized access |
| IDS/IPS | Attack patterns, alerts, blocks | Identify and stop attacks |
| Network | Traffic flows, IPs, ports, protocols | Trace attacks, spot anomalies |
| Metadata | File info, timestamps, authors | Build timelines, identify responsible users |
Key Points for the Exam
- Logs are primary evidence during an investigation.
- Different logs come from different sources (firewalls, apps, endpoints, OS, IDS/IPS, networks).
- Logs help detect, analyze, and respond to incidents.
- Metadata is critical for context and timelines.
- Knowing which log to check is crucial: e.g., failed login? Check OS security logs; suspicious network traffic? Check firewall or network logs.
