Log Forensics: The Basics of Finding Intel in Your Logs

Today’s post covers yet another log-related concept: log forensics. What’s this, and why should your organization care about it?

Well, this is a topic related to logs, which are ubiquitous in the technology field. An IT organization that doesn’t generate many MBs worth of logs each day would be a rare occurrence nowadays.

Get log data insights in just a few clicks – Try XpoLog out-of-the-box log analysis platform.

Even though logs are omnipresent, specific terms might not be so well-known. Not long ago, we covered log analytics, and today it’s log forensics time.

This post starts similarly to the log analytics one, by providing a brief overview of logging and its value to an organization. If you have experience with logging, you can skip this section without missing anything.

Then we get to the meat of the post, where we define log forensics, explain what it’s used for, and how it differs from other approaches, such as log analytics. Let’s get started.

The Value of Logging

As promised, before we start covering log forensics itself, we’ll do a quick overview of logging. What is logging all about?

In a nutshell, logging consists of recording information about what a system—for instance, an application—does when executing. We write these recordings to some persistent medium, such as a database table or a file in the disk. That way, we can access such information afterward and review it, but why would that be a desirable thing?

The primary use for logging of any kind is troubleshooting. Reading through log entries gives you this sort of time-travel power. By reading application logs, for instance, you can retrace the actions a user performed in an application, so you can understand and fix a problem.

Using logs only that way, though, really amounts to a reactive use. Don’t get me wrong: using logging to understand and fix problems is an amazingly useful approach. But at the end of the day, you’re leaving money on the table if you can’t put your logs to work for you in a more proactive manner.

That’s where approaches like log analytics come in handy since they allow you to use your logs in a more proactive manner, by extracting insights for them and potentially preventing problems before they happen.

How exactly does log forensics fit into this picture? How does it differ from log analytics? That’s what we’re going to see next.

Enter Log Forensics

We’ve just given you a quick overview of logging. Now you understand what logging is and why it matters if you didn’t know that already.

With that out of the way, we’re ready to get to the topic that gives the post its name: log forensics.

Log Forensics: How to Define It?

Log forensics, in a nutshell, consists of logging analytics applied to computer forensics. Let’s break that down by first explaining what we mean by computer forensics.

Defining Computer Forensics

SearchSecurity defines the term as follows:

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Another interesting and shorter definition is this one by Anton Chuvakin:

Computer forensics is (the) application of the scientific method to digital media in order to establish factual information for judicial review.

So, we could think of computer forensics as an interesting intersection between technology and the law. In other words, computer forensics consists of putting technical knowledge in service of the law.

Defining Log Analytics

Now we’ll offer a brief definition of a term we’ve mentioned a few times throughout this post: log analytics.

We actually have a whole post on the topic, and we recommend you read it. But in any case, here you have the definition we gave to log analytics there:

Log analytics means taking an active approaching to logging, instead of a passive/reactive one. It means analyzing log entries to better understand our applications, to be one step ahead and solve problems as quickly as possible—or prevent them before they happen.

Since log forensics involves log analytics, the definition above makes it obvious that log forensics is much more involved than just looking at log entries.

Since we’ve already defined both computer forensics and log analytics, we’re ready to put the two together to come up with a proper definition of log forensics.

Putting the Two Together

Log forensics is, in short, the fusion between computer forensics and log analytics. Putting the two concepts together, we can come up with a definition like this:

Log forensics means using log analytics in forensics. In other words, it means to perform analysis on log entries, in order to extract knowledge and insights from them, but with a very specific goal in mind: to establish factual information for judicial review.

I’ve seen log forensics be described as an intersection between law, science, and technology, and that’s not a bad way to put it. We could think of log forensics as a specialization of log analytics geared toward judicial investigations.

So, what is log forensics useful for? Does your organization need to care about it? That’s what the next section will cover.

Log Forensics: What Is It For?

We’ve just defined log forensics, but you might still be wondering what its applications are. It all boils down to security.

In short, log forensics is part of a response to incidents strategy. “Incident” here refers to security incidents. Those might be harmless, routine events, but might also be more severe occurrences, such as hacks or crimes.

What follows is a non-exhaustive list of scenarios in which computer forensics—and log forensics more specifically—might be essential:

• Finding the vulnerability which was exploited to allow an invasion
• Finding proof of a crime or hack
• Enabling data recovery from disasters
• Tracking the activities of a malicious actor

Log Forensics vs. Log Analytics

Finally, as mentioned before, we’ll understand how log forensics differs from log analytics.  The two approaches are meant to extract useful insights from logs, so these can be used to solve or even prevent problems and help in decision making. So, what is the difference, if there is any?

Basically, the difference resides in the overall goals of the two approaches. Log analytics means just analyzing the logs to learn something. Log forensics, on the other hand, has judicial purposes.

In other words, we can think of log forensics as a specialization of log analysis. And since log forensics is also a form of computer forensics, you can expect a greater degree of severity, norms, and regulations. And that’s because, as we’ve mentioned, computer forensic belongs to the realm of law. It’s become an area of scientific expertise, with accompanying coursework and certification.

Summary

In today’s post, we’ve defined yet another term related to logging: log forensics.

We’ve started by defining logging, explaining what it is and why it’s so valuable for organizations. Then we’ve proceeded to define log forensics as a sort of fusion between computer forensics and log analysis. Then, we’ve defined both computer forensics and log analysis and ended by putting the two together to come up with the final definition for log forensics.

After that, you’ve seen what are the uses for log forensics, learning that it amounts to log analysis applied to computer forensics. In other words, technology serving the law. We’ve wrapped up by explaining how log forensics differs from log analytics.

That’s it for today. Stay tuned to this blog to learn more about logging-related concepts, since that’s a common topic around here. Also, don’t forget to take a look at XpoLog’s product, which is a complete tool that automates the entire log management lifecycle: from log collection to problem discovery, passing through parsing, analysis, and monitoring.