
Why Should I Use Security Event Logs?
You Have To Plan Ahead To Catch An Intruder

From Tony Bradley, CISSP-ISSAP, for About.com

Hopefully you keep your computers patched and updated and your network is secure. However, it is fairly inevitable that you will at some point be hit with malicious activity: a virus, worm, Trojan horse, hacking attempt or something else. When that happens, the preparation you did before the attack will make the job of determining when and how the attack succeeded that much easier.

If you’ve ever watched the TV show CSI, or just about any other police or legal TV show, you know that even with the slimmest shred of forensic evidence the investigators can identify, track and catch the perpetrator of a crime.

But, wouldn’t it be nice if they didn’t have to sift through fibers to find the one hair that actually belongs to the perpetrator and do DNA testing to identify its owner? What if there was a record kept on each person of who they came into contact with and when? What if there was a record kept of what was done to that person?

If that were the case, investigators like those in CSI might be out of business. The police would find the body, check the record to see who last came into contact with the deceased and what was done, and they would already have the identity without having to dig. This is what logging provides in terms of forensic evidence when there is malicious activity on your computer or network.

If a network administrator does not turn on logging or does not log the correct events, digging up forensic evidence to identify the time and date or method of an unauthorized access or other malicious activity can be just as difficult as looking for the proverbial needle in a haystack. Often the root cause of an attack is never discovered. Hacked or infected machines are cleaned and everyone returns to business as usual without truly knowing if the systems are protected any better than they were when they got hit in the first place.

Some applications log things by default. Web servers like IIS and Apache generally log all incoming requests. This is mainly used to see how many people visited the web site, what IP addresses they came from and other metrics about the site. But in the case of worms like CodeRed or Nimda, the web logs can also show you when infected systems are trying to attack your server, because the specific requests they attempt show up in the logs whether or not they succeed.
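As an added illustration of that last point (example code, not part of the original article), the following scanner reads Apache-style common-log-format lines and flags the well-known request paths that CodeRed and Nimda probed for, keeping the HTTP status so a failed probe can be told apart from one the server actually answered. The log lines are constructed samples, and the signatures are the publicly documented ones rather than anything taken from the article.

```python
import re

# One Apache "common log format" line: client IP, identity, user, timestamp,
# request line, status, bytes. IIS W3C logs are laid out differently; this
# example assumes Apache-style output.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request paths the worms named in the article are publicly documented to
# probe: CodeRed hits the .ida ISAPI handler, Nimda asks for root.exe or a
# directory traversal to cmd.exe. Well-known signatures, not from the article.
WORM_SIGNATURES = {
    "CodeRed": [re.compile(r"/default\.ida\?", re.I)],
    "Nimda": [
        re.compile(r"/root\.exe", re.I),
        re.compile(r"/winnt/system32/cmd\.exe", re.I),
    ],
}

def classify(path):
    """Name the worm whose signature matches the request path, else None."""
    for name, patterns in WORM_SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return name
    return None

def scan(lines):
    """Return (client_ip, worm, http_status) for each matching request. The
    status matters because probes are logged whether or not they worked: a
    404 is a failed probe, a 200 on a worm path means check that host now."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # skip lines that are not well-formed entries
            continue
        worm = classify(m["path"])
        if worm:
            hits.append((m["ip"], worm, int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic); IPs from documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:10:04:12 -0400] "GET /index.html HTTP/1.1" 200 3421',
    '192.0.2.44 - - [18/Sep/2001:10:04:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.44 - - [18/Sep/2001:10:04:15 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [18/Sep/2001:10:05:01 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 200 0',
    'this line is not a log entry and is skipped',
]
```

Running `scan(SAMPLE_LOG)` yields two failed Nimda probes from one source and one CodeRed request the server answered with 200; only the last one is worth a forensic look at the server itself.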

Some systems have various auditing and logging functions built in, and you can also install additional software to monitor and log actions on the computer. On a Windows XP Professional machine there are options to audit account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking and system events.

For each of these you can choose to log successes, failures or nothing at all. Using Windows XP Pro as the example, if you did not enable any logging for object access you would have no record of when a file or folder was last accessed. If you enabled only failure logging, you would have a record of when someone tried to access the file or folder but was refused for lack of the proper permissions, but you would have no record of when an authorized user accessed it.


©2009 About.com, a part of The New York Times Company.

All rights reserved.