The forensic quality of retained logs, and the strategies and methods for obtaining them, are strongly influenced by the environment’s network log architecture. Disparate logs accumulated on a fleet of systems don’t really help an enterprise security staff understand the “big picture” of what is happening on the network. Distributed logs also make it difficult for security staff to audit the past history of security-related events. Even worse for the investigator, it can become a nightmare to locate and obtain important evidence.
The answer to this problem is to centralize event logging in such a way that all events of interest are aggregated and can be correlated between multiple sources. It may not be the case that the target environment is instrumented in such a way, but we’ll discuss ways that this can be achieved, either by IT staff in advance or on-the-fly to facilitate an investigation.
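The two steps described above, aggregating records from several sources into one schema and then correlating them, can be shown in miniature. The following is an added example written for this page, not code from the book: it normalizes sshd and firewall records (both sets of log lines below are constructed sample data in deliberately different timestamp formats) into one time-ordered event list, then looks back from each successful login for failed attempts and firewall records tied to the same source address. The host names, addresses and log formats are assumptions made for the example.

```python
"""Added example: aggregate two log sources into one schema and correlate
them by actor (source IP) within a time window.  All log lines below are
constructed sample data, not records from any real system."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime       # normalized to UTC so records from any source sort together
    source: str        # which log the event came from ("auth" or "fw")
    host: str          # system that emitted the record
    actor: str         # the IP the event is about; this is the correlation key
    action: str        # normalized description of what happened


# Constructed sample input: sshd lines with ISO timestamps and firewall lines
# with syslog-style timestamps (assumed hosts, addresses and formats).
AUTH_LINES = [
    "2024-03-01T10:00:05Z web01 sshd[1201]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "2024-03-01T10:00:09Z web01 sshd[1201]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "2024-03-01T10:00:14Z web01 sshd[1203]: Accepted password for deploy from 198.51.100.7 port 51004 ssh2",
    "2024-03-01T11:30:00Z db01 sshd[777]: Accepted publickey for backup from 10.0.0.5 port 40000 ssh2",
]
FW_LINES = [
    "Mar  1 09:59:58 2024 fw01 ALLOW TCP 198.51.100.7:51000 -> 10.0.0.21:22",
    "Mar  1 10:00:12 2024 fw01 ALLOW TCP 198.51.100.7:51004 -> 10.0.0.21:22",
    "Mar  1 11:29:55 2024 fw01 ALLOW TCP 10.0.0.5:40000 -> 10.0.0.30:22",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) (?P<verdict>\w+) "
    r"\w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_auth(line):
    """Normalize one sshd line; returns None for lines this parser does not understand."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    action = "ssh_%s:%s" % (m["result"].lower(), m["user"])
    return Event(ts, "auth", m["host"], m["ip"], action)


def parse_fw(line):
    """Normalize one firewall line (the device is assumed to log in UTC)."""
    m = FW_RE.match(" ".join(line.split()))  # collapse the padded day field
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    action = "fw_%s:%s->%s" % (m["verdict"].lower(), m["src"], m["dst"])
    return Event(ts, "fw", m["host"], m["src"], action)


def collect_events(auth_lines=AUTH_LINES, fw_lines=FW_LINES):
    """The 'centralize' step: every source lands in one time-ordered list."""
    events = [parse_auth(l) for l in auth_lines] + [parse_fw(l) for l in fw_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=5), threshold=2):
    """The 'correlate' step: for each successful login, look back `window`
    for failed attempts and firewall records from the same actor."""
    by_actor = defaultdict(list)
    for ev in events:                      # events are already time-ordered
        by_actor[ev.actor].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        for i, ev in enumerate(evs):
            if not ev.action.startswith("ssh_accepted"):
                continue
            recent = [e for e in evs[:i] if ev.ts - e.ts <= window]
            failures = [e for e in recent if e.action.startswith("ssh_failed")]
            fw_hits = [e for e in recent if e.source == "fw"]
            if len(failures) >= threshold:
                findings.append({
                    "actor": actor,
                    "login_host": ev.host,
                    "login_at": ev.ts.isoformat(),
                    "failures_before": len(failures),
                    "fw_hosts": sorted({e.host for e in fw_hits}),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(collect_events()):
        print(finding)
```

The point the example makes is that correlation is only possible once every source has been mapped onto a shared schema with a common clock: the firewall's syslog-style timestamp and sshd's ISO timestamp have to be normalized to UTC before the two records about 198.51.100.7 can be placed in the same five-minute window. An environment whose devices log in mixed local time zones, or whose clocks are not synchronized, will defeat this step no matter how well the records are aggregated.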