## Introduction
Network logs are vital evidence in cyber crime investigation. They record all network activities and help in reconstructing events, identifying attackers, and understanding the scope of an incident. This section will teach you how to analyze different types of network logs.
After this section, you will be able to analyze firewall logs, server logs, and router logs, and identify anomalies that indicate malicious activity.
## Types of Network Logs
Various devices on a network generate logs that can be valuable for investigation.
- Firewall Logs: Record allowed and blocked connections, source/destination IPs, ports, and protocols.
- Server Logs: Web server access logs, authentication logs, application logs, and error logs.
- Router Logs: Routing information, interface status, access control lists, and traffic flow data.
- Switch Logs: Port status, MAC address tables, VLAN information, and spanning tree events.
## Firewall Logs
Firewall logs are one of the most important sources of evidence in network investigations. They show all traffic that was allowed or blocked at the network perimeter.
### Common Firewall Log Fields
| Field | Description |
|---|---|
| Timestamp | Date and time of the event |
| Source IP | IP address initiating the connection |
| Destination IP | IP address receiving the connection |
| Source Port | Port used by the source |
| Destination Port | Port being accessed |
| Protocol | TCP, UDP, ICMP, etc. |
| Action | Allow, Deny, Drop, Reject |
| Rule ID | Which firewall rule was triggered |
| Bytes | Amount of data transferred |
| Interface | Network interface involved |
### Sample Firewall Log (iptables)
### What to Look For in Firewall Logs
- Repeated blocked connections: May indicate scanning or brute force attempts
- Unusual ports: Connections to uncommon ports (e.g., 4444, 31337)
- High volume traffic: Possible data exfiltration or DDoS
- Internal to external on unusual ports: Possible C2 communication
- After-hours traffic: Activity during non-business hours
- Geo-location anomalies: Connections from unexpected countries
Key ports to watch:
- 22 (SSH), 23 (Telnet): Remote access attempts
- 445, 139 (SMB): Ransomware, lateral movement
- 3389 (RDP): Remote desktop attacks
- 4444: Common Metasploit default
- High ports (>49152): May be C2 channels
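As an added example (not code from the original material), a small Python parser for iptables LOG-target lines that applies two of the checks above: a source blocked on many distinct destination ports (scanning) and any traffic on the key ports listed. The log lines, hostname `fw` and log prefixes `IPTABLES-DROP`/`IPTABLES-ACCEPT` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG-target format (not taken from the page).
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 12 03:14:08 fw kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 12 03:14:09 fw kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445 SYN
Jan 12 03:14:10 fw kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=3389 SYN
Jan 12 03:14:11 fw kernel: IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=8080 SYN
Jan 12 03:15:00 fw kernel: IPTABLES-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=443 SYN
Jan 12 03:16:30 fw kernel: IPTABLES-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=198.51.100.99 PROTO=TCP SPT=50111 DPT=4444 SYN
"""

# Ports the section singles out, with the reason each deserves a closer look.
KEY_PORTS = {22: "SSH", 23: "Telnet", 139: "SMB", 445: "SMB", 3389: "RDP", 4444: "Metasploit default"}
PREFIX_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>[A-Z-]+):")  # the --log-prefix text
KV_RE = re.compile(r"(\w+)=(\S*)")                                        # IN=eth0 SRC=... DPT=...

def parse_line(line):
    """Return the fields of one iptables log line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"timestamp": line[:15], "action": m.group("prefix")}
    fields.update(KV_RE.findall(line))  # KEY=VALUE pairs; OUT= yields an empty string
    return fields

def analyze(text, scan_threshold=5):
    """Flag sources blocked on many distinct ports (scanning) and every hit on a key port."""
    blocked_ports = defaultdict(set)
    key_port_hits = []
    for line in text.splitlines():
        f = parse_line(line)
        if not f or not f.get("DPT"):
            continue
        dpt = int(f["DPT"])
        if "DROP" in f["action"] or "REJECT" in f["action"]:
            blocked_ports[f["SRC"]].add(dpt)
        if dpt in KEY_PORTS:
            key_port_hits.append((f["SRC"], f["DST"], dpt, KEY_PORTS[dpt], f["action"]))
    scanners = {src: sorted(p) for src, p in blocked_ports.items() if len(p) >= scan_threshold}
    return scanners, key_port_hits

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The last sample line is the "internal to external on an unusual port" case from the list above: it was allowed, so it never appears among the blocked counts and is only caught by the key-port check.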
## Server Logs
Server logs contain detailed information about all requests and activities on a server. Web server logs are particularly important for investigating website attacks.
### Apache/Nginx Access Log Format
### Understanding HTTP Status Codes
| Code Range | Meaning | Investigation Note |
|---|---|---|
| 200-299 | Success | Normal requests; check for unauthorized access |
| 301, 302 | Redirect | May indicate URL manipulation |
| 400 | Bad Request | Malformed requests, possible attack |
| 401, 403 | Unauthorized/Forbidden | Failed access attempts |
| 404 | Not Found | Directory scanning if many from same IP |
| 500-599 | Server Error | May indicate successful exploitation |
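As an added example (not code from the original material), a Python parser for the Apache/Nginx Combined Log Format that applies the investigation notes from the table: many 404s from one IP (directory scanning), 401/403 failed access, and 5xx responses. The access-log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed access-log lines (not from the page): one normal visitor and one noisy client.
SAMPLE_ACCESS = """\
198.51.100.20 - - [12/Jan/2024:09:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2024:09:05:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:05:01 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:05:02 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:05:02 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:05:03 +0000] "GET /config/ HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:05:09 +0000] "POST /login HTTP/1.1" 401 95 "-" "curl/8.0"
203.0.113.9 - - [12/Jan/2024:09:06:40 +0000] "GET /report?id=abc HTTP/1.1" 500 0 "-" "curl/8.0"
"""

def parse_access_line(line):
    """Return the named fields of one Combined Log Format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze_access(text, not_found_threshold=5):
    """Count 404s per IP, 401/403 per IP and every 5xx, plus a status-class histogram."""
    not_found, failed_access, by_class, server_errors = Counter(), Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        by_class[status // 100] += 1
        if status == 404:
            not_found[rec["ip"]] += 1
        elif status in (401, 403):
            failed_access[rec["ip"]] += 1
        elif status >= 500:
            server_errors.append((rec["ip"], rec["method"], rec["path"], status))
    return {
        "scanners": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
        "failed_access": dict(failed_access),
        "server_errors": server_errors,
        "by_class": dict(by_class),
    }
```

Lines that do not match the regex (a different log format, or a truncated line) are skipped rather than crashing the run; count those separately if you need to prove the log was processed completely.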
### Windows Event Logs
Windows systems generate detailed event logs that are crucial for investigation:
### Important Event IDs
| Event ID | Description | Log |
|---|---|---|
| 4624 | Successful logon | Security |
| 4625 | Failed logon | Security |
| 4648 | Explicit credential logon | Security |
| 4720 | User account created | Security |
| 4732 | User added to a security-enabled local group | Security |
| 4688 | Process created | Security |
| 7045 | Service installed | System |
| 1102 | Audit log cleared | Security |
A brute force attack pattern in logs:
1. Multiple 4625 (failed logon) events from same IP
2. Eventually a 4624 (successful logon) if attack succeeded
3. Followed by 4720/4732 (account/privilege changes)
4. Then 4688 events showing malicious processes
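As an added example (not code from the original material), a Python detector that walks the four-step pattern above over a list of Security/System log events reduced to the fields the pattern needs. The events, IP addresses, usernames and process path are constructed; the helper `ev` and the time-window tie between the 4624 and the later 4720/4732/4688 events are assumptions of this example.

```python
from datetime import datetime, timedelta

def ev(t, event_id, ip=None, user=None, process=None):
    """One log entry reduced to the fields the pattern needs (hypothetical helper)."""
    return {"t": datetime.fromisoformat(t), "id": event_id, "ip": ip, "user": user, "process": process}

# Constructed event sequence on one host (not from the page): a burst of 4625s from one IP,
# then 4624, 4720, 4732 and 4688; plus a benign typo-then-success from another IP.
EVENTS = [ev(f"2024-01-12T02:10:{s:02d}", 4625, "203.0.113.40", "admin") for s in range(0, 30, 5)]
EVENTS += [
    ev("2024-01-12T02:10:40", 4624, "203.0.113.40", "admin"),
    ev("2024-01-12T02:12:05", 4720, user="svc_backup"),
    ev("2024-01-12T02:12:20", 4732, user="svc_backup"),
    ev("2024-01-12T02:13:00", 4688, user="admin", process=r"C:\Windows\Temp\update.exe"),
    ev("2024-01-12T08:00:00", 4625, "198.51.100.3", "bob"),
    ev("2024-01-12T08:00:10", 4624, "198.51.100.3", "bob"),
]

def detect_brute_force(events, failures=5, window=timedelta(minutes=10), follow=timedelta(hours=1)):
    """Walk the four-step pattern per source IP and return {ip: [stages reached]}."""
    events = sorted(events, key=lambda e: e["t"])
    results = {}
    for ip in sorted({e["ip"] for e in events if e["id"] == 4625}):
        fails = [e["t"] for e in events if e["id"] == 4625 and e["ip"] == ip]
        # Step 1: at least `failures` failed logons from this IP inside `window`.
        burst_end = next((fails[i + failures - 1] for i in range(len(fails) - failures + 1)
                          if fails[i + failures - 1] - fails[i] <= window), None)
        if burst_end is None:
            continue
        stages = ["4625 burst"]
        # Step 2: a successful logon from the same IP after the burst.
        success = next((e for e in events if e["id"] == 4624 and e["ip"] == ip and e["t"] >= burst_end), None)
        if success is not None:
            stages.append("4624 success")
            # Steps 3 and 4: account/group changes and process creation within `follow` of the logon.
            # Assumption: these events carry no source IP, so this example ties them to the logon by
            # time only; in a real investigation correlate them on the Logon ID instead.
            later = [e for e in events if success["t"] <= e["t"] <= success["t"] + follow]
            if any(e["id"] in (4720, 4732) for e in later):
                stages.append("4720/4732 account change")
            if any(e["id"] == 4688 for e in later):
                stages.append("4688 process")
        results[ip] = stages
    return results
```

The single failed logon followed by success from 198.51.100.3 never reaches the burst threshold, so it is not reported; tune `failures` and `window` to the environment's baseline before relying on the result.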
## Router Logs
Router logs provide visibility into network traffic flow and routing decisions. They are useful for understanding how traffic traversed the network.
### Types of Router Logs
- Syslog Messages: General system events and errors
- ACL Logs: Access Control List matches (allowed/denied traffic)
- NetFlow/IPFIX: Detailed traffic flow information
- SNMP Traps: Alert messages for specific conditions
- Authentication Logs: Login attempts to the router
### Sample Cisco Router Log
### NetFlow Analysis
NetFlow provides detailed traffic statistics that are valuable for:
- Traffic Analysis: Understanding communication patterns
- Anomaly Detection: Identifying unusual traffic volumes
- Bandwidth Usage: Finding top talkers and listeners
- Security Monitoring: Detecting scanning and attacks
### NetFlow Record Fields
## Anomaly Detection
Anomaly detection is the process of identifying patterns in logs that deviate from normal behavior. This helps in detecting attacks and suspicious activities.
### Common Anomaly Patterns
- Traffic Spikes: Sudden increase in traffic volume may indicate DDoS attack or data exfiltration.
- Failed Login Bursts: Multiple failed authentication attempts indicate brute force or credential stuffing.
- Off-Hours Activity: System access during non-business hours may indicate compromise.
- Geographic Anomalies: Access from unexpected locations or countries.
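As an added example (not code from the original material) serving both the NetFlow Analysis passage and the Traffic Spikes pattern above: Python that buckets NetFlow-style records into 5-minute intervals, learns a baseline (mean and standard deviation) from the first intervals, flags later intervals that exceed mean + 3 sigma, and lists the top talkers inside a flagged interval. The flow records, addresses and byte counts are constructed; the tuple layout is this example's own simplification of a NetFlow record.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed NetFlow-style records (not from the page): (start time, src, dst, dst port, proto, bytes).
# Six quiet 5-minute intervals, one more quiet one, then one large outbound transfer.
FLOWS = [(f"2024-01-12T10:{m:02d}:00", f"192.0.2.{h}", "198.51.100.10", 443, "TCP", b)
         for m, h, b in [(0, 21, 100_000), (5, 22, 120_000), (11, 23, 110_000), (16, 21, 130_000),
                         (21, 24, 115_000), (27, 22, 125_000), (31, 23, 118_000)]]
FLOWS += [("2024-01-12T10:36:00", "192.0.2.21", "198.51.100.77", 443, "TCP", 2_300_000),
          ("2024-01-12T10:37:00", "192.0.2.25", "198.51.100.10", 443, "TCP", 100_000)]

def interval_start(ts, minutes=5):
    """Floor an ISO timestamp to the start of its `minutes`-wide interval, returned as an ISO string."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0).isoformat()

def bytes_per_interval(flows, minutes=5):
    """Total bytes per interval, oldest first."""
    buckets = Counter()
    for start, _src, _dst, _dport, _proto, nbytes in flows:
        buckets[interval_start(start, minutes)] += nbytes
    return dict(sorted(buckets.items()))

def find_spikes(flows, baseline_intervals=6, sigma=3.0, minutes=5):
    """Learn mean/stddev from the first intervals (the baseline); flag later ones above mean + sigma*stddev."""
    buckets = bytes_per_interval(flows, minutes)
    keys = list(buckets)
    base = [buckets[k] for k in keys[:baseline_intervals]]
    threshold = mean(base) + sigma * pstdev(base)
    return [k for k in keys[baseline_intervals:] if buckets[k] > threshold]

def top_talkers(flows, start, n=3, minutes=5):
    """Sources sending the most bytes inside the interval that begins at `start` (ISO string)."""
    by_src = Counter()
    for flow_start, src, _dst, _dport, _proto, nbytes in flows:
        if interval_start(flow_start, minutes) == start:
            by_src[src] += nbytes
    return by_src.most_common(n)
```

A baseline of six intervals is only enough for a demonstration; in practice learn it from days of flow data, per source or per link, so that one busy backup window does not hide a real exfiltration.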
### Indicators of Compromise (IoCs) in Logs
| IoC Type | What to Look For |
|---|---|
| Malware C2 | Periodic connections to same IP/domain, unusual DNS queries |
| Data Exfiltration | Large outbound transfers, especially to cloud storage |
| Lateral Movement | Internal scanning, SMB traffic between workstations |
| Privilege Escalation | New admin accounts, group membership changes |
| Persistence | New services, scheduled tasks, registry changes |
| Defense Evasion | Log clearing, disabled security tools |
1. Normalize timestamps to a single timezone
2. Correlate logs from multiple sources
3. Create baselines of normal activity
4. Use automated tools for large log volumes
5. Document all findings with evidence
## Log Analysis Tools
### SIEM Solutions
- Splunk: Industry-leading log management and analysis
- ELK Stack: Elasticsearch, Logstash, Kibana - Open source
- IBM QRadar: Enterprise SIEM with built-in analytics
- Microsoft Sentinel: Cloud-native SIEM
- Graylog: Open source log management
### Free Tools for Log Analysis
- Log Parser: Microsoft tool for parsing various log formats
- GoAccess: Real-time web log analyzer
- Chainsaw: Windows event log analysis
- Loki: Log aggregation system by Grafana
- grep/awk/sed: Command-line tools for text processing
### Basic Log Analysis Commands
- Network logs (firewall, server, router) are critical evidence in cyber crime investigation
- Firewall logs show allowed and blocked connections with source/destination details
- Web server logs record all HTTP requests including methods, URLs, and response codes
- Windows Event IDs like 4624 (logon), 4625 (failed logon), 4688 (process) are key for investigation
- Router logs and NetFlow provide network traffic flow information
- Anomaly detection involves identifying deviations from normal patterns
- Common IoCs include unusual traffic patterns, failed logins, and geographic anomalies
- SIEM tools like Splunk and ELK Stack help analyze large volumes of logs