Anton Chuvakin - Logs for Incident Response
The workshop will cover the use of various system, network and security logs and audit trails in the incident response process, from methodology to practical case studies and tools. It will touch upon incident response practices and the role of logs in them, using logs for forensics and e-discovery as well as for pre-incident threat detection. The presentation will include several detailed case studies.
Here is a brief summary of the agenda:
- Brief incident response process overview
- Relationship between incident response and forensics
- Logs: what are they and what are they for?
- Log use at various stages of the response process: from incident detection to lessons learned
- Use of logs from various sources (firewall, IDS, system, application, etc.) during incident response
- Log review and monitoring processes
  - Routine log review
  - In-depth log analysis and log mining for incident recognition
- Log evidence integrity and US DoJ legal challenges
  - Raw vs parsed/tokenized logs as evidence
- Practical scenarios