Digital forensics is a vital facet of most fraud examinations today. In certain cases, network event logs will yield more evidence contained within the trail of information left by a user’s online activity than any other technical resource.
Whether we’re analyzing the contents of a hard drive, removable media, or mobile device, electronic evidence provides the fraud examiner with a broader picture of events. (Be sure to work with a certified digital forensics examiner to ensure you won’t nullify or spoil any evidence.)
NETWORK EVENT LOGS
Network event logs track a user’s Internet activities, such as visited Web sites, communications, and e-mailed documents. Two key pieces of digital information – the timestamp and the Internet Protocol (IP) address – will help the fraud examiner tie events together.
Timestamps on individual log entries denote the time at which the device’s logging system recorded the event. It’s critical to make sure the clock in the system generating the log is synchronized to a centralized time server. Most internal time servers use the Network Time Protocol or a variant of it. Any deviance in time might lead to incorrect assumptions.
An IP address, a unique numeric identifier assigned to devices and systems participating in a network, can be either public or private, and dynamically or statically assigned. A unique public IP address must be assigned to every computer or device that connects to the Internet. In certain cases, however, it might be impractical and unnecessary to assign a public IP address to computers on a corporate or home network.
The Internet Engineering Task Force initially created these private addresses because of the shortage of publicly available IP addresses. Any organization can use them for their internal networks because a central body doesn’t globally assign them. However, the addresses won’t be routable over the Internet. This means organizations using private IP addresses for their internal networks will have to use proxy servers or Network Address Translation (NAT) gateways to connect their computers to the Internet.
A NAT is a way to map an entire network or networks to a single public IP address. It’s especially useful when the number of public IP addresses assigned to a company is fewer than the number of computers and devices that require access to the Web.
IP addresses can be static or dynamic. Static IP addresses are manually assigned to servers, systems, or devices to be their permanent addresses. Workstations generally will receive their addresses from a pool maintained by a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers are internal to the organization and assign IP addresses based on requests received from workstations when they connect to the network.
Dynamic IP addresses assigned by a DHCP server might be constant over a long period of time, but they can change. Companies with DHCP servers should keep detailed records of which workstations the IP addresses were assigned to and when. A discussion with a trusted member of the IT department should help you determine how the IP addresses are assigned within the organization.
SOURCES OF BROWSING ACTIVITY
Proxy servers, located on corporate networks, act as relays between internal networks and the Internet. Often, they’re used to accelerate the delivery of Web content, reduce the required bandwidth (which can help lower Internet access charges), and filter objectionable content.
If properly configured, these servers will log all user activity, including the IP address that makes the request, the time of the request, and the requested URL for all connection attempts. The following illustrates some of the relevant evidence that can be pulled from Web proxy logs:
- Searches: Queries made using search engines can provide valuable information to the fraud examiner. Searches indicative of fraudulent activity can include: “How to erase online activity,” “How to forge a check,” and “Fake pay stubs.”
- Downloaded software: The user might have downloaded encryption software, time-wasting games software, etc.
- Visited Web sites: A review of Web sites visited by fraud suspects can reveal their interests and hobbies, which can help the fraud examiner build rapport during interviews.
- Web-based e-mail: Web proxy logs reveal if a user has been using any form of Web-based e-mail, which could indicate to the examiner that the individual’s computer should be searched.
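Tying a proxy log entry back to a workstation means combining the two pieces of information described above: the entry's timestamp and client IP address, and the DHCP lease records showing which workstation held that address at that moment. The following is an added example, not code from the column or from any product it mentions; the lease records, the hostnames, the simplified proxy log format ("time, client IP, action, URL") and the search queries are all constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed DHCP lease records (not from any real server):
# (ip, hostname, lease start, lease end), all in UTC.
# Note that 10.0.0.25 is held by two different workstations on the same day.
DHCP_LEASES = [
    ("10.0.0.25", "WS-ACCOUNTING-07", "2009-03-02T08:00:00", "2009-03-02T12:00:00"),
    ("10.0.0.25", "WS-SALES-03",      "2009-03-02T12:30:00", "2009-03-02T18:00:00"),
    ("10.0.0.41", "WS-HR-01",         "2009-03-02T07:45:00", "2009-03-03T07:45:00"),
]

# Constructed proxy log lines in a simplified format: "<UTC time> <client ip> <action> <URL>".
PROXY_LOG = """\
2009-03-02T09:15:02 10.0.0.25 ALLOW http://www.google.com/search?q=how+to+forge+a+check
2009-03-02T13:05:44 10.0.0.25 ALLOW http://mail.example.com/inbox
2009-03-02T12:10:00 10.0.0.25 ALLOW http://www.example.org/
2009-03-02T10:00:00 10.0.0.41 DENY http://www.bing.com/search?q=fake+pay+stubs
"""

def _ts(s):
    """Parse an ISO timestamp as UTC; all sources must share one reference clock."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def workstation_for(ip, when, leases=DHCP_LEASES):
    """Return the hostname that held `ip` at `when`, or None if no lease covers it."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and _ts(start) <= when < _ts(end):
            return host
    return None

def search_query(url):
    """Extract a search-engine query from the URL's q= parameter, if any."""
    q = parse_qs(urlparse(url).query).get("q")
    return q[0] if q else None

def attribute_requests(log=PROXY_LOG, leases=DHCP_LEASES):
    """Tie each proxy log entry to the workstation that held the client IP at that time."""
    results = []
    for line in log.splitlines():
        ts, ip, action, url = line.split(maxsplit=3)
        when = _ts(ts)
        results.append({
            "time": when, "ip": ip, "action": action,
            "host": workstation_for(ip, when, leases) or "UNATTRIBUTED",
            "site": urlparse(url).hostname,
            "query": search_query(url),
        })
    return results
```

The 12:10 entry falls between two leases and is left unattributed rather than guessed, which is exactly the gap a clock drift or an incomplete DHCP record would create.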
FIREWALLS CAN BE USED TO FIND EVIDENCE
Firewalls enforce an access control policy for traffic flowing among networks. A firewall policy determines which “packets” – formatted blocks of data carried by a network – can flow in and out of each network segment by examining such information as origination or destination IP address, communication protocol, etc.
The most effective firewall policy is designed to restrict all traffic except that which is expressly permitted. Firewalls act like a choke point between the corporate network and the Internet. A fraud examiner can use firewalls to obtain:
- Communication flows: Firewalls will log extremely large amounts of data. They should, at a minimum, log the timestamp of the connection attempt; determine if it was accepted or denied; and store key packet information like the protocol, the source, and destination IP address, plus the source and destination port.
- Identifying sources of attack: We can identify the source of a network break-in by examining firewall logs. However, keep in mind that the source might be another compromised computer the hacker is using to “launder” the true source of his connection. In other words, the hacker will use a number of jump-off points to hide where he is located to make tracking much more difficult.
- Online activity: If a proxy isn’t present, the fraud examiner might be able to determine what sites the user visited by examining outbound communications to Web sites.
ACCESS CONTROL LOGS
We can examine access control logs for a variety of systems and devices, be it for network logins, remote access, applications such as ERPs, etc. Minimally, access control logs should provide investigators with:
- Workstation access: Which user was logged in and at what time?
- Application access: Where did the user log in from? What did he access? Were there multiple denied accesses?
- Remote access: Did the user log in during a vacation? The evening? On weekends?
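The questions in the list above can be asked of an access-control log mechanically: compare each successful login against working hours, weekends and HR vacation records, and count repeated denials per user, system and day. This is an added example, not the column's own material; the log entries, the vacation record, the 7:00 to 19:00 working hours and the threshold of three denials are constructed assumptions.

```python
from datetime import datetime, date, time

# Constructed access-control entries (not from a real system):
# (user, local timestamp, system, source IP, result)
ACCESS_LOG = [
    ("jdoe",   "2009-03-02T09:12:00", "ERP", "10.0.0.25",    "SUCCESS"),
    ("jdoe",   "2009-03-07T23:40:00", "ERP", "10.0.0.25",    "SUCCESS"),  # Saturday night
    ("jdoe",   "2009-03-10T10:00:00", "VPN", "198.51.100.7", "SUCCESS"),  # during vacation
    ("asmith", "2009-03-03T08:58:00", "ERP", "10.0.0.41",    "DENIED"),
    ("asmith", "2009-03-03T08:58:30", "ERP", "10.0.0.41",    "DENIED"),
    ("asmith", "2009-03-03T08:59:10", "ERP", "10.0.0.41",    "DENIED"),
    ("asmith", "2009-03-03T09:00:00", "ERP", "10.0.0.41",    "SUCCESS"),
]

# Constructed HR vacation records: user -> [(first day, last day)], inclusive.
VACATIONS = {"jdoe": [(date(2009, 3, 9), date(2009, 3, 13))]}

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed normal working hours
DENIED_THRESHOLD = 3  # denials for one user on one system in one day before we flag it

def review_access(log=ACCESS_LOG, vacations=VACATIONS):
    """Return (user, timestamp, reason) findings that merit follow-up with HR and IT."""
    findings = []
    denied = {}
    for user, ts, system, source, result in log:
        when = datetime.fromisoformat(ts)
        if result == "DENIED":
            key = (user, system, when.date())
            denied[key] = denied.get(key, 0) + 1
            if denied[key] == DENIED_THRESHOLD:
                findings.append((user, ts, f"{DENIED_THRESHOLD} denied attempts on {system}"))
            continue
        if when.weekday() >= 5:  # Saturday or Sunday
            findings.append((user, ts, f"weekend login to {system}"))
        elif not BUSINESS_START <= when.time() < BUSINESS_END:
            findings.append((user, ts, f"after-hours login to {system}"))
        for first, last in vacations.get(user, []):
            if first <= when.date() <= last:
                findings.append((user, ts, f"login to {system} from {source} during recorded vacation"))
    return findings

if __name__ == "__main__":
    for user, ts, reason in review_access():
        print(ts, user, reason)
```

A finding is a lead for the interview, not proof: the log shows an account was used, and only the DHCP and workstation evidence shows by whom.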
TAKING IT FROM HERE
We can draw from the wealth of information captured in network event logs when conducting fraud examinations. In today’s high-tech environment, we can discover user activity by examining logs from sources such as e-mail servers, intrusion detection systems, and firewalls.
NEXT ISSUE
In the next column, we’ll examine SQL injection attacks, which hackers use to steal sensitive information and turn computers into obedient “bots” to attack other computers.
Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte’s Forensic & Dispute Services practice in Montreal, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.