Note: Although this was created some time back (sorry for sharing this so late), there are still improvements to be made. Discussions are always welcome.
When responding to an enterprise network compromise, one big question (and source of pressure) is that network IOCs need to be determined quickly. This information would usually come from the malware and tools used in the compromise, but because surfacing network IOCs and triaging machines happen in parallel, we face a Catch-22: How do we find machines and malware without network IOCs available? How do we get network IOCs without analyzing any suspect machines or malware?
Quoting from Anton Chuvakin’s slides from his 2006 presentation at FIRST:
Log analysis is (the) trying to make sense of system and network logs.
Computer forensics is (the) application of the scientific method to digital media in order to establish factual information for judicial review.
Log forensics is (the) trying to make sense of system and network logs, in order to establish factual information for judicial review.
Makes sense; maybe I’ve been googling for the wrong keywords all this time! Until recently, I’ve been looking at this field largely from a data mining viewpoint.
While processing logs or other text, you may come across timestamps in epoch format. Online resources can convert such timestamps for you, but that is not the best way if the timestamps are sensitive and should not leave your machine, or if you have thousands or millions of them to convert.
While there are free tools like Splunk (available free to the masses, and yes, it does convert epoch timestamps for you automatically), there is always our “humble” awk.
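As an added example (not from the original post), here is a shell function that rewrites the epoch timestamp at the start of each log line into a UTC date/time using only awk arithmetic, so it works with any POSIX awk, not just gawk’s strftime(). The sample log lines are constructed, and non-negative epoch seconds are assumed.

```shell
#!/bin/sh
# epoch_to_utc: read log lines whose first field is epoch seconds and
# print the same lines with that field replaced by "YYYY-MM-DD HH:MM:SS" (UTC).
# Lines whose first field is not a plain integer are passed through unchanged.
epoch_to_utc() {
  awk '
  # civil(days): days since 1970-01-01 -> "YYYY-MM-DD".
  # Uses the proleptic Gregorian "days to civil" algorithm (400-year eras);
  # assumes days >= 0, i.e. epoch values on or after 1970-01-01.
  function civil(z,   era, doe, yoe, doy, mp, d, m, y) {
    z += 719468                       # shift epoch to 0000-03-01
    era = int(z / 146097)             # 146097 days per 400-year era
    doe = z - era * 146097            # day of era
    yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
    y = yoe + era * 400
    doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))   # day of year, March-based
    mp = int((5*doy + 2)/153)         # month index, 0 = March
    d = doy - int((153*mp + 2)/5) + 1
    m = mp < 10 ? mp + 3 : mp - 9     # back to January-based months
    if (m <= 2) y++                   # Jan/Feb belong to the next civil year
    return sprintf("%04d-%02d-%02d", y, m, d)
  }
  $1 ~ /^[0-9]+$/ {
    secs = $1
    days = int(secs / 86400)
    rem  = secs - days * 86400        # seconds into the day
    $1 = civil(days) " " sprintf("%02d:%02d:%02d",
                                 int(rem/3600), int(rem%3600/60), rem%60)
  }
  { print }'
}

# Constructed sample log; field 1 is the epoch timestamp.
SAMPLE_LOG='1700000000 host1 sshd accepted
1262304000 host2 proxy GET http://example.invalid/
0 host3 boot
no-timestamp line kept as-is'

printf '%s\n' "$SAMPLE_LOG" | epoch_to_utc
```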