It’s funny how much (or rather, little) is talked about in DFIR circles about analyzing logs before/during an incident.
While it is really sexy (oh yeah!) to be able to dig out stuff from a computer that Joe or that pesky malware writer tried to hide, responding to incidents requires information to be surfaced as much and fast as possible in order to solve the mystery and contain the damage. And for organization-scale incidents, one great source of information would be the logs generated from the various endpoints/perimeter devices.
So far there’s the area of SIEMs and logs management, where we get the heavyweights like Anton Chuvakin. The closest could perhaps be SANS’ network forensics course offerings, but the coverage is glancing at best. But looking for discussions in terms of analyzing logs specifically for DFIR, zilch. Perhaps I’m looking at the wrong areas, if so do let me know 😀
As with many security-related domains, the more an area is publicly shared, researched and discussed, the more the good guys stand to gain. The flip side argument being that the bad guys are reading the same stuff too, but that’s another topic to be visited another time.
Till then, will share whatever I can about this area that I’ve learnt so far. It’s really a curious monster in itself amongst DFIR efforts.