Where are the discussions on analyzing logs in DFIR?

It’s funny how much (or rather, little) is talked about in DFIR circles about analyzing logs before/during an incident.

While it is really sexy (oh yeah!) to be able to dig out stuff from a computer that Joe or that pesky malware writer tried to hide, responding to incidents requires information to be surfaced as much and fast as possible in order to solve the mystery and contain the damage. And for organization-scale incidents, one great source of information would be the logs generated from the various endpoints/perimeter devices.

So far there’s the area of SIEMs and logs management, where we get the heavyweights like Anton Chuvakin. The closest could perhaps be SANS’ network forensics course offerings, but the coverage is glancing at best. But looking for discussions in terms of analyzing logs specifically for DFIR, zilch. Perhaps I’m looking at the wrong areas, if so do let me know 😀

As with many security-related domains, the more an area is publicly shared, researched and discussed, the more the good guys stand to gain. The flip side argument being that the bad guys are reading the same stuff too, but that’s another topic to be visited another time.

Till then, will share whatever I can about this area that I’ve learnt so far. It’s really a curious monster in itself amongst DFIR efforts.
