Description: list of items to consider for network device forensic analysis

What to scrutinize

• Look at both inbound and outbound activities.

Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality:

• Traffic allowed on firewall: “Built … connection”, “access-list … permitted”

• Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”

• Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”

• Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”

• Detected attack activity: “attack from”

• User account changes: “user added”, “user deleted”, “User priv level changed”

• Administrator access: “AAA user …”, “User … locked out”, “login failed”

Resources

• Critical Log Review Checklist for Security Incidents