Hello Tony,

Saturday, July 06, 2002, 2:44:29 AM, you wrote:

> hi all,
> I have read the mailing list for a year. It is well-known that
> log files are an important piece of e-evidence in computer
> forensics. But few people focus on them. Let us discuss how to
> collect, protect and parse the log files in different systems
> including Windows, IDS, firewall, applications etc. I appreciate anyone who
> can provide suggestions, ideas or papers.

CERT has two really good papers on log file protection:

http://www.cert.org/security-improvement/practices/p092.html
http://www.cert.org/security-improvement/practices/p048.html

Basically, what it boils down to is:

1. Use syslog (there are syslog daemons available for Windows machines).
2. Encrypt log functions.
3. Make the syslog server difficult to access -- use a serial line if
   possible, otherwise run some sort of firewall system (like ipfilter) on
   the firewall to control access.
4. Use a write once, read many (WORM) disk -- a CDR or tape drive, or
   configure the logs so that they can be appended to, but not overwritten
   (only some OSes support this).

I'm sure there are a lot of things I am missing, but it's a start :).

allan

--
allan
allanat_private
http://www.allan.org

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
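Added example, not part of allan's message or of the CERT papers: point 4 above (append, never overwrite) can be backed in software by chaining each log record to the previous one with a keyed hash, so an edit or a deleted middle record breaks the chain. The script below is illustrative Python written for this archive page; the key, the syslog-style lines and the record format are all constructed here and are not from any real system. It also shows the caveat that chaining alone cannot detect records dropped from the tail unless the last hash was shipped off-box (for example to the syslog server from point 1).

```python
"""Tamper-evident, append-only log demo (constructed example).

Each record stores an HMAC-SHA256 over (previous record's hash, line), so
modifying or removing a record invalidates every record after it. The last
hash ("head") should be sent to a separate host so tail truncation is also
detectable.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice the verifying host holds the key and the
# logging host never needs to read old records, only to append.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _digest(key, prev_hash, line):
    msg = prev_hash.encode() + b"\n" + line.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, line, key=SAMPLE_KEY):
    """Append one log line to the chain (a list of dicts) and return the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": len(chain), "line": line, "hash": _digest(key, prev, line)})
    return chain


def verify_chain(chain, key=SAMPLE_KEY, expected_head=None):
    """Walk the chain from GENESIS.

    Returns (ok, problem): problem is the index of the first bad record,
    the string "truncated" when the final hash differs from expected_head,
    or None when the chain checks out. Without expected_head (the last hash
    recorded off-box), silently dropping records from the tail is invisible.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _digest(key, prev, rec["line"])
        if rec["seq"] != i or not hmac.compare_digest(rec["hash"], expected):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "truncated"
    return True, None


def dump_chain(chain):
    """One JSON object per line: the natural format for an append-only file."""
    return "".join(json.dumps(rec, sort_keys=True) + "\n" for rec in chain)


def load_chain(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_chain():
    """Constructed syslog-style lines (RFC 1918/5737 addresses), not real data."""
    lines = [
        "Jul  6 02:44:29 fw1 ipf: block in on ed0 192.0.2.7 -> 198.51.100.2 PR tcp",
        "Jul  6 02:44:31 fw1 sshd[1234]: Accepted publickey for admin from 198.51.100.10",
        "Jul  6 02:45:02 fw1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /var/log/messages",
    ]
    chain = []
    for line in lines:
        append_record(chain, line)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]
    print("intact:", verify_chain(chain, expected_head=head))
    edited = [dict(r) for r in chain]
    edited[1]["line"] = edited[1]["line"].replace("Accepted", "Failed")
    print("edited record:", verify_chain(edited, expected_head=head))
    print("tail dropped, no anchor:", verify_chain(chain[:-1]))
    print("tail dropped, with anchor:", verify_chain(chain[:-1], expected_head=head))
```

The on-disk form from dump_chain() pairs naturally with an append-only file attribute or a WORM medium: the chain catches edits, the medium prevents them, and the off-box head hash catches truncation.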
This archive was generated by hypermail 2b30 : Sat Jul 06 2002 - 11:50:15 PDT