Channel: Splunk Blogs

Using Splunk for Computer Forensics


I was talking to one of our Sales Engineers, Bert Hayes, the other day about using Splunk for computer forensics. Bert was formerly a Splunk customer at a large university in the southern U.S., where he used Splunk for security. He really knows his stuff in this area. Anyhow, Bert mentioned to me how he used to use Splunk for computer forensics and pointed me to a great blog post that he found helpful on the topic. I found the post to be a great read and wanted to share it.

The blog is courtesy of Klein & Co., experts in computer forensics. In the post they detail how to use Splunk to build a computer forensic timeline for analysis. The link to their post is:

http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

Basically, you use Sleuthkit and log2timeline (both free tools) to extract file system and other temporal data from the computer in question as CSV files. Within these CSVs is the information needed to reconstruct the system and user activity on the computer. You then Splunk the CSVs. In the post, Klein & Co. even give you the props.conf and transforms.conf you can leverage to get the data into Splunk with proper field extractions.

At this point, Splunk can build a detailed timeline of all the actions on the machine. You can then easily run Splunk searches to answer questions like: What files did the user access in a certain time period? What files did the user put in the Recycle Bin during a certain time period? Did the user attach a file to a webmail message? As Klein & Co. put it, the searches you can run are “really up to your creativity and your understanding of the underlying data.” Well put!
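To make the workflow above concrete, here is an added example (my own code, not from the original post, Klein & Co., or Splunk) that takes a small constructed CSV in the style of a log2timeline export, parses each row into a real timestamp, and answers the three questions the post lists: files accessed in a window, files that landed in the Recycle Bin, and webmail attachment activity. The column layout, user name, host name, paths and timestamps are all assumptions chosen for illustration; in practice you would index the real CSVs in Splunk and express the same filters as searches. The per-hour bucketing at the end mirrors what a Splunk timechart gives you once the data is indexed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample modelled loosely on a log2timeline CSV export.
# Columns, values and the "jdoe"/"WS01" names are illustrative only.
SAMPLE_CSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,desc,filename
03/14/2012,09:15:02,UTC,.A..,FILE,NTFS $MFT,Last Access,jdoe,WS01,File accessed,C:/Users/jdoe/Documents/report.docx
03/14/2012,09:17:45,UTC,...B,FILE,NTFS $MFT,Created,jdoe,WS01,File created,C:/$Recycle.Bin/S-1-5-21-1/$R3X9A1.pdf
03/14/2012,09:18:10,UTC,M...,FILE,NTFS $MFT,Modified,jdoe,WS01,File modified,C:/Users/jdoe/Documents/budget.xlsx
03/14/2012,11:02:33,UTC,.A..,WEBHIST,Firefox History,Page Visited,jdoe,WS01,URL visited,https://mail.example/compose?attach=1
03/15/2012,08:00:00,UTC,.A..,FILE,NTFS $MFT,Last Access,jdoe,WS01,File accessed,C:/Users/jdoe/notes.txt
"""


def utc(s):
    """Turn an ISO string like '2012-03-14T09:00:00' into an aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def load_timeline(text):
    """Parse CSV rows into dicts carrying an aware UTC datetime under 'ts', oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(r["date"] + " " + r["time"], "%m/%d/%Y %H:%M:%S")
        r["ts"] = stamp.replace(tzinfo=timezone.utc)  # sample declares UTC in every row
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def in_window(rows, start, end):
    """Rows whose timestamp falls inside [start, end]; bounds are ISO strings."""
    lo, hi = utc(start), utc(end)
    return [r for r in rows if lo <= r["ts"] <= hi]


def files_accessed(rows, user, start, end):
    """Files the user accessed in the window: filesystem rows with the 'A' (access) flag set."""
    return [r["filename"] for r in in_window(rows, start, end)
            if r["user"] == user and r["source"] == "FILE" and "A" in r["MACB"]]


def recycled_files(rows, user, start, end):
    """Files that appeared under the Recycle Bin folder in the window."""
    return [r["filename"] for r in in_window(rows, start, end)
            if r["user"] == user and "$Recycle.Bin" in r["filename"]]


def webmail_attach_hits(rows, user, start, end):
    """Browser-history rows hinting at a webmail compose/attach action in the window."""
    return [r["filename"] for r in in_window(rows, start, end)
            if r["user"] == user and r["source"] == "WEBHIST"
            and "attach" in r["filename"].lower()]


def events_per_hour(rows):
    """Count events per hour bucket, the shape a Splunk timechart would return."""
    counts = Counter(r["ts"].strftime("%Y-%m-%d %H:00") for r in rows)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    tl = load_timeline(SAMPLE_CSV)
    print("accessed:", files_accessed(tl, "jdoe", "2012-03-14T09:00:00", "2012-03-14T10:00:00"))
    print("recycled:", recycled_files(tl, "jdoe", "2012-03-14T00:00:00", "2012-03-14T23:59:59"))
    print("webmail:", webmail_attach_hits(tl, "jdoe", "2012-03-14T00:00:00", "2012-03-14T23:59:59"))
    print("per hour:", events_per_hour(tl))
```

The filters deliberately key on the MACB flags and the source column rather than on free-text descriptions, because those fields are what survive consistently across artifact types; the same discipline applies when you write the equivalent Splunk searches against the fields your props.conf extracts.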

Anyhow, please read their posting for more detail, and happy Splunking for Security!

Joe
