NIT470, Advanced Log Analysis (ALA)
Who Should Attend:
Training is available to DoD and federal agents who will be required to
analyze network logs as part of an investigation.
Prerequisites:
TT110 (INCH), RT120 (CIRC), FT210 (WFE-E) or FT215 (WFE-FTK), NIT301 (NMC),
And one of the following: IT250 (FISE), IT260 (FIWE) or IT270 (FILE)
Duration:
5 Days
Course Description:
Teaches advanced techniques for processing log files from common operating
systems and devices such as firewalls, intrusion detection systems, sniffers,
etc. Students learn how to effectively filter and search through a variety
of log formats and to extract data from them as required. Also includes
instruction in recognizing the signs of unauthorized activity within log
files and correlating any discovered events. Prospective students should
know the elements of network traffic and network protocols. {Mobile}
Objectives
- Search and filter text and binary logs
- Format log data
- Extract data from log files, including data transfers found in captured network traffic
- Identify the artifacts associated with the different stages of a network intrusion
Topics Covered
Intrusion Analysis
- Intrusion Methods
- The Scientific Method and Intrusion Analysis
- Observing Intrusion-Related Activities and Generating a Hypothesis
- Predicting the Nature and Location of Intrusion Artifacts
- Using Log Analysis to Evaluate an Intrusion Hypothesis
- Forming a Conclusion and Reporting Findings
Log Analysis
- Overview, Log File Types and Formats
Analyzing Text Logs
- Filtering, Searching and Extracting Data from Text Logs
Formatting and Searching Binary Logs
- Command Line Tools
- GUI Tools
- Searching Binary Logs with an IDS
- Formatting Binary Log Elements
Extracting Data from Binary Logs
- Basic Data Extraction and Carving