Domain 4
4.9 Investigation Data Sources
Use data sources to support an investigation.
0% Complete

Log data provides a chronological record of system activities and events, serving as the primary source for auditing, forensic analysis, and real-time threat detection.
Network and Infrastructure Logs - Firewall logs record traffic allowed or denied based on security rules, helping identify unauthorized access attempts or suspicious outbound connections to C2 servers. - IPS/IDS logs capture alerts regarding signature-matched threats or behavioral anomalies, providing critical forensic data on the "who, what, and when" of a network attack. - VPN logs track remote access sessions, including authentication successes, failures, and the source IP addresses of remote users.
Operating System and Endpoint Logs - OS logs (such as Windows Event Viewer or Linux Syslog) document system-level events like service restarts, driver failures, and kernel errors. - Authentication logs track logon/logoff activity; frequent failures are a primary "trigger word" for identifying Brute-Force or Credential Stuffing attacks. - Application logs record specific events within software, such as database queries, file modifications, or web server errors (e.g., HTTP 404 or 500 errors).
Data Responsibilities and Compliance - Data Owner is the entity, usually the organization, that holds legal rights (copyrights/trademarks) and delegates management tasks. - Data Controller (GDPR) determines the "why and how" of PII processing and ensures overall regulatory compliance. - Data Processor (GDPR) handles data solely on behalf of the controller. - Data Custodian manages the technical environment, including backups, encryption, and the integrity of the logs themselves.
Data States and Sensitivity - Data in Use refers to information in RAM or CPU caches; it is vulnerable to shoulder surfing and keyloggers. - Data Classifications (e.g., Public, Private, Proprietary) determine the level of log granularity required; highly sensitive data (High Impact) requires more stringent auditing. - NIST FIPS 199 provides a framework for classifying data based on the potential impact to Confidentiality, Integrity, and Availability (CIA triad).
Quick recall - SIEM: A tool that centralizes logs from firewalls, endpoints, and apps for correlation. - Firewall Deny: Look here first for evidence of a blocked reconnaissance scan. - Authentication Failure: The primary log indicator for account-based attacks. - Data Custodian: The person responsible for the actual maintenance and security of log storage. - Shoulder Surfing: A physical threat specifically targeting Data in Use.