System Log Analysis & Forensic Investigation

PBQ 5: Digital Forensics & Log Analysis

Scenario
Forensic Investigation

You are a security analyst investigating suspicious activity on your network. Multiple systems have reported anomalies, and you need to analyze system logs, security logs, and firewall logs to determine:

1. **What type of attack occurred?**
2. **Which user account was compromised?**
3. **What was the attack vector (initial access method)?**
4. **Which system was Patient Zero?**
5. **What remediation steps should be taken?**

Your organization uses Windows servers with standard logging enabled. The Security Operations Center (SOC) has collected logs from multiple sources spanning a 24-hour period. Analyze the logs carefully to identify the attack timeline, tactics, and indicators of compromise (IOCs).

Instructions: Review all log entries from different systems and sources. Answer each question based on your forensic analysis of the logs. Pay attention to timestamps, user accounts, source IPs, and process behaviors.

System Logs (17 entries)
| Source | Severity | Timestamp | Host | Message | User | Source IP |
|---|---|---|---|---|---|---|
| Application | Info | 2024-01-15 08:45:12 | WEB-SRV-01 | IIS: GET /login.php - 200 OK | | 203.0.113.45 |
| Application | Warning | 2024-01-15 09:23:41 | WEB-SRV-01 | IIS: Multiple failed login attempts detected | | 203.0.113.45 |
| Security | Warning | 2024-01-15 09:24:15 | WEB-SRV-01 | Account lockout: admin after 10 failed attempts | admin | |
| Application | Info | 2024-01-15 09:31:22 | WEB-SRV-01 | IIS: POST /upload.php - SQL injection attempt blocked by WAF | | 203.0.113.45 |
| Security | Critical | 2024-01-15 10:15:33 | WEB-SRV-01 | Successful login: jdavis from 203.0.113.45 | jdavis | 203.0.113.45 |
| Application | Warning | 2024-01-15 10:16:01 | WEB-SRV-01 | Unusual file upload: cmd.php (detected web shell patterns) | jdavis | |
| System | Error | 2024-01-15 10:16:45 | WEB-SRV-01 | Process created: cmd.exe (PID: 3344) by w3wp.exe | | |
| Firewall | Info | 2024-01-15 10:17:12 | FIREWALL-01 | Allowed: 10.0.10.50 -> 192.168.10.100:445 (SMB) | | 10.0.10.50 |
| Firewall | Warning | 2024-01-15 10:17:45 | FIREWALL-01 | Port scan detected: 10.0.10.50 scanning 192.168.10.0/24 | | 10.0.10.50 |
| Security | Critical | 2024-01-15 10:18:33 | DB-SRV-02 | Failed login attempt: Administrator from 10.0.10.50 | | 10.0.10.50 |
| Security | Critical | 2024-01-15 10:19:41 | DB-SRV-02 | Successful login: svc_backup from 10.0.10.50 using NTLM | svc_backup | 10.0.10.50 |
| System | Warning | 2024-01-15 10:20:15 | DB-SRV-02 | Scheduled task created: SystemUpdate by svc_backup | svc_backup | |
| Application | Error | 2024-01-15 10:21:02 | DB-SRV-02 | SQL Server: Unusual query - SELECT * FROM users; Data exfiltration suspected | | |
| Security | Critical | 2024-01-15 10:22:18 | DC-01 | LSASS memory access by unknown process (mimikatz.exe) | | |
| Security | Critical | 2024-01-15 10:22:45 | DC-01 | Domain Admin credential access: KRBTGT hash requested | svc_backup | |
| System | Critical | 2024-01-15 10:25:33 | WEB-SRV-01 | Registry modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Persistence established | | |
| Application | Error | 2024-01-15 10:26:12 | WEB-SRV-01 | Windows Defender: Real-time protection disabled by administrator | | |
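As an added worked example (not part of the PBQ, and not the exercise's answer key), the script below shows how an analyst would triage the entries above programmatically rather than by eye: it parses the 17 log lines (re-encoded inline as constructed input), applies single-event indicators plus a few cross-event correlation rules (success after failures from the same source, logon from an internal address, the IIS worker spawning a shell after an upload), and collapses the findings into an ordered host/tactic chain. The rule set, the ATT&CK tactic and technique labels, the one-hour correlation window and the internal address ranges are all this example's assumptions.

```python
"""Parse the PBQ log entries and run correlation rules over them to build an
attack timeline. Added example, not part of the PBQ; the rules, tactic labels
and internal address ranges are this example's own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed input: the page's 17 entries re-encoded one per line as
# "source | severity | timestamp | host | message | key=value ...".
LOG_TEXT = r"""
Application | Info | 2024-01-15 08:45:12 | WEB-SRV-01 | IIS: GET /login.php - 200 OK | src=203.0.113.45
Application | Warning | 2024-01-15 09:23:41 | WEB-SRV-01 | IIS: Multiple failed login attempts detected | src=203.0.113.45
Security | Warning | 2024-01-15 09:24:15 | WEB-SRV-01 | Account lockout: admin after 10 failed attempts | user=admin
Application | Info | 2024-01-15 09:31:22 | WEB-SRV-01 | IIS: POST /upload.php - SQL injection attempt blocked by WAF | src=203.0.113.45
Security | Critical | 2024-01-15 10:15:33 | WEB-SRV-01 | Successful login: jdavis from 203.0.113.45 | user=jdavis src=203.0.113.45
Application | Warning | 2024-01-15 10:16:01 | WEB-SRV-01 | Unusual file upload: cmd.php (detected web shell patterns) | user=jdavis
System | Error | 2024-01-15 10:16:45 | WEB-SRV-01 | Process created: cmd.exe (PID: 3344) by w3wp.exe
Firewall | Info | 2024-01-15 10:17:12 | FIREWALL-01 | Allowed: 10.0.10.50 -> 192.168.10.100:445 (SMB) | src=10.0.10.50
Firewall | Warning | 2024-01-15 10:17:45 | FIREWALL-01 | Port scan detected: 10.0.10.50 scanning 192.168.10.0/24 | src=10.0.10.50
Security | Critical | 2024-01-15 10:18:33 | DB-SRV-02 | Failed login attempt: Administrator from 10.0.10.50 | src=10.0.10.50
Security | Critical | 2024-01-15 10:19:41 | DB-SRV-02 | Successful login: svc_backup from 10.0.10.50 using NTLM | user=svc_backup src=10.0.10.50
System | Warning | 2024-01-15 10:20:15 | DB-SRV-02 | Scheduled task created: SystemUpdate by svc_backup | user=svc_backup
Application | Error | 2024-01-15 10:21:02 | DB-SRV-02 | SQL Server: Unusual query - SELECT * FROM users; Data exfiltration suspected
Security | Critical | 2024-01-15 10:22:18 | DC-01 | LSASS memory access by unknown process (mimikatz.exe)
Security | Critical | 2024-01-15 10:22:45 | DC-01 | Domain Admin credential access: KRBTGT hash requested | user=svc_backup
System | Critical | 2024-01-15 10:25:33 | WEB-SRV-01 | Registry modification: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Persistence established
Application | Error | 2024-01-15 10:26:12 | WEB-SRV-01 | Windows Defender: Real-time protection disabled by administrator
"""

# Assumed internal address space. 203.0.113.0/24 (TEST-NET-3) is deliberately
# absent, so the external source address is never treated as internal.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class LogEvent:
    source: str
    severity: str
    ts: datetime
    host: str
    message: str
    user: str | None
    src_ip: str | None


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    tactic: str     # ATT&CK tactic the rule maps to (assumed mapping)
    technique: str  # ATT&CK technique id, or "n/a" when the log is too vague
    detail: str


def parse_log(text: str) -> list[LogEvent]:
    """Parse the pipe-delimited entries and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) < 5:
            raise ValueError(f"malformed entry: {line!r}")
        source, severity, ts, host, message = parts[:5]
        extras = dict(kv.split("=", 1) for kv in parts[5].split()) if len(parts) > 5 else {}
        events.append(LogEvent(source, severity, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                               host, message, extras.get("user"), extras.get("src")))
    return sorted(events, key=lambda e: e.ts)


# Single-event indicators: (regex on lower-cased message, tactic, technique, label).
INDICATORS = [
    (r"account lockout", "Credential Access", "T1110", "Brute Force (lockout)"),
    (r"sql injection", "Initial Access", "T1190", "Exploit Public-Facing Application (blocked)"),
    (r"web shell", "Persistence", "T1505.003", "Web Shell"),
    (r"port scan", "Discovery", "T1046", "Network Service Discovery"),
    (r"scheduled task created", "Persistence", "T1053.005", "Scheduled Task"),
    (r"exfiltration", "Exfiltration", "n/a", "Bulk query, exfiltration suspected"),
    (r"lsass", "Credential Access", "T1003.001", "OS Credential Dumping: LSASS Memory"),
    (r"krbtgt", "Credential Access", "T1003", "OS Credential Dumping (KRBTGT hash)"),
    (r"currentversion\\run", "Persistence", "T1547.001", "Registry Run Keys"),
    (r"real-time protection disabled", "Defense Evasion", "T1562.001", "Disable or Modify Tools"),
]


def _prior(events, ev, window, needle):
    """Events on the same host within `window` before `ev` whose message contains `needle`."""
    return [e for e in events if e.host == ev.host and ev.ts - window <= e.ts < ev.ts
            and needle in e.message.lower()]


def correlate(events: list[LogEvent], window: timedelta = timedelta(hours=1)) -> list[Finding]:
    """Apply the single-event indicators plus three cross-event rules; findings sorted by time."""
    findings = []
    for ev in events:
        msg = ev.message.lower()
        for pattern, tactic, tech, label in INDICATORS:
            if re.search(pattern, msg):
                findings.append(Finding(ev.ts, ev.host, tactic, tech, f"{label}: {ev.message}"))
        if msg.startswith("successful login") and ev.src_ip:
            # Rule 1: success from a source that failed against the same host shortly before.
            fails = [e for e in _prior(events, ev, window, "failed login") if e.src_ip == ev.src_ip]
            if fails:
                findings.append(Finding(ev.ts, ev.host, "Credential Access", "T1110",
                                        f"Success for {ev.user} from {ev.src_ip} after {len(fails)} failure event(s)"))
            # Rule 2: logon sourced from inside the network (host-to-host movement).
            if any(ip_address(ev.src_ip) in net for net in INTERNAL_NETS):
                findings.append(Finding(ev.ts, ev.host, "Lateral Movement", "T1021",
                                        f"{ev.user} authenticated from internal host {ev.src_ip}"))
        if "by w3wp.exe" in msg:
            # Rule 3: IIS worker spawning a shell, tied back to recent uploads on the host.
            ups = _prior(events, ev, window, "upload")
            findings.append(Finding(ev.ts, ev.host, "Execution", "T1059.003",
                                    f"{ev.message}; {len(ups)} upload event(s) in the prior window"))
    return sorted(findings, key=lambda f: f.ts)


def attack_chain(findings: list[Finding]) -> list[tuple[str, str]]:
    """Ordered (host, tactic) steps with consecutive repeats collapsed."""
    chain: list[tuple[str, str]] = []
    for f in findings:
        if not chain or chain[-1] != (f.host, f.tactic):
            chain.append((f.host, f.tactic))
    return chain


if __name__ == "__main__":
    found = correlate(parse_log(LOG_TEXT))
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host:<12} {f.tactic:<18} {f.technique:<10} {f.detail}")
    print("chain:", " -> ".join(f"{h}/{t}" for h, t in attack_chain(found)))
```

Two design points worth noting. The internal-network test uses an explicit allow-list rather than `ipaddress`'s `is_private`, because Python classifies the RFC 5737 documentation range 203.0.113.0/24 as non-public and would otherwise mark the external source in these logs as an internal host. And the rules only count events on the same host; correlating the firewall's port-scan entry with the later DB-SRV-02 logon from the same source would need a cross-host join keyed on source IP, which is the natural next step once the per-host chain is established.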
Forensic Analysis Questions
Answer based on your log analysis