Firewall logs
You will encounter many kinds of firewalls in a network infrastructure, and their logs can reveal a lot about an attack. I remember a case where a popular bank in Africa was siphoned of $700,000, and the attackers had been sitting inside the network for a long time before they executed the attack. During a thorough investigation to establish the indicators of compromise and perform a root-cause analysis, the firewall logs were what helped me out: the Check Point firewall logs contained entries for a particular domain that the planted backdoor was contacting. We ran a network-wide search across the firewall logs for the first attempt to reach that domain and found that it had been made at least three months before the date of the incident. Since the computer that made that first connection was attached only to the internal network, we concluded that the attack had been carried out by an insider, which narrowed the scope of our investigation to a handful of individuals.
Parsing firewall logs and deriving analytics from them is a tough task for an investigator. Most intelligent firewalls today have their own analytics engine. However, if you need a third-party log parser for firewall logs, Sawmill (http://www.sawmill.net) would be my choice, as it supports a wide variety of log formats. Here is an example of Palo Alto Networks firewall logs parsed by Sawmill:
We can see that we have a variety of options with the parsed logs:
We have options that include User Summary, Host Summary, Source IPs, Users, and Content. We can also view visited pages:
Sawmill is a paid product, but the trial version can be downloaded and used free for 30 days. In the upcoming chapters we will look at writing our own parsers; for a professional network forensics engagement, though, Sawmill is recommended.
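The search described in the bank case above (find the first attempt to reach the attacker's domain, and which internal host made it) is easy to script once the logs are parsed. The following is an added example written for this chapter, not code from the book or from Sawmill. The log lines are constructed, and they use a simplified, Palo Alto-style comma-separated layout whose column order is an assumption: real PAN-OS traffic logs carry many more fields and their order depends on the PAN-OS version, so map the column names to your own export before use.

```python
"""First-contact hunt over firewall traffic logs (added example, not from the book).

The sample below is constructed. Its column layout is an ASSUMPTION chosen for
this example and is NOT the real PAN-OS traffic-log schema; adjust FIELDS to
match the export you are working with.
"""
import csv
from datetime import datetime
from io import StringIO

# Assumed column layout of the constructed lines (not the vendor's schema).
FIELDS = ["receive_time", "src", "dst", "dst_host", "app", "action", "bytes"]
TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample: one internal host talks to the suspicious domain months
# before a second host starts moving data to it; the last attempt is denied.
SAMPLE_LOG = """\
2018/03/02 09:12:44,10.1.5.23,93.184.216.34,update.example-cdn.net,ssl,allow,4310
2018/03/02 09:13:01,10.1.5.23,198.51.100.77,cmd.badactor-dns.org,ssl,allow,1260
2018/04/15 22:47:10,10.1.5.23,198.51.100.77,cmd.badactor-dns.org,ssl,allow,880
2018/05/20 03:05:33,10.1.7.8,198.51.100.77,cmd.badactor-dns.org,ssl,allow,15400
2018/06/01 11:00:00,10.1.9.4,93.184.216.34,update.example-cdn.net,web-browsing,allow,2200
2018/06/04 02:10:12,10.1.7.8,198.51.100.77,cmd.badactor-dns.org,ssl,deny,0
"""


def parse_lines(text):
    """Parse comma-separated log text into dicts with typed time and byte fields."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        rec["receive_time"] = datetime.strptime(rec["receive_time"], TIME_FMT)
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows


def first_contact(rows, domain):
    """Earliest logged attempt to reach `domain`, allowed or denied, or None."""
    hits = [r for r in rows if r["dst_host"].lower() == domain.lower()]
    if not hits:
        return None
    return min(hits, key=lambda r: r["receive_time"])


def hosts_contacting(rows, domain):
    """Per-source first-seen time, attempt count and bytes sent for `domain`.

    Denied attempts are counted too: a blocked beacon is still evidence that
    the host was infected at that time.
    """
    summary = {}
    for r in sorted(rows, key=lambda r: r["receive_time"]):
        if r["dst_host"].lower() != domain.lower():
            continue
        entry = summary.setdefault(
            r["src"], {"first_seen": r["receive_time"], "attempts": 0, "bytes": 0}
        )
        entry["attempts"] += 1
        entry["bytes"] += r["bytes"]
    return summary


def dwell_time_days(rows, domain, incident_time):
    """Whole days between the first contact with `domain` and the incident.

    `incident_time` is a string in TIME_FMT. This is a lower bound only: the
    real first contact may predate whatever the firewall still retains.
    """
    fc = first_contact(rows, domain)
    if fc is None:
        return None
    return (datetime.strptime(incident_time, TIME_FMT) - fc["receive_time"]).days


if __name__ == "__main__":
    rows = parse_lines(SAMPLE_LOG)
    suspect = "cmd.badactor-dns.org"
    fc = first_contact(rows, suspect)
    print("first contact:", fc["receive_time"], "from", fc["src"])
    for src, info in hosts_contacting(rows, suspect).items():
        print(src, "first seen", info["first_seen"], info)
    print("dwell (days, lower bound):",
          dwell_time_days(rows, suspect, "2018/06/04 12:00:00"))
```

Run against a real export, the interesting output is the source address attached to the earliest record, since that is the host whose owner and network position you investigate next. Keep in mind that the earliest record you can find is bounded by the firewall's log retention, so treat the dwell time as "at least this long", exactly as in the case above.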