Maintaining Credible IIS Log Files
Many network administrators by now have encountered serious Web server intrusions that have resulted in legal action. Often IIS logs are the primary evidence used to track down Web intruders. But what would happen if the credibility of your IIS logs was challenged in court? What if the defense claimed the logs were not reliable enough to be admissible as evidence?
I once investigated a serious intrusion as part of a criminal investigation. An intruder broke into an IIS server, uploaded some tools, and then accessed the company's internal database. We knew approximately when the intrusion occurred, but we did not know which of several hundred Web sites on a dozen servers was compromised.
As I mined through hundreds of log files stored on the Web servers, I came across one log file that had, among the thousands of log entries, a single blank line. I checked the last modified date of that file and found that it had been modified two days after the log file was closed. Hundreds of megabytes of log file evidence suddenly became useless due to a single blank line. Because the log files were stored on the same server that was compromised, the intruder could have easily removed evidence or, worse, replaced it with false evidence pointing to someone else. The modification of one log file is a compelling reason to question the validity of every log file on that server.
Proving that your log files are credible requires that you provide convincing arguments that they are trustworthy and therefore valid as evidence. You must take measures to protect the accuracy, authenticity, and accessibility of your IIS log files. Although there are many legal complexities and you should always seek your own legal advice in these cases, below are some tips that should increase the credibility of your IIS logs.
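The two signs of tampering in the story above, a blank line inside a closed log and a last-modified time later than the log's final entry, can be checked automatically, and a digest recorded off the Web server lets you show later that a file is unchanged. The following is an added example, not code from the original article or any Microsoft tool; the W3C sample lines, the log file name, the one-hour grace period and the helper names are assumptions made for the example.

```python
"""Integrity checks for closed IIS W3C extended log files (added example).

Hashes a finished log so the digest can be kept off the server and re-verified,
and flags the two tampering signs described in the article: blank lines in the
body (IIS never writes them) and a last-modified time later than the final entry.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample in the IIS W3C extended format; not a real capture.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2004-03-01 00:00:01\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2004-03-01 00:00:01 192.0.2.10 GET /index.htm 200\n"
    "2004-03-01 12:30:15 192.0.2.11 GET /about.htm 200\n"
    "2004-03-01 23:59:58 192.0.2.12 GET /index.htm 200\n"
)


def sha256_file(path: str) -> str:
    """Digest of the whole file; record it somewhere the Web server cannot write."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_w3c(text: str):
    """Return (entries, blank_lines): entries are (UTC timestamp, fields) tuples,
    blank_lines are 1-based numbers of empty lines. W3C logs use UTC timestamps."""
    entries, blank_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            blank_lines.append(lineno)
            continue
        if line.startswith("#"):  # directive lines: #Software, #Version, #Date, #Fields
            continue
        fields = line.split(" ")
        ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        entries.append((ts.replace(tzinfo=timezone.utc), fields))
    return entries, blank_lines


def check_log(path: str, grace: timedelta = timedelta(hours=1)) -> dict:
    """Report digest, blank lines and whether the file changed after it was closed.
    The grace period (assumed value) allows for IIS flushing the file at rollover."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        entries, blank_lines = parse_w3c(f.read())
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    last_entry = max(ts for ts, _ in entries) if entries else None
    late_modification = last_entry is not None and mtime > last_entry + grace
    return {
        "sha256": sha256_file(path),
        "entries": len(entries),
        "blank_lines": blank_lines,
        "last_entry": last_entry,
        "mtime": mtime,
        "late_modification": late_modification,
        "suspicious": bool(blank_lines) or late_modification,
    }


def _write(path: str, text: str, mtime: datetime) -> None:
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))


def demo():
    """Write a pristine copy and a copy where one entry was blanked two days later;
    return (clean_report, tampered_report, directory)."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "ex040301.log")  # assumed IIS daily log file name
    _write(clean, SAMPLE_LOG, datetime(2004, 3, 1, 23, 59, 59, tzinfo=timezone.utc))
    lines = SAMPLE_LOG.splitlines(keepends=True)
    lines[5] = "\n"  # an entry removed and left as a blank line (line 6)
    tampered = os.path.join(d, "ex040301-tampered.log")
    _write(tampered, "".join(lines), datetime(2004, 3, 3, 23, 59, 59, tzinfo=timezone.utc))
    return check_log(clean), check_log(tampered), d


if __name__ == "__main__":
    for report in demo()[:2]:
        print(report)
```

Run the checker over each closed log once and keep the digest with the date and host name on media the Web server cannot alter; at verification time, recomputing `sha256_file` and comparing is the argument that the file has not changed since it was collected.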