Author :
Chaudhari, Sneha ; Chauhan, Himanshu ; Tomar, S.S. ; Rawat, Anil
Author_Institution :
Dept. of Atomic Energy (DAE), Raja Ramanna Centre for Adv. Technol., Indore, India
Abstract :
The IP address of the device from which an offending activity was performed is of limited value on its own, because it identifies an endpoint in the network rather than a physical device or user. It is useful to know where a device or user was at the time the offending activity took place. It would be desirable to correlate different pieces of evidence to discover information such as the IP addresses used by the same device, the physical address and location of the device, the connection time of the device, and the browsing habits and mail access transactions carried out by the user of that device. Log data from various sources must be correlated to create contexts of information that are not visible from any one source alone. In large networks, users and devices that repeatedly access a private network can be tracked by analyzing and correlating DHCP, Network Access Control (NAC), WWW and email server logs. With a huge volume of logs, the common approach of manually browsing and correlating log events along a timeline is tedious and unresponsive. A flat-file-based sequential search system is also not responsive, hence RDBMS-based tracking systems are desirable. Building a responsive system requires identifying and consolidating log files, and converting, transmitting and storing them in relational databases. An automated system has been developed at our organization for forensic analysis of network accesses, with device and user tracking as its goal. We present our approach to log management and correlation, which supports responsive forensic analysis of a real network of more than 2500 nodes, aimed at tracking users and devices.
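The correlation the abstract describes, reduced to a runnable sketch. This is an added example, not code from the paper or from the authors' system. It assumes ISC dhcpd-style DHCPACK syslog lines, squid's native access.log format, a hypothetical key=value NAC admission log, a fixed log year (syslog omits it) and SQLite standing in for the RDBMS; every log line below is constructed. Each proxied request is attributed to the MAC that held the lease in force at request time, and that MAC to the switch port and location where NAC last admitted it; a request from an IP with no earlier lease record stays unattributed, which is the blind spot a single log source leaves.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample logs (not from the paper). Syslog omits the year, so
# the DHCP parser assumes LOG_YEAR; all timestamps are treated as UTC.
LOG_YEAR = 2024

DHCP_LOG = """\
Mar 10 08:55:02 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:01 via eth0
Mar 10 09:40:17 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:02 via eth0
Mar 10 09:41:00 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to aa:bb:cc:dd:ee:01 via eth0
"""

# Constructed NAC admission records in a hypothetical key=value format.
NAC_LOG = """\
2024-03-10T08:54:50Z mac=aa:bb:cc:dd:ee:01 switch=sw-lab2 port=Gi1/0/7 location=Lab-Block-2
2024-03-10T09:40:05Z mac=aa:bb:cc:dd:ee:02 switch=sw-admin port=Gi1/0/3 location=Admin-Block
2024-03-10T09:40:50Z mac=aa:bb:cc:dd:ee:01 switch=sw-lib port=Gi2/0/1 location=Library
"""

# Constructed squid access.log lines (native format):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SQUID_LOG = """\
1710061200.123 250 10.0.5.23 TCP_MISS/200 5120 GET http://example.com/a - HIER_DIRECT/93.184.216.34 text/html
1710061800.001 90 10.0.5.99 TCP_MISS/200 300 GET http://example.net/c - HIER_DIRECT/93.184.216.34 text/html
1710063900.456 120 10.0.5.77 TCP_MISS/200 2048 GET http://example.org/b - HIER_DIRECT/93.184.216.34 text/html
1710064200.789 80 10.0.5.23 TCP_MISS/200 1024 GET http://example.com/d - HIER_DIRECT/93.184.216.34 text/html
"""

DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)")
NAC_RE = re.compile(r"^(\S+) mac=(\S+) switch=(\S+) port=(\S+) location=(\S+)")


def parse_dhcp(text):
    """Yield (epoch, ip, mac) for each DHCPACK line; other lines are ignored."""
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield int(ts.replace(tzinfo=timezone.utc).timestamp()), m.group(2), m.group(3).lower()


def parse_nac(text):
    """Yield (epoch, mac, switch, port, location) per admission record."""
    for line in text.splitlines():
        m = NAC_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield int(ts.timestamp()), m.group(2).lower(), m.group(3), m.group(4), m.group(5)


def parse_squid(text):
    """Yield (epoch, client_ip, url) per proxied request."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        yield int(float(f[0])), f[2], f[6]


def build_db(dhcp_log=DHCP_LOG, nac_log=NAC_LOG, squid_log=SQUID_LOG):
    """Consolidate the three sources into one SQLite database indexed for time lookups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dhcp (ts INTEGER, ip TEXT, mac TEXT);
        CREATE TABLE nac  (ts INTEGER, mac TEXT, switch TEXT, port TEXT, location TEXT);
        CREATE TABLE web  (ts INTEGER, ip TEXT, url TEXT);
        CREATE INDEX dhcp_ip_ts ON dhcp (ip, ts);
        CREATE INDEX nac_mac_ts ON nac (mac, ts);
    """)
    conn.executemany("INSERT INTO dhcp VALUES (?,?,?)", parse_dhcp(dhcp_log))
    conn.executemany("INSERT INTO nac VALUES (?,?,?,?,?)", parse_nac(nac_log))
    conn.executemany("INSERT INTO web VALUES (?,?,?)", parse_squid(squid_log))
    conn.commit()
    return conn


# Lease in force at request time = latest DHCPACK for that IP at or before ts;
# location = latest NAC admission of that MAC at or before ts.
ATTRIBUTION_SQL = """
WITH leased AS (
    SELECT w.ts, w.ip, w.url,
           (SELECT d.mac FROM dhcp d
             WHERE d.ip = w.ip AND d.ts <= w.ts
             ORDER BY d.ts DESC LIMIT 1) AS mac
      FROM web w)
SELECT l.ts, l.ip, l.mac,
       (SELECT n.location FROM nac n
         WHERE n.mac = l.mac AND n.ts <= l.ts
         ORDER BY n.ts DESC LIMIT 1) AS location,
       l.url
  FROM leased l
 ORDER BY l.ts
"""


def attribute_web_accesses(conn):
    """Return (ts, ip, mac, location, url) per request; mac/location are None when unattributable."""
    return conn.execute(ATTRIBUTION_SQL).fetchall()


def ips_used_by(conn, mac):
    """All (ip, ts) leases handed to one device, in time order."""
    return conn.execute("SELECT ip, ts FROM dhcp WHERE mac = ? ORDER BY ts", (mac.lower(),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for ts, ip, mac, loc, url in attribute_web_accesses(db):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S")
        print(f"{when} {ip:<10} {mac or '?':<17} {loc or '?':<12} {url}")
```

The time-bounded subqueries are the important part: the same IP (10.0.5.23) is held by two different MACs within an hour, so joining web and DHCP logs on IP alone would attribute the later request to the wrong device. With the `(ip, ts)` and `(mac, ts)` indexes the lookup stays a short index scan per request, which is what makes the database approach responsive where grepping flat files is not.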
Keywords :
computer network security; local area networks; relational databases; DHCP; Flat file based sequential search system; IP address; Internet protocol address; RDBMS based tracking systems; browsing habits; device connection time; device location; device physical address; device tracking; electronic mail; email server logs; information context; mail access transactions; network access control; private networks; relational database management system; responsive forensic analysis; user tracking; Correlation; Databases; Electronic mail; Forensics; IP networks; Postal services; Servers; Logs; DHCP; NAC; squid; email; security logs; data monitoring and analysis tool;