http://dx.doi.org/10.3745/JIPS.03.0162

A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

Kim, Jisun (Igloo Security Inc.)
Jo, Eulhan (BidCoaching Research Institute)
Lee, Sungwon (Izerone Digital Forensics Company)
Cho, Taenam (Dept. of IT and Electronics Engineering, Woosuk University)
Publication Information
Journal of Information Processing Systems, vol. 17, no. 4, 2021, pp. 772-786
Abstract
Tracking suspicious behavior on a system manually and gathering evidence is labor-intensive, variable, and experience-dependent. System logs are the most important source of evidence in this process. However, in the Microsoft Windows operating system, action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and analyzes Microsoft Windows logs efficiently. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to tracking illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack together with key-event, common-event, and identify-event lists, which enables visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.
Keywords
Active Directory; Digital Forensics; Elastic Stack; Microsoft Windows Log; Security; Shared Folder;
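The abstract describes separating Windows events into "key" (file-action) and "common" (session-context) lists and walking a three-step template of increasing depth. The following is an added illustration of that idea, not the paper's own templates or event lists: the event IDs chosen for each list, the three-step split, and the sample records (shaped like flattened Winlogbeat JSON, with a readable access label instead of the raw access mask) are this example's assumptions, and the filtering is done in Python rather than in Kibana.

```python
"""Toy three-step file-access tracker over Windows Security events."""

# Assumed event-ID lists (not the paper's): "key" events describe the file
# action itself, "common" events only give the surrounding session context.
KEY_EVENTS = {5145, 4663, 4660}      # share access check, object access, delete
COMMON_EVENTS = {4624, 4634, 5140}   # logon, logoff, share connected

# Constructed sample records (not real logs), one share named "Finance".
SAMPLE_EVENTS = [
    {"id": 4624, "ts": "2021-03-01T09:00:01", "user": "alice", "ip": "10.0.0.5"},
    {"id": 5140, "ts": "2021-03-01T09:00:05", "user": "alice", "ip": "10.0.0.5",
     "share": "\\\\*\\Finance"},
    {"id": 5145, "ts": "2021-03-01T09:00:07", "user": "alice", "ip": "10.0.0.5",
     "share": "\\\\*\\Finance", "path": "budget.xlsx", "access": "ReadData"},
    {"id": 5145, "ts": "2021-03-01T09:01:10", "user": "alice", "ip": "10.0.0.5",
     "share": "\\\\*\\Finance", "path": "salaries.xlsx", "access": "DELETE"},
    {"id": 4634, "ts": "2021-03-01T09:02:00", "user": "alice", "ip": "10.0.0.5"},
    {"id": 5145, "ts": "2021-03-01T09:30:00", "user": "bob", "ip": "10.0.0.9",
     "share": "\\\\*\\Finance", "path": "budget.xlsx", "access": "ReadData"},
]


def step1_who(events, share):
    """Step 1 (shallow): which accounts/hosts touched the share at all."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["id"] in KEY_EVENTS | COMMON_EVENTS
                   and e.get("share") == share})


def step2_which_files(events, share, user):
    """Step 2: files one user reached on the share, from key events only."""
    return sorted({e["path"] for e in events
                   if e["id"] in KEY_EVENTS and e.get("share") == share
                   and e["user"] == user})


def step3_timeline(events, user, path):
    """Step 3 (deep): ordered actions on one file plus the session context."""
    return [(e["ts"], e["id"], e.get("access", ""))
            for e in sorted(events, key=lambda e: e["ts"])
            if e["user"] == user
            and (e["id"] in COMMON_EVENTS or e.get("path") == path)]


if __name__ == "__main__":
    share = "\\\\*\\Finance"
    print(step1_who(SAMPLE_EVENTS, share))
    print(step2_which_files(SAMPLE_EVENTS, share, "alice"))
    for row in step3_timeline(SAMPLE_EVENTS, "alice", "salaries.xlsx"):
        print(row)
```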