Introduction to splunk
Splunk is an operational intelligence platform that is widely used by cybersecurity experts to monitor data in real time. This semester, the LCDI assembled the Splunk project team to determine the tool’s effectiveness in establishing timelines that would aid a digital forensic investigation. A forensic timeline is a critical piece of evidence that allows investigators to maintain a narrow scope by recording system events and their timestamps without having to peruse internal files, which can become a time consuming process. Therefore, if Splunk can be used correctly in this capacity, it can serve as a valuable investigative asset.
Our analysis was performed on both OS X and Windows 7 in order to determine which operating system produced more results in a forensic timeline. Since Splunk only allows the user to view metadata of the file system, however, there were very few discrepancies between the two OSs. We believe that if it were possible to view file contents or data past the file system, one of the operating systems might provide more information to a case.
Splunk was able to identify installation packages from software installed on the test machines. The following image is an excerpt from our Splunk report that shows a Microsoft installer package (.msi) for Skype within the file system of the Windows workstation:
This is the same package as found in the Mac. Since the operating system is different, the Skype installer comes in Apple disk image (.dmg) format:
Despite complications during the testing process, our analysis successfully addressed the Splunk project’s essential research questions. All results and procedures can be found in our final report, which can be viewed and downloaded HERE.