31
Deductive Reasoning
• Example:
• Get initial readout from any available monitoring system and witnesses
  – Check system resources
  – Check network usage
  – Examine the log files
• Track the attacker's source IP; see if it originated from a certain ISP, then…
• Look for additional attacks in this ISP's IP range
Putting the pieces together to understand the bigger picture
Prior to looking into what was done against the application, you first have to identify that something was done. This means you need to take a good look around the logs of the various components of the network and application, and try to identify any behavior that falls outside of the norm and may be a hacking attempt.

Check the system resources: memory usage, CPU consumption, process tables, disk space, log size, checksums and file time stamps, unusual temp files.
Check network usage: firewall, network load, increased usage from one or several sources.
Examine the log files: system, application, network, web.
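The deductive chain above, run over a few constructed Apache-style log lines, as an added example that is not part of the slides: flag source IPs whose error count is outside the norm, then widen the search to neighbouring addresses. The 4xx threshold and the /24 block are assumptions standing in for "outside the norm" and "the ISP's IP range".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample web-server log lines (Apache common log format).
# Addresses come from documentation ranges; they are not real attacker IPs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 2211
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /.git/config HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /admin HTTP/1.1" 404 512
203.0.113.44 - - [10/Oct/2023:13:56:10 +0000] "GET /contact.html HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')

def parse_log(text):
    """Yield (ip, request, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], m['req'], int(m['status'])

def suspicious_sources(entries, min_errors=3):
    """Step 1: flag source IPs whose 4xx count is outside the norm (threshold is an assumption)."""
    errors = Counter(ip for ip, _, status in entries if 400 <= status < 500)
    return {ip: n for ip, n in errors.items() if n >= min_errors}

def related_sources(entries, ip, prefix=24):
    """Step 2: look for other hosts from the same network block.
    A /24 is used as a stand-in for 'the ISP's IP range' (assumption)."""
    block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return sorted({e[0] for e in entries if e[0] != ip and ipaddress.ip_address(e[0]) in block})

def triage(text):
    """Run both steps: each flagged IP mapped to the neighbouring IPs also seen in the log."""
    entries = list(parse_log(text))
    flagged = suspicious_sources(entries)
    return {ip: related_sources(entries, ip) for ip in flagged}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # {'198.51.100.7': ['198.51.100.23']}
```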