2. Purpose of the program


The purpose of this program is quite simple: improve the availability of forensic data after a break-in, so that the actions of the attacker can be determined more precisely. Forensics is a discipline of its own within security. It requires a good understanding of the systems involved, and experience with the attacks usually carried out helps in focusing on the important things. Forensics is all about figuring out what has happened on a computer system (or network) after an intrusion. To do this, all the available information is crucial: firewall logs, IDS logs (if any), system logs, volatile information on the systems (which processes are running in memory, ...) and a complete bit-by-bit disk image. All of this serves to understand what has happened; on top of it, one must make sure not to alter this data while handling it, considering that the attacker may have gone to great lengths to hide his traces.

ComLog will not solve all the problems computer forensics faces today. But it will greatly reduce the time necessary to understand the scope of an attack if the intruder carried it out via the command prompt. Instead of trying to reverse-engineer the attacker's tools or to look for modified signature files to determine the actions of the attacker, one will only have to check these logs to see which commands the attacker typed. By storing the history files of the command prompts on your network centrally, along with your antivirus log files and maybe even personal firewall log files (for more details on this, read "Securing the Microsoft internal network"), you improve your knowledge about the kind of activity that is going on on your machines. And it gives you the chance to act wisely before it is too late.
