SDF: Pivot Tables for Forensics

Key records found in weblogs

Common formatting to interpret weblogs

How to understand HTTP response codes

This module goes over examples of common HTTP response codes.

How to understand HTTP request methods

Background to the training scenario which closely aligns to real DFIR practices

Section overview and what you will learn.

In the section we will be using Microsoft Excel's data import feature to add our evidence to an Excel spreadsheet

There will be times when further refinement is necessary. In our scenario we have three pieces of evidence combined into one column. We will use Excel's "text to column" feature to break these out into individual columns.

After our data is imported into a spreadsheet, we need to put the proper headers on the columns as well as format the data as a table

As a final check each column is inspected. In our scenario we have some unwanted data that we want to get rid of.

Overview of what you learn in the section

To start, we will create a simple pivot table based on request method

Here we will start to harness the true power of pivot tables by building one that shows the relationship between request methods and response codes

Here we build a pivot table that shows the relationship between user agents and response codes

URIs often provide excellent insight for triage purposes. Here we will build pivot tables looking for other variables associated with website resources 

Here we will build pivot tables looking at the relationship between refer records and other weblog records

Here we will pivot off of the IP ( remote host) records to determine which IPs have notable relationships

Now that we have identified our investigative leads. Here is the specific records our leads identify. Included is a walk-through of the attacker method to further understand the value of using pivot tables

A review of the forensic value of pivot tables

Check out the podcast at digitalforensicsurvivalpodcast.com