Domain 4 of 5 · Chapter 9 of 9

Investigation Data Sources

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • What logs are, and what each log type proves
  • Network sources: logs, flow metadata, and packet captures
  • Correlation, timelines, and the order of volatility
  • Exam-pattern recognition for investigation data sources

Which source answers which investigative question

Data sourceWhat it natively recordsInvestigation use
Firewall / router logsAllowed/denied connections: source & destination IP, port, protocol, timestamp (no payload)Prove perimeter allow/deny; pivot on a source IP to find related attempts
OS security logsSystem events + audit records: logons, privilege use, account changes, file access on one hostConfirm activity on a specific host after a sensor flags it
Endpoint logs (AV/EDR)Detected malware, quarantine/clean actions, scan history, host process behaviorShow what executed on an endpoint and what the agent did about it
Application logsClient requests/responses, authenticated user, which records/transactions touchedAttribute an in-app action to a user; reconstruct request sequence
IPS/IDS logsSuspicious events with intent: attack type, targeted vulnerability, success/failureIdentify the kind of attack and whether it landed
Network logs / flow metadataWho-talked-to-whom-and-how-much: IPs, ports, protocol, byte/packet countsBaseline volume; spot beaconing or exfiltration spikes
Packet capturesFull packet content (the payload itself)Prove the actual data or command sent; deep protocol analysis
Vulnerability scansMissing patches and misconfigurations per host, scored against a baselineEstablish the weakness an attacker may have used
Automated reports / dashboardsAggregated, summarized metrics and findings over timeSee trends and the normal baseline an incident deviates from
MetadataDescriptive data about other records: timestamps, file/email headers, geolocationTie sources together and order events on a common timeline

Decision tree

Network-wire question or host/app question? Network / wire Host / application Need the actual payload sent? Yes, content No, metadata Packet capture payload; short retention Need attack intent (type, success)? Yes No, just allow/deny IPS/IDS log attack type + outcome Firewall / router log allow/deny + IP/port (no payload) In-app user action, or host activity? In-app action Host event Application log user + record/transaction OS / endpoint logon, process, file access Always: correlate sources on synchronized timestamps collect most-volatile evidence first; distrust a compromised host's own logs

Cheat sheet

  • Objective 4.9 is source selection, not tooling
  • Firewall and router logs prove allow/deny, never the payload
  • Packet capture is the only source that holds the payload
  • Flow data shows who and how much; only capture shows what
  • IPS/IDS logs add intent: attack type and outcome
  • IPS logs also record the prevention action taken
  • OS logs split into system events and audit records
  • OS-specific logs: Windows proprietary format vs. Linux syslog
  • Endpoint (AV/EDR) logs show what ran and what the agent did
  • Application logs attribute in-app actions to a user
  • Web proxy and NAT logs de-anonymize a shared public IP
  • Remote-access (VPN) logs capture origin and authenticated user
  • A vulnerability scan shows the weakness, not that it was used
  • Dashboards and reports give the trend, not the single event
  • Lead with the primary source, then corroborate with secondary
  • Timestamps are the join key: clocks must be synced first
  • Distrust a compromised host's own logs
  • Read NetFlow patterns as deviations from baseline

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. CompTIA Security+ (SY0-701) certification and exam objectives
  2. Guide to Computer Security Log Management (SP 800-92) Whitepaper
  3. Guide to Integrating Forensic Techniques into Incident Response (SP 800-86) Whitepaper