The Role of Firewall Logs in Forensic Analysis and Incident Response
By Sanjay Seth, PJ Networks Pvt Ltd
It’s three in the afternoon, third coffee of the day, and I’m thinking hard about firewall logs again. You may groan, but in reality firewall logs are the unsung heroes of cybersecurity. I’ve been working with them since the early 2000s (before that I was a jaded network admin from 1993 onward, dealing with PSTN muxes and voice/data overlays; oh, those were the days!), and the raw ability those logs give you to tear an incident apart is something every security pro should admire.
This is Sanjay Seth, founder of PJ Networks Pvt Ltd, fresh from helping banks redesign their zero-trust architectures (an uphill climb, that one, but exciting). Just returned from DefCon, still high from the hardware hacking village; that’s a tale for another day. Today I am going to tackle firewall logs in post-incident forensics and why you cannot afford to miss them.
Quick Take
We’ll dive into the trench warfare of log analysis below, but here’s the summary for you busy people:
- In incident investigations, the truth comes from firewall logs.
- They help determine when, where and how an attack occurred, which is essential for root cause analysis.
- They make tracking timelines and attack paths much cleaner.
- Properly preserved logs support legal cases and compliance audits.
- The logs provide a frame for your future defenses.
Okay, enough with the tease. Let’s rip into the details.
Logs for Root Cause Analysis
Root cause analysis (RCA) may sound fancy, but it’s really detective work: figuring out how the attacker got in, or what did not work on your end.
Very likely, firewall logs are your primary evidence in this digital whodunit. Reality check: when the Slammer worm struck in the early 2000s, we didn’t have snazzy AI dashboards or deep packet inspection on steroids. Just raw logs, and a lot of coffee. Those logs revealed traffic patterns that shouted “something’s not right here”: huge increases in UDP packets aimed at port 1434.
Why logs are important for RCA:
- They list every incoming/outgoing connection your firewall handled (or blocked).
- Each entry typically includes:
  - Timestamps (sometimes down to the millisecond!)
  - Source and destination IPs and ports, your attacker’s digital fingerprints.
  - Flags for abnormal protocol usage or unusual connection attempts.
I once worked on a breach (one that may sound familiar) where a misconfigured firewall allowed SSH tunnels from a partner network into our DMZ. The firewall logs revealed it to be a slow-drip attack over weeks, which not only helped us patch the hole but also helped us understand the attacker’s strategy of patience.
The problem is that without proper logs, RCA is guesswork. And guesswork in cybersecurity typically equates to more breaches just waiting to happen.
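As an added illustration (my own example, not code from the original post), here is a small Python parser for the kind of entries described above, with a bucketing step that surfaces the sort of per-port spike the Slammer-era logs showed. The key=value log format and every sample line are constructed for the example and are not any vendor’s real syntax.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in a generic key=value export format (an assumption, not any
# vendor's real syntax). A burst of UDP/1434 hits is mixed in with normal traffic.
SAMPLE_LOG = """\
2003-01-25T05:30:01 action=allow proto=tcp src=10.1.2.3:51002 dst=192.0.2.10:443
2003-01-25T05:30:02 action=allow proto=tcp src=10.1.2.4:51003 dst=192.0.2.10:443
2003-01-25T05:30:05 action=deny proto=udp src=203.0.113.7:1434 dst=192.0.2.20:1434
2003-01-25T05:30:05 action=deny proto=udp src=203.0.113.8:1434 dst=192.0.2.21:1434
2003-01-25T05:30:06 action=deny proto=udp src=203.0.113.9:1434 dst=192.0.2.22:1434
2003-01-25T05:30:06 action=allow proto=udp src=203.0.113.10:1434 dst=192.0.2.23:1434
2003-01-25T05:30:07 action=deny proto=udp src=203.0.113.11:1434 dst=192.0.2.24:1434
2003-01-25T05:31:00 action=allow proto=tcp src=10.1.2.3:51010 dst=192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(text):
    """Turn raw lines into dicts; unparseable lines are counted rather than silently dropped."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events, bad

def port_spikes(events, threshold=4):
    """Bucket hits per (minute, proto, dport); denies count too, since a blocked scan is still evidence."""
    buckets, sources = Counter(), defaultdict(set)
    for e in events:
        key = (e["ts"].strftime("%Y-%m-%dT%H:%M"), e["proto"], e["dport"])
        buckets[key] += 1
        sources[key].add(e["src"])
    return [
        {"minute": k[0], "proto": k[1], "dport": k[2], "hits": n, "distinct_src": len(sources[k])}
        for k, n in sorted(buckets.items()) if n >= threshold
    ]
```

On real data the threshold should come from that port’s normal baseline, not a fixed number; the distinct-source count is what separates a worm-style burst from one chatty client.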
Tracking Attack Timelines
Attack timelines are like plotlines in a thriller — if you know the precise moment each part occurred, you have insight into an attacker’s behavior and your response gaps.
Firewall logs carry timestamps, and when correlated with other logs (e.g., IDS/IPS, servers, endpoint alerts) you start to build a timeline. At PJ Networks, during a recent series of upgrades for those three banks, extracting fine-grained timelines from firewall logs uncovered attacker recon activity days ahead of the successful breach. This gave the banks the visibility to shrink monitoring windows and decrease incident response times.
If you’re thinking “Timelines? Sounds simple,” good luck piecing one together by hand on a compromised network without good log timestamps. Yeah, it feels like building IKEA furniture without the instructions.
A few pro-tips for timelines:
- Sync firewall clocks with NTP so there is no time drift.
- Centralize logs across all firewalls and security appliances.
- Use SIEM tools; just remember to validate their outputs against raw logs. Automated stuff tends to overlook nuanced signs.
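To show the clock and time-zone handling the tips above depend on, here is an added example (not part of the original post) that merges firewall, IDS and endpoint events into one UTC timeline, applies a measured clock correction, and reports how far ahead of the breach the attacker’s recon began. The events, the 90-second firewall drift and the IDS time zone are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three sources. Assumptions: the firewall's clock was measured
# 90 seconds fast against the NTP reference, and the IDS reports in UTC+05:30 while the
# other two report in UTC. Timestamps are ISO 8601 with explicit offsets.
RAW_EVENTS = [
    {"source": "firewall", "ts": "2024-03-01T09:00:00+00:00", "msg": "deny tcp 198.51.100.9 -> 10.0.1.5:22"},
    {"source": "firewall", "ts": "2024-03-01T09:00:03+00:00", "msg": "deny tcp 198.51.100.9 -> 10.0.1.5:3389"},
    {"source": "ids", "ts": "2024-03-01T14:29:00+05:30", "msg": "portscan alert from 198.51.100.9"},
    {"source": "firewall", "ts": "2024-03-03T02:15:10+00:00", "msg": "allow tcp 198.51.100.9 -> 10.0.1.5:443"},
    {"source": "endpoint", "ts": "2024-03-03T02:16:00+00:00", "msg": "webshell dropped on 10.0.1.5"},
]
# Correction to apply per source: a clock that runs fast needs a negative offset.
CLOCK_OFFSETS = {"firewall": timedelta(seconds=-90)}

def normalize(event, offsets):
    """Parse the timestamp, convert it to UTC and apply the measured clock correction."""
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    ts += offsets.get(event["source"], timedelta(0))
    return {**event, "ts": ts}

def build_timeline(events, offsets=CLOCK_OFFSETS):
    """One merged, chronologically sorted timeline across all sources."""
    return sorted((normalize(e, offsets) for e in events), key=lambda e: e["ts"])

def recon_lead_time(timeline, attacker_ip, breach_marker):
    """How long before the breach event the attacker first showed up anywhere."""
    first = next(e["ts"] for e in timeline if attacker_ip in e["msg"])
    breach = next(e["ts"] for e in timeline if breach_marker in e["msg"])
    return breach - first
```

Note that without the 90-second correction the IDS alert would sort before the firewall denies that triggered it, which is exactly the kind of ordering error that makes a hand-built timeline untrustworthy.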
Identifying the Attack Path
Attackers don’t cut through your firewall like a hot knife through butter. They sidle in, then spin and circle within your network, finding weak points and pilfering logins.
Firewall logs can be used to map the attack path: the sequence of steps from initial compromise to data exfiltration or system takeover. This is where deep packet inspection logs and connection histories come in handy. I remember one particular breach I worked on where an attacker gained initial access through a VPN endpoint (logged by the firewall) and from there ran lateral movement exploits across various internal subnets. Can you imagine if none of those movements had been visible in the firewall logs?
By pinpointing these steps:
- You determine what sections of your network were affected or susceptible.
- Detect unusual traffic patterns that indicate pivot attempts.
- Expose insider threat activities or compromised endpoints.
Some people make light of this. “Firewall logs concern only external threats,” they say. Nope. Internal traffic logs can reveal insiders siphoning data or malware phoning home.
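The attack-path mapping described in this section, as an added example rather than code from the post: it walks allowed connections forward in time from the compromised VPN address, collects the subnets reached, and flags hosts that were used as pivots. The connection records, the VPN pool address and the /24 subnet layout are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_network

# Constructed "allow" entries (ts, src, dst, dport) from an internal-segment firewall.
# Assumptions: the attacker's VPN session was assigned 10.200.0.5 and its login was
# logged at 02:15; internal subnets are /24.
CONNECTIONS = [
    ("2024-03-03T01:00:00", "10.0.3.30", "10.0.1.10", 445),  # legitimate, predates the compromise
    ("2024-03-03T02:20:00", "10.200.0.5", "10.0.1.10", 445),
    ("2024-03-03T02:25:00", "10.0.5.5", "10.0.2.20", 443),  # unrelated host, never compromised
    ("2024-03-03T02:40:00", "10.0.1.10", "10.0.2.20", 3389),
    ("2024-03-03T03:10:00", "10.0.2.20", "10.0.3.30", 1433),
    ("2024-03-03T03:15:00", "10.0.2.20", "10.0.3.31", 445),
]

def subnet(ip):
    return str(ip_network(f"{ip}/24", strict=False))

def trace_attack_path(conns, patient_zero, t0):
    """Forward, time-ordered reachability from the first compromised host.

    A destination is marked compromised only via a connection made at or after the
    compromise time of its source, so earlier legitimate traffic is ignored."""
    compromised = {patient_zero: datetime.fromisoformat(t0)}
    edges = []
    for ts, src, dst, dport in sorted(conns):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if src in compromised and t >= compromised[src] and dst not in compromised:
            compromised[dst] = t
            edges.append((src, dst, dport, ts))
    return edges

def affected_subnets(edges):
    """Which network segments the attacker reached."""
    return sorted({subnet(dst) for _, dst, _, _ in edges})

def pivots(edges):
    """Hosts that were reached and then used as a springboard into a different subnet."""
    reached = {dst for _, dst, _, _ in edges}
    return sorted({src for src, dst, _, _ in edges if src in reached and subnet(src) != subnet(dst)})
```

The time-ordering rule is the important part: a plain connectivity graph would also pull in the legitimate 01:00 session from 10.0.3.30 and make that host look like part of the path.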
Maintain the Logs for Legal Use
Here’s where the rubber hits the road. The point of post-incident forensics isn’t simply to solve problems, it’s to make a case. Courts, regulators, auditors: they want evidence. When properly retained, firewall logs provide evidence of breaches, adversary activity, and your organization’s response that cannot easily be contested.
A common misunderstanding is that logs from a month ago can be thrown away. Wrong. At PJ Networks, we constantly advise clients:
- Use WORM (write-once, read-many) storage for tamper-evident log retention.
- Keep logs for at least 1 year, which is in compliance with some industry regulations (others require even more).
- Use cryptographic hashes to detect any alteration of stored logs.
I cannot emphasize this enough: if you lose or alter logs, it weakens your legal position and can lead to fines or worse. One financial entity had stored its logs incorrectly, so the investigators had to wait on other data sources, which took months and caused a lot of frustration.
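As an added example of the cryptographic-hash advice above (my code, not PJ Networks’ tooling), this builds a keyed SHA-256 hash chain over retained log lines so that any edit, deletion or reordering shows up on verification. Using an HMAC with a key held off the firewall is my addition to the plain-hash advice; the key and sample lines are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample of lines as they are appended to the retained copy.
LOG_LINES = [
    "2024-03-03T02:20:00 allow tcp 10.200.0.5 -> 10.0.1.10:445",
    "2024-03-03T02:40:00 allow tcp 10.0.1.10 -> 10.0.2.20:3389",
    "2024-03-03T03:10:00 allow tcp 10.0.2.20 -> 10.0.3.30:1433",
]
# Assumption: the key lives with the retention system, not on the firewall, so whoever
# can edit the raw lines cannot recompute the chain. Constructed placeholder value.
CHAIN_KEY = b"placeholder-key-not-for-production"
SEED = b"\x00" * 32  # digest "before" the first entry

def chain(lines, key=CHAIN_KEY):
    """Return [(line, digest_hex)]; each digest covers the line AND the previous digest."""
    prev, out = SEED, []
    for line in lines:
        mac = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        out.append((line, mac.hex()))
        prev = mac
    return out

def verify(chained, key=CHAIN_KEY):
    """Index of the first entry whose digest does not check out, or -1 if intact.

    Editing, deleting or reordering any entry breaks that digest and every later one."""
    prev = SEED
    for i, (line, digest) in enumerate(chained):
        mac = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac.hex(), digest):
            return i
        prev = mac
    return -1
```

Truncation of the newest entries is the one change the chain alone cannot catch, which is why the latest digest should also be recorded out of band (for example alongside the WORM copy) and compared at verification time.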
Strengthening Future Defenses
And finally, the reality is these logs are the basis for continuous improvement of security. You’ll see patterns—stubborn probing, repeated exploits, or even new, unknown tactics. This information should flow back into:
- Firewall ruleset adjustments.
- Enhancements to the zero-trust architecture (such as the recent work I did for those banks).
- Realistic timelines and tooling in incident response playbooks.
- User awareness training, particularly where logs indicate standard phishing credential abuse vectors.
Consider the analogy: firewall logs are the black box of your network. Post-incident forensics is the crash investigation that results in better brakes, better tires or perhaps seatbelt laws. You don’t want to be driving blind.
An unpopular opinion: Too many organizations buy flashy AI-powered security solutions but don’t bother with essentials like good log analysis and retention. AI can help — of course — but it takes a back seat to basic, hands-on log review and expert judgment.
Final Thoughts
Firewall logs aren’t sexy. They don’t make the headlines the way ransomware or zero-day exploits do. But in the real dusty trenches of cybersecurity — where I’ve toiled for two decades — they’re your best buddy and your truth-teller.
Back when I first started doing network admin stuff in 1993, when dial-up modems were still the kings and PSTN was still the backbone—security was literally about physical guard dogs and locked cabinets. Now there’s a log, a digital trail to follow, and it’s up to us to know how to read it.
If protecting your business and understanding breaches is a real goal, put at least some resources into your logging infrastructure, protect your log stores, and get used to wading through them.
Stay sharp. Stay caffeinated. And please do not underestimate the power of a well-kept firewall log.
— Sanjay Seth, PJ Networks Pvt Ltd
Cybersecurity consultant, firewall hawk, coffee addict