how to handle missing logs

afsfr
Member
 

how to handle missing logs

Posted: Oct 09, 18 09:27

We face a cybersecurity issue: the root account got compromised, and the secure, message and rootsh logs were deleted with a log cleaner from Sep. 2 to Sep. 9. In this case, can any forensic tech help identify what activities root performed during Sep. 2 to Sep. 9?

Or should we recover the deleted log files in Linux? Thanks.
 
  

MDCR
Senior Member
 

Re: how to handle missing logs

Posted: Oct 09, 18 09:45

- afsfr
Can any forensic tech help identify what activities root performed during Sep. 2 to Sep. 9?

Or should we recover the deleted log files in Linux? Thanks.


1) Yes, look for artifacts in the system for activity: timestamps on the file system, firewall logs, cached data, browser activity, stuff like that.
2) Do both. There is no guarantee that you will find a complete history. The more information that can make your story complete, the better.

and

3) Set up some proper logging on a secured remote system with as little attack surface as possible. This is not brain surgery.
 
  

afsfr
Member
 

Re: how to handle missing logs

Posted: Oct 09, 18 11:35

Thanks, but the reality is that the IDS, firewall, server and all other logs were all removed for that period.

My concern is the content of the logs, so even if I know the MAC timestamps, that is still of little use, because I'm tracking the attacker's activity, the commands he used. The rootsh log and secure log are all cleaned to zero bytes, but the file names are still there, so recovery makes no sense.

I tried EnCase for two weeks but can't find any plugin or functionality that can fix this and carve out the attacker's activity during that period; lateral movement is also hard to detect (because we don't have the attacker IP or C&C IP).

Does any expert have experience with this kind of scenario (logs cleaned by the attacker)? Your valuable suggestions will be appreciated.
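As an added illustration of MDCR's first suggestion (file-system timestamps) applied to afsfr's situation (logs truncated to zero bytes with the names intact), here is a small Python script that is not from either poster: it builds a MAC timeline for the Sep. 2 to Sep. 9 window over a mounted copy of the host and lists zero-byte files under var/log, whose ctime marks when the cleaner ran. The mount point, the window dates and the sample tree it creates are constructed assumptions, not data from the thread.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# Assumptions (constructed): a read-only copy of the compromised host's
# filesystem is mounted under `root`; the window is 2018-09-02..09-09 UTC.
WINDOW_START = datetime(2018, 9, 2, tzinfo=timezone.utc).timestamp()
WINDOW_END = datetime(2018, 9, 10, tzinfo=timezone.utc).timestamp()  # exclusive

def build_timeline(root, start=WINDOW_START, end=WINDOW_END):
    """Return (timeline, wiped_logs) for the tree under `root`.
    timeline: (epoch, kind, path) for every a/m/c timestamp inside
    [start, end), oldest first: a minimal MAC timeline of the window.
    wiped_logs: zero-byte files under var/log whose names survived
    (the 'cleaned to zero bytes, file name still there' pattern).
    ctime cannot be set via utime(2), so it survives a plain mtime reset."""
    timeline, wiped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for kind, ts in (("a", st.st_atime), ("m", st.st_mtime), ("c", st.st_ctime)):
                if start <= ts < end:
                    timeline.append((ts, kind, rel))
            if st.st_size == 0 and rel.startswith("var/log/"):
                wiped.append(rel)
    return sorted(timeline), sorted(wiped)

def make_sample_tree():
    """Constructed sample: a truncated var/log/secure and a file in tmp
    touched a minute later. Only atime/mtime can be set from user space,
    so the ctimes here are 'now' and fall outside the window."""
    root = tempfile.mkdtemp(prefix="img_")
    os.makedirs(os.path.join(root, "var", "log"))
    os.makedirs(os.path.join(root, "tmp"))
    secure = os.path.join(root, "var", "log", "secure")
    open(secure, "w").close()  # zero bytes, name kept
    dropped = os.path.join(root, "tmp", ".x")
    with open(dropped, "w") as f:
        f.write("placeholder\n")
    t = datetime(2018, 9, 5, 3, 14, tzinfo=timezone.utc).timestamp()
    os.utime(secure, (t, t))
    os.utime(dropped, (t + 60, t + 60))
    return root
```

Calling `build_timeline(make_sample_tree())` returns the in-window atime/mtime events for both files plus `["var/log/secure"]` as the wiped log; on a real image, point `build_timeline` at the mount point and the ctime entries of the zero-byte logs give the moment of truncation.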
 
