Hello,
I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.
It seems it has been removed on purpose.
Is there any way to recover them?
I am using Autopsy software, and I can't find anything in removed files nor in Carved files…
Thanks in advance!
What kind of Linux system are you looking at? Is it from a standard computer system or is it an embedded device?
I ask as the /var/log location can be volatile, or other stuff may be going on. This is especially true of embedded devices such as routers and/or IoT devices. In these cases often the data either simply isn't there, or it is stored in a different part of the flash memory and mounted dynamically to the /var/log location.
Hello,
I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.
benfindlay's comment was good. Check fstab in /etc to see if /var/log is mounted on a mem drive. Query the mem drive driver's configuration. And RTFM for the Linux distro; if there really is no /var/log (which I do not believe), it should be documented.
regards,
Robin
I ask as the /var/log location can be volatile,
According to FHS, /var/log is mandatory. However, it need not be *the* place where logs are really kept; it may only contain links to the actual files. (See https://
Thus, there is a technical possibility that it only contained symbolic links, and that all that may be retrievable are those links. (I can't recall having seen such a system, but … I have not verified such details for the past year or so.)
Add to that that if /var or /var/log is considered to be shareable, it could technically also be located remotely (if I read FHS correctly), that is, remotely mountable, not only locally.
FHS does not really apply for file systems where users don't have access, so those cases are special. And some distros don't follow FHS, in which case all this is nonsense.
That is, it looks very much like OP may have to show that there was indeed a /var/log present (and not just a symlink or mountpoint), before it is reasonable to think about recovering remains from a deletion, or draw conclusions based on the absence of it. But perhaps that part is already covered well enough.
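The two checks suggested above (Robin's "look at fstab for a mem drive" and the FHS point that /var/log may be a symlink or mount point rather than a real directory), as an added example that is not part of anyone's post in this thread. It parses a constructed sample fstab and reports which entry covers /var/log and whether that filesystem is RAM-backed, and it inspects var/log under a mounted image root (the root path is the caller's assumption) to tell a symlink or mount point apart from a real directory.

```python
import os
from pathlib import Path

# Filesystem types that live in RAM: whatever was mounted from them vanished at
# power-off, so carving the dumped disk for those logs cannot succeed.
VOLATILE_FS = {"tmpfs", "ramfs"}

# Constructed sample fstab (not from the thread): root on flash, logs in RAM.
SAMPLE_FSTAB = """\
/dev/mmcblk0p2  /         ext4   defaults,ro       0 1
tmpfs           /var/log  tmpfs  defaults,size=8m  0 0
/dev/mmcblk0p3  /data     ext4   defaults          0 2
"""

def parse_fstab(text):
    """Return (device, mountpoint, fstype, options) for each real fstab entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments and blanks
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2],
                            fields[3] if len(fields) > 3 else ""))
    return entries

def log_mounts(text):
    """fstab entries covering /var/log (itself or a parent), most specific first.
    A 'volatile' hit means the logs never reached the dumped media."""
    hits = []
    for dev, mnt, fstype, opts in parse_fstab(text):
        mnt = mnt.rstrip("/") or "/"
        if mnt == "/var/log" or "/var/log".startswith(mnt.rstrip("/") + "/"):
            hits.append({"device": dev, "mountpoint": mnt, "fstype": fstype,
                         "options": opts, "volatile": fstype in VOLATILE_FS})
    return sorted(hits, key=lambda h: len(h["mountpoint"]), reverse=True)

def classify_var_log(root):
    """Say what var/log is under a mounted image root: absent, symlink -> target,
    mountpoint or directory. islink() goes first: exists()/is_dir() follow links."""
    p = Path(root) / "var" / "log"          # root is where the dump is mounted
    if os.path.islink(p):
        return "symlink -> " + os.readlink(p)
    if not p.exists():
        return "absent"
    if os.path.ismount(p):
        return "mountpoint"
    return "directory" if p.is_dir() else "other"
```

Run `log_mounts` on the etc/fstab read out of the image, then `classify_var_log` on the mount point of the dump; a volatile hit or a bare symlink explains the empty /var/log without any deletion having taken place.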
Hi,
the forensic analysis of the images shows several config files pointing to /var/log, which I can't seem to find.
However, maybe there is some way to carve into the deleted files and search for them. I don't know how to do this, though…
… several config files pointing to /var/log, which I can't seem to find.
However, maybe there is some way to carve into the deleted files and search for them. I don't know how to do this, though…
In this case you can search for symlinks according to https://
But to be honest… we are talking here about absolute basics. I really hope this case is not important and only of minor criticality.
regards,
Robin