Join Us!

how to handle missi...
 
Notifications
Clear all

how to handle missing logs  

  RSS
afsfr
(@afsfr)
Junior Member

we face a cybersecurity issue, root account got compromised, the secure, message log, rootsh log are deleted with log cleaner from Sep.2-Spet .9, in this case, can any forensic tech help in identify what are the activities of root do during Sep2–Sep.9?

or should we recover the deleted log files in linux? thanks

Quote
Posted : 09/10/2018 10:27 am
MDCR
 MDCR
(@mdcr)
Active Member

can any forensic tech help in identify what are the activities of root do during Sep2–Sep.9?

or should we recover the deleted log files in linux? thanks

1) Yes, look for artifacts in the system for activity Timestamps on the file system, Firewall logs, Cached data, Browser activity - stuff like that.
2) Do both. There is no guarantee that you will find a complete history. The more information that can make your story complete the better.

and

3) Set up some proper logging on a secured remote system with as little attack surface as possible - this is not brain surgery.

ReplyQuote
Posted : 09/10/2018 10:45 am
afsfr
(@afsfr)
Junior Member

thanks, but the reality is IDS, firewall log, server log and all logs are all removed for that period.

my concern is the content of the log, so if i know MAC of timestamp, still little use, because i 'm tracking the attacker activity, the command he use, rootsh log and secure log are all cleaned with zero byte, but file name still there, so recover make no sense.

I try encase for two weeks but can't find any plugin or functionality can fix this and carve out the attacker activity during that period, also lateral movement also hard to detect ( because we don't have attacker ip and C&C IP).

any expert got experience for such kind of scenario (logs are cleaned by attacker) and your valuable suggestion will be appreciated.

ReplyQuote
Posted : 09/10/2018 12:35 pm
Share: