GETTING LOG FILES

Unlike Windows, Linux still keeps most of its logs as plain text files. They normally live under the /var/log directory, some directly in it and others in subdirectories. Most logs have a .log extension or no extension at all. It is common practice to keep several older versions of certain logs. These rotated archives have the same base filename with .n appended, where n is a positive number, and the older archives are usually also compressed with gzip, which adds a .gz extension. For example, if the log file is named "my.log", the most recent archive might be "my.log.1" and older archives "my.log.2.gz", "my.log.3.gz", etc.

The script below uses the find utility to retrieve the current log files from the subject system and send them to the forensics workstation. If, after examining the current logs, you determine that they don't cover a relevant time period for your investigation (which usually means you should have been called much earlier), you can use the send-file.sh script presented earlier to send whatever additional archived logs you deem necessary. Of course, if you have decided to perform a dead analysis, you are likely better off waiting to look at these later, since the tools available for dead analysis make this much easier.

send-logfiles.sh

```bash
#!/bin/bash
#
# send-logfiles.sh
#
# Simple script to send all logs as part of
# initial live incident response.
# Warning: This script might take a long time to run!
# by Dr. Phil Polstra (@ppolstra) as developed for
# PentesterAcademy.com.

usage () {
  echo "usage: $0"
  echo "Simple script to send log files to a log listener"
  exit 1
}

if [ $# -gt 0 ] ; then
  usage
fi

# find only files, exclude files with numbers as they are old logs
# execute echo, cat, and echo for all files found
# send-log.sh (presented earlier) runs the command it is given and
# forwards the output to the listener on the forensics workstation
send-log.sh find /var/log -type f -regextype posix-extended \
  -regex '/var/log/[a-zA-Z.]+(/[a-zA-Z.]+)*' \
  -exec echo -e "--dumping logfile {} --\n" \; \
  -exec cat {} \; -exec echo -e "--end of dump for logfile {} --\n" \;
```

This script uses the same elements as the previous bash history grabbing script, with one exception: there is something new in the regular expression. Parentheses are used to group a sub-pattern so that the * quantifier (zero or more) can be applied to the whole group. The regular expression is easier to understand if we break it into three parts.

The first part, "/var/log/", matches the literal directory where log files are normally found. The second chunk, "[a-zA-Z.]+", matches one or more letters or periods. This matches current log files and directories while excluding rotated archives, because digits are not in the bracket expression. The final portion, "(/[a-zA-Z.]+)*", is the same as the second chunk, but enclosed in parentheses and followed by *. The grouping causes the * quantifier (zero or more) to apply to everything inside the parentheses: the zero case matches logs directly in /var/log, the one case matches logs one level down in a subdirectory, and so on. Two caveats follow from the bracket expression. Because it also excludes hyphens, underscores and digits in the names of current logs, a file such as cloud-init.log or Xorg.0.log is skipped even though it is not an archive; and because binary logs such as wtmp, btmp and lastlog have names that fit the pattern, they are matched and dumped raw by cat.
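The behaviour of the regular expression on rotated archives, subdirectories and the caveat cases described above, exercised as an added example (this is not code from the book or from send-logfiles.sh). It builds a throwaway copy of the /var/log layout under a temporary directory, with constructed file names, and runs the same find expression with the root parameterised so nothing on the real system is read or touched.

```bash
#!/bin/bash
# Added example, not from the book: exercise the send-logfiles.sh regex
# against a constructed /var/log look-alike in a temporary directory.

# Build the fake tree and print its root. All file names are constructed.
make_fake_varlog() {
  local root
  root=$(mktemp -d) || return 1
  mkdir -p "$root/var/log/apt" "$root/var/log/nginx"
  # Current logs: letters and dots only, so the regex should collect them.
  : > "$root/var/log/syslog"
  : > "$root/var/log/auth.log"
  : > "$root/var/log/apt/history.log"
  : > "$root/var/log/nginx/access.log"
  # Rotated archives: the digit in each name keeps them out.
  : > "$root/var/log/syslog.1"
  : > "$root/var/log/auth.log.2.gz"
  : > "$root/var/log/nginx/access.log.3.gz"
  # Caveat: a current log with a hyphen in its name is also skipped.
  : > "$root/var/log/cloud-init.log"
  # Caveat: a binary log with a plain name is collected and would be cat'ed raw.
  printf '\001\002' > "$root/var/log/wtmp"
  echo "$root"
}

# The find expression from send-logfiles.sh, anchored at $1 instead of /.
# Output is sorted and has the temporary root stripped for easy comparison.
list_current_logs() {
  local root=$1
  [ -d "$root/var/log" ] || return 1
  find "$root/var/log" -type f -regextype posix-extended \
    -regex "$root/var/log/[a-zA-Z.]+(/[a-zA-Z.]+)*" \
    | sed "s|^$root||" | sort
}

# Everything under the fake /var/log that the regex does NOT collect.
list_skipped_logs() {
  local root=$1 cur
  [ -d "$root/var/log" ] || return 1
  cur=$(mktemp) || return 1
  list_current_logs "$root" > "$cur"
  find "$root/var/log" -type f | sed "s|^$root||" | sort | comm -23 - "$cur"
  rm -f "$cur"
}

demo() {
  local root
  root=$(make_fake_varlog) || return 1
  [ -n "$root" ] || return 1
  echo "collected:"; list_current_logs "$root"
  echo "skipped:";   list_skipped_logs "$root"
  rm -rf "$root"
}

demo
```

The "skipped" list is the one to check before trusting the dump: anything in it that is not a rotated archive is a current log the regex silently left behind, and it is the reason the send-file.sh script mentioned above is still needed for individual files.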

Part of the log file dump from our subject system is shown in Figure 3.7. In the upper part of the figure you can see the tail of the dmesg (device message) log. Notice that this log doesn't use wall-clock timestamps; rather, each entry is stamped with seconds since boot. The start of the syslog (system log) is shown in the lower portion of the figure, and it can be seen that syslog does use timestamps. There are other logs that provide no time information whatsoever. Similar to bash history, such logs only tell you the order in which things happened.

FIGURE 3.7

Part of the log files dump from the subject system. Notice that some logs contain timestamps while others contain seconds since boot or no time information at all.
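Because dmesg stamps entries with seconds since boot, lining them up with the timestamped syslog entries requires the boot time. The following is an added example, not code from the book: it reads the boot time from the btime line of /proc/stat (or a saved copy of it) and adds each dmesg offset to it. The dmesg lines and the boot time used in the demo are constructed for the illustration.

```bash
#!/bin/bash
# Added example, not from the book: turn dmesg's seconds-since-boot offsets
# into absolute times so they can be lined up with syslog entries.

# Constructed dmesg excerpt; the messages are made up for the demonstration.
SAMPLE_DMESG='[    0.000000] Linux version 4.4.0-21-generic (buildd@lgw01-21)
[   12.345678] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 3600.500000] EXT4-fs (sdb1): mounted filesystem with ordered data mode'

# Boot time (epoch seconds) from the btime line of /proc/stat on a live
# system; a file path may be given so a saved copy can be used instead.
boot_epoch_from_proc_stat() {
  awk '/^btime / { print $2; exit }' "${1:-/proc/stat}"
}

# Read dmesg lines on stdin and print "<epoch seconds> <message>" for each
# line that carries a [seconds.micros] prefix. $1 is the boot time in epoch
# seconds. Offsets are added to boot time and truncated to whole seconds.
dmesg_to_epoch() {
  awk -v boot="$1" '
    match($0, /^\[ *[0-9]+\.[0-9]+\]/) {
      secs = substr($0, RSTART + 1, RLENGTH - 2) + 0
      msg  = substr($0, RSTART + RLENGTH + 1)
      printf "%d %s\n", boot + secs, msg
    }'
}

# Same, rendered as UTC wall-clock time. Assumes GNU date (-d "@epoch").
dmesg_to_wallclock() {
  dmesg_to_epoch "$1" | while read -r epoch msg; do
    printf '%s %s\n' "$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S')" "$msg"
  done
}

# Demo with a fixed, constructed boot time (1700000000 = 2023-11-14 22:13:20 UTC).
# On a live system you would use: dmesg | dmesg_to_wallclock "$(boot_epoch_from_proc_stat)"
if date -u -d @0 >/dev/null 2>&1; then
  printf '%s\n' "$SAMPLE_DMESG" | dmesg_to_wallclock 1700000000
fi
```

The conversion rests on the assumption that the dmesg offset counts real elapsed time since boot. It does not account for time the machine spent suspended, and it is the same assumption util-linux makes when you run dmesg -T on the live box, so treat the resulting times as approximate and corroborate them against syslog entries from the same period.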
