Where can I find a complete list of all the logs in the system?

0

1

I'd like to learn more about forensic analysis, and I'm trying to do the challenges from Project Honeynet. I need to check the log files and find the IPs that connected remotely to the computer. I have a dd-made image of the hard drive. I think the only service that was running was Apache. Besides Apache's logs, what other log files should I check? Where are they located?

Geo

Posted 2009-11-07T21:07:02.983

Reputation: 348

Answers

2

You could look at /var/log/wtmp using the command who. This will show you who has logged on to the system. I think it shows IPs, but I'm not completely sure. This of course would only apply to *nix machines.

Edit: After re-reading the post I suspect you were looking more for a log of who made connections to your webserver? This won't show you anything like that, just who accessed a shell I think.

Wagnarock

Posted 2009-11-07T21:07:02.983

Reputation: 558

Yes. I'm searching for connections made to the system. – Geo – 2009-11-07T21:57:19.530
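The wtmp check suggested in the answer above can also be done offline against a file pulled from the disk image; the following is an added example, not code from any of the posters. It assumes the image comes from a Linux system using the 384-byte glibc utmp record layout, and the sample records are constructed for the demonstration.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc "struct utmp" on Linux: 384 bytes per record (assumed layout of the image).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20s")
USER_PROCESS = 7  # ut_type of a login session


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Yield (utc_time, user, tty, host, ip) for each login record in raw wtmp bytes."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        (ut_type, _pid, line, _id, user, host, _term, _exit,
         _session, sec, _usec, addr, _unused) = UTMP.unpack_from(data, off)
        if ut_type != USER_PROCESS:
            continue
        # IPv4 uses only the first 4 bytes of ut_addr_v6; the rest are zero.
        if addr[4:] == bytes(12):
            ip = socket.inet_ntoa(addr[:4]) if addr[:4] != bytes(4) else ""
        else:
            ip = socket.inet_ntop(socket.AF_INET6, addr)
        when = datetime.fromtimestamp(sec, tz=timezone.utc)
        yield when, _text(user), _text(line), _text(host), ip


def remote_logins(data):
    """Keep only records that carry a remote host or address."""
    return [r for r in parse_wtmp(data) if r[3] or r[4]]


def make_record(ut_type, user, line, host, ip, sec):
    addr = (socket.inet_aton(ip) if ip else bytes(4)) + bytes(12)
    return UTMP.pack(ut_type, 1234, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, sec, 0, addr, b"")


# Constructed sample: a console login, a remote login, and a non-login record.
SAMPLE = (make_record(7, "root", "tty1", "", "", 1257600000)
          + make_record(7, "geo", "pts/0", "192.0.2.10", "192.0.2.10", 1257603600)
          + make_record(8, "", "pts/0", "", "", 1257607200))

if __name__ == "__main__":
    # Real case: read var/log/wtmp from the read-only mounted image instead of SAMPLE.
    for when, user, tty, host, ip in remote_logins(SAMPLE):
        print(when.isoformat(), user, tty, host, ip)
```

Only shell-style logins appear in wtmp, so web requests still have to come from the Apache access log.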

1

You didn't specify what system you're running, but I'll guess a recent Linux: there's a whole plethora of logs awaiting your inspection under /var/log. Other systems may have put them elsewhere. Nearly all of these could have useful connect information.

Shannon Nelson

Posted 2009-11-07T21:07:02.983

Reputation: 1 287