
I'd like to learn more about forensic analysis, and I'm trying to do the challenges from Project Honeynet. I need to check the log files and find the IPs that connected remotely to the computer. I have a dd-made image of the hard drive. I think the only service that was running was Apache. Besides Apache's logs, what other log files should I check? Where are they located?



You could look at /var/log/wtmp using the command who. This will show you who has logged on to the system. I think it shows IPs but not completely sure. This of course would only apply to *nix machines.

Edit: After re-reading the post I suspect you were looking more for a log of who made connections to your webserver? This won't show you anything like that, just who accessed a shell I think.

  • Yes. I'm searching for connections made to the system.
    – Geo
    Commented Nov 7, 2009 at 21:57

You didn't specify what system you're running, but I'll guess a recent Linux: there's a whole plethora of logs awaiting your inspection under /var/log. Other systems may have put them elsewhere. Nearly all of these could have useful connect information.
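The two answers point at wtmp and the text logs under /var/log. As an added example (not from either answer), the script below pulls remote IPv4 addresses out of the kind of text logs you would find on the image, with constructed sample auth.log and Apache access.log lines standing in for the real files; the mount path /mnt/evidence and the sector offset are assumptions.

```shell
# Added example, not part of the original answers. Assumes the dd image is
# mounted read-only, e.g. (START_SECTOR is whatever fdisk -l reports):
#   mount -o ro,noexec,loop,offset=$((START_SECTOR*512)) disk.dd /mnt/evidence
# wtmp is binary, so read it with last rather than grep:
#   last -f /mnt/evidence/var/log/wtmp
# Text logs (sshd lines in auth.log or secure, Apache access logs) are
# handled by the functions below.

# Print every IPv4 address found in the given files, most frequent first.
extract_ips() {
    grep -hoE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$@" | sort | uniq -c | sort -rn
}

# Constructed sample lines standing in for files under /mnt/evidence/var/log.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Nov  7 21:50:01 host sshd[2210]: Accepted password for www from 203.0.113.5 port 4412 ssh2
Nov  7 21:52:13 host sshd[2250]: Failed password for root from 198.51.100.7 port 5020 ssh2
EOF
cat > "$SAMPLE_DIR/access.log" <<'EOF'
203.0.113.5 - - [07/Nov/2009:21:55:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.9 - - [07/Nov/2009:21:56:30 +0000] "POST /cgi-bin/x HTTP/1.1" 404 0
EOF

# Combine the sshd and Apache evidence into one ranked list of remote IPs.
list_remote_ips() {
    extract_ips "$SAMPLE_DIR/auth.log" "$SAMPLE_DIR/access.log"
}

list_remote_ips
```

Point extract_ips at the real files (e.g. /mnt/evidence/var/log/auth.log and /mnt/evidence/var/log/apache2/access.log*) to get the same ranked list for the image; addresses that appear in both sshd and Apache logs are the ones worth timelining first.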
