Daily Blog #14: 7/7/13 Sunday Funday - Log Evidence Tampering Challenge

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
              It's time for our second Sunday Funday! This week I have something a little more nonstandard that should require some serious thought on your part to answer. The prize? You get to be a reviewer on Hacking Exposed: Third Edition with your name and quote on the cover of the book, this is due to be published mid 2014.


1. You must leave your answer in the comments.

2. The most correct answer wins.

3. You are allowed to edit your post to update it with more information.

4. You have until midnight PST (GMT -7) on 7/7/13 to answer this question.

The Challenge: 

You have been provided with three years of web server log files in standard W3C format. The logs appear to show that your client has obtained unauthorized access to the website for over 3 years. 1/3 of all authenticated accesses to the website appear to come from your client. Your client is adamant that these accesses never occurred and asks you to determine if you can find signs of manipulation within the logs.

Using on the log evidence, what criteria would you evaluate/process would you follow/framework would you use to determine if the log evidence had been manipulated. Remember you do not have access to the server the logs came from, just the logs themselves.

Good luck!

Also Read: Daily Blog #13

Post a Comment