Hello Reader,
Another Sunday Funday behind us and another winning answer given. This week we did a Linux challenge, and from the lack of responses and high readership I would say that this is a weak point for most of you. I have noted this and will devote some future blog posts to Linux forensics.

This week's winner is Tony Micah Lambert. Congratulations, Tony! By having the confidence to give the contest a try, you have won! Here was this week's challenge:

The Challenge:
The suspect is believed to have taken source code from his past employer and made use of it in the development of a new product. For an Ubuntu Linux system (any modern version, 11 forward) where the user is using Gnome and CVS, answer the following:
1. Where would you look to see what devices had been connected?
2. Where would you look to see what files/directories had been accessed?
3. Where would you look for user activity related to source code development?
Here is Tony's answer:
You can view what devices have been recently connected by consulting the syslog at /var/log/syslog. Depending on how much time has passed, you may have to look for /var/log/syslog.x or syslog.x.gz where x= a sequential number. This log will have enough unique information about a device for it to be identified.
For files/directories and user activity in CVS, all checkouts, commits, and updates can be checked from the history file located at $CVSROOT/CVSROOT/history (assuming proper configuration). This information can be easily accessed using the CVS "history -u " command to filter results for a specific developer's username.
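To illustrate the syslog part of the answer, here is an added example (not part of Tony's answer or the original post) that reads /var/log/syslog together with its rotated syslog.x and syslog.x.gz copies and groups the kernel's USB messages into one record per connection. The line layout, the host name and the device values in the sample are constructed assumptions.

```python
import glob
import gzip
import re

# Kernel USB messages as they appear in syslog (line layout is an assumption).
USB_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:.*?\busb (?P<port>[\d.-]+): (?P<msg>.*)$")
NEW_DEV = re.compile(r"New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
FIELD = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")

def read_syslogs(pattern="/var/log/syslog*"):
    """Yield lines from syslog, syslog.N and syslog.N.gz, oldest file first."""
    def rotation(path):
        m = re.search(r"\.(\d+)(\.gz)?$", path)
        return int(m.group(1)) if m else 0  # the live syslog sorts last
    for path in sorted(glob.glob(pattern), key=rotation, reverse=True):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def usb_connections(lines):
    """Group kernel USB messages into one record per device connection."""
    devices, active = [], {}
    for line in lines:
        m = USB_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        port, msg = m["port"], m["msg"]
        new = NEW_DEV.search(msg)
        field = FIELD.match(msg)
        if new:  # a new connection starts a fresh record for this port
            active[port] = {"connected": m["ts"], "port": port,
                            "vendor_id": new[1], "product_id": new[2]}
            devices.append(active[port])
        elif field and port in active:  # descriptor strings follow the first line
            active[port][field[1]] = field[2].strip()
        elif msg.startswith("USB disconnect") and port in active:
            active.pop(port)["disconnected"] = m["ts"]
    return devices

# Constructed sample lines, not taken from a real system.
SAMPLE = """\
Jun  2 10:15:01 ws01 kernel: [ 1201.100000] usb 2-1: New USB device found, idVendor=1234, idProduct=abcd
Jun  2 10:15:01 ws01 kernel: [ 1201.100100] usb 2-1: Product: Example Flash Drive
Jun  2 10:15:01 ws01 kernel: [ 1201.100200] usb 2-1: Manufacturer: ExampleCorp
Jun  2 10:15:01 ws01 kernel: [ 1201.100300] usb 2-1: SerialNumber: EXAMPLE0001
Jun  2 10:15:03 ws01 CRON[211]: (root) CMD (true)
Jun  2 10:42:17 ws01 kernel: [ 2837.500000] usb 2-1: USB disconnect, device number 3
"""
```

On a mounted image, pass the image's path as the pattern, for example `usb_connections(read_syslogs("/mnt/image/var/log/syslog*"))`. Traditional syslog timestamps carry no year, so the year has to come from the file's own dates.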