Recover removed /var/log directory

banderas20
Member
 

Recover removed /var/log directory

Posted: Jun 05, 19 22:17

Hello,

I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.

It seems it has been removed on purpose.

Is there any way to recover them?

I am using Autopsy software, and I can't find anything in removed files nor in Carved files...

Thanks in advance!

benfindlay
Senior Member
 

Re: Recover removed /var/log directory

Posted: Jun 06, 19 07:43

What kind of Linux system are you looking at? Is it from a standard computer system or is it an embedded device?

I ask as the /var/log location can be volatile, or other stuff may be going on. This is especially true of embedded devices such as routers and/or IoT devices. In these cases often the data either simply isn't there, or it is stored in a different part of the flash memory and mounted dynamically to the /var/log location.
_________________
Ben Findlay. BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MInstISP
Course Leader BSc Computer and Digital Forensics
School of Science, Engineering and Design
Teesside University

Bunnysniper
Senior Member
 

Re: Recover removed /var/log directory

Posted: Jun 06, 19 08:01

- banderas20
Hello,

I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.


benfindlay's comment was good. Check fstab in /etc to see if /var/log is mounted on a mem drive. Query the mem drive driver's configuration. And RTFM for the Linux distro; if there really is no /var/log (which I do not believe), it should be documented.

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer.

athulin
Senior Member
 

Re: Recover removed /var/log directory

Posted: Jun 06, 19 12:12

- benfindlay
I ask as the /var/log location can be volatile,


According to FHS, /var/log is mandatory. However, it need not be *the* place where logs are really kept: it may only contain links to the actual files. (See refspecs.linuxfoundati.../fhs.shtml and the section on /var/log.)

Thus, there is a technical possibility that it only contained symbolic links, and that all that may be retrievable are those links. (I can't recall having seen such a system, but ... I have not verified such details for the past year or so.)

Add to that that if /var or /var/log is considered to be shareable, it could technically also be located remotely (if I read FHS correctly) -- that is, remotely mountable, not only locally.

FHS does not really apply for file systems where users don't have access, so those cases are special. And some distros don't follow FHS, in which case all this is nonsense.

That is, it looks very much like OP may have to show that there was indeed a /var/log present (and not just a symlink or mountpoint), before it is reasonable to think about recovering remains from a deletion, or draw conclusions based on the absence of it. But perhaps that part is already covered well enough.

banderas20
Member
 

Re: Recover removed /var/log directory

Posted: Jun 20, 19 10:27

Hi,

The forensic analysis of the images shows several config files pointing to /var/log, which I can't seem to find.

However, maybe there is some way to carve the deleted files and search for them. I don't know how to do this, though...

Bunnysniper
Senior Member
 

Re: Recover removed /var/log directory

Posted: Jun 20, 19 11:01

- banderas20
.... several config files pointing to /var/log, which I can't seem to find.

However, maybe there is some way to carve the deleted files and search for them. I don't know how to do this, though...


In this case you can search for symlinks according to askubuntu.com/question...cular-file and use TSK (The Sleuth Kit) to carve for files. Autopsy should do it, too, if you mount the drive on a 2nd machine.

But to be honest... we are talking here about absolute basics. I really hope this case is not important and only of minor criticality.

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
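The two checks the thread converges on (Bunnysniper's "look at fstab for a mem drive" and athulin's point that /var/log may have been a symlink or mount point rather than a real directory, plus the TSK listing suggested above) can be scripted against a raw image. The following is an added example, not code from the thread: it works on a constructed /etc/fstab excerpt and a constructed `fls -r -p image.dd` listing, and the fls line format it parses (`type/type [* ]inode:<tab>path`, `*` marking a deleted entry) is an assumption of this example.

```python
import re

# Constructed /etc/fstab excerpt (not from the thread): /var/log on tmpfs, as on
# many embedded systems, means the logs never reached the disk image at all.
FSTAB = """\
/dev/sda1  /         ext4   defaults           0 1
tmpfs      /var/log  tmpfs  defaults,size=16m  0 0
/dev/sda2  /home     ext4   defaults           0 2
"""

# Constructed `fls -r -p image.dd` listing (The Sleuth Kit). Assumed line format:
# "<entry type>/<inode type> [* ]<inode>:<tab><path>"; "*" marks a deleted entry,
# inode types d, l, r are directory, symlink, regular file.
FLS = """\
d/d 11:\tlost+found
r/r 12:\tetc/fstab
d/d 13:\tvar
l/l 14:\tvar/log
d/d * 15:\tvar/log
r/r * 16:\tvar/log/auth.log
r/r * 17:\tvar/log/syslog
"""

FLS_LINE = re.compile(
    r"^[-a-z]/(?P<itype>[-a-z])\s+(?P<deleted>\*\s+)?(?P<inode>\d+)(?:-[\d-]+)?:\s+(?P<path>.+)$"
)

def var_log_mount(fstab: str):
    """Return (device, fstype) of the fstab entry mounted on /var/log, or None."""
    for line in fstab.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 3 and fields[1] == "/var/log":
            return fields[0], fields[2]
    return None

def triage_var_log(fls_output: str):
    """Was var/log a live directory, a symlink, or a deleted directory entry?
    Also collect deleted files under it as (inode, path) for icat/tsk_recover."""
    summary = {"live_dir": False, "symlink": False, "deleted_dir": False, "deleted_files": []}
    for m in filter(None, map(FLS_LINE.match, fls_output.splitlines())):
        path, itype, deleted = m["path"], m["itype"], bool(m["deleted"])
        if path == "var/log" and itype == "l":
            summary["symlink"] = True
        elif path == "var/log" and itype == "d":
            summary["deleted_dir" if deleted else "live_dir"] = True
        elif path.startswith("var/log/") and deleted:
            summary["deleted_files"].append((int(m["inode"]), path))
    return summary
```

A tmpfs hit from `var_log_mount` means there is nothing on disk to carve; a deleted directory entry with deleted children is the case where inode-based recovery is worth attempting before falling back to content carving.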
 
