Recover removed /var/log directory

6 Posts
4 Users
0 Likes
519 Views
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello,

I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.

It seems it has been removed on purpose.

Is there any way to recover them?

I am using Autopsy software, and I can't find anything in removed files nor in Carved files…

Thanks in advance!

 
Posted : 05/06/2019 10:17 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

What kind of Linux system are you looking at? Is it from a standard computer system or is it an embedded device?

I ask as the /var/log location can be volatile, or other stuff may be going on. This is especially true of embedded devices such as routers and/or IoT devices. In these cases often the data either simply isn't there, or it is stored in a different part of the flash memory and mounted dynamically to the /var/log location.

 
Posted : 06/06/2019 7:43 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hello,

I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.

benfindlay's comment was good. Check fstab in /etc to see if /var/log is mounted on a mem drive. Query the mem drive driver's configuration. And RTFM for the Linux distro; if there really is no /var/log (which I do not believe), it should be documented.

regards,
Robin

 
Posted : 06/06/2019 8:01 am
(@athulin)
Posts: 1156
Noble Member
 

I ask as the /var/log location can be volatile,

According to FHS, /var/log is mandatory. However, it need not be *the* place where logs are really kept; it may only contain links to the actual files. (See https://refspecs.linuxfoundation.org/fhs.shtml and the section on /var/log.)

Thus, there is a technical possibility that it only contained symbolic links, and that all that may be retrievable are those links. (Can't recall I've seen such a system, but … I have not verified such details for the past year or so.)

Add to that that if /var or /var/log is considered to be shareable, it could technically also be located remotely (if I read FHS correctly.) – that is, remotely mountable, not only locally.

FHS does not really apply for file systems where users don't have access, so those cases are special. And some distros don't follow FHS, in which case all this is nonsense.

That is, it looks very much like OP may have to show that there was indeed a /var/log present (and not just a symlink or mountpoint), before it is reasonable to think about recovering remains from a deletion, or draw conclusions based on the absence of it. But perhaps that part is already covered well enough.

 
Posted : 06/06/2019 12:12 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hi,

The forensic analysis of the images shows several config files pointing to /var/log, which I can't seem to find.

However, maybe there is some way to carve in the deleted files and search for them. I don't know how to do this, though…

 
Posted : 20/06/2019 10:27 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

… several config files pointing to /var/log, which I can't seem to find.

However, maybe there is some way to carve in the deleted files and search for them. I don't know how to do this, though…

In this case you can search for sym links according to https://askubuntu.com/questions/429247/how-to-find-and-list-all-the-symbolic-links-created-for-a-particular-file and use TSK (The Sleuth Kit) to carve for files. Autopsy should do it, too, if you mount the drive to a 2nd machine.

But to be honest, we are talking here about absolute basics. I really hope this case is not important and only of minor criticality.

regards,
Robin

 
Posted : 20/06/2019 11:01 am
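The two checks the thread recommends, checking fstab for a volatile or remote /var/log and looking at TSK's deleted-entry listing for what is left of the directory, as an added example that is not part of the thread. The fstab and the fls-style listing below are constructed samples, not data from the poster's image, and the helper names are my own.

```python
import re

# Constructed sample /etc/fstab as read from the mounted image (not from the thread).
SAMPLE_FSTAB = """\
# <file system>    <mount point>    <type>  <options>          <dump> <pass>
UUID=1234-abcd     /                ext4    defaults           0      1
tmpfs              /var/log         tmpfs   defaults,size=32m  0      0
nas:/exports/logs  /var/log/remote  nfs     defaults           0      0
"""

# Constructed sample in the shape of `fls -r -p` output from The Sleuth Kit;
# a '*' marks a deleted entry, '(realloc)' a deleted entry whose inode was reused.
SAMPLE_FLS = """\
d/d 2:\tvar
d/d 1041:\tvar/cache
d/d * 1050:\tvar/log
r/r * 1051(realloc):\tvar/log/syslog
r/r * 1052:\tvar/log/auth.log
l/l 1060:\tvar/log/messages
"""

def fstab_mounts(text):
    """Map mount point -> (device, fstype), ignoring comments and blank lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            mounts[fields[1]] = (fields[0], fields[2])
    return mounts

def classify_path(path, mounts):
    """Say whether path lives on a volatile, remote or on-disk file system per fstab."""
    for mp in sorted(mounts, key=len, reverse=True):   # most specific mount point first
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            device, fstype = mounts[mp]
            if fstype in ("tmpfs", "ramfs"):
                return "volatile"            # never on the disk image at all
            if fstype in ("nfs", "nfs4", "cifs") or ":" in device:
                return "remote"              # FHS allows /var/log to be shareable
            return "on-disk"
    return "on-disk"                         # covered by the root file system

FLS_LINE = re.compile(r"^([a-z-]/[a-z-])\s+(\*\s+)?(\d+)(\(realloc\))?:\s+(.*)$")

def fls_entries(text, prefix):
    """Parse fls lines under prefix into dicts: inode, name, kind, deleted, realloc."""
    out = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m and (m.group(5) == prefix or m.group(5).startswith(prefix + "/")):
            out.append({"inode": int(m.group(3)), "name": m.group(5), "kind": m.group(1),
                        "deleted": m.group(2) is not None, "realloc": m.group(4) is not None})
    return out
```

A directory entry with `(realloc)` means the inode has been reused, so the name survives but the data blocks belong to something else now; symlink entries (`l/l`) point to where the logs really lived, which is the FHS caveat raised above.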