Digital Evidence and Computer Crime, Second Edition
11.5 Log Files
UNIX systems have a variety of logs that can be useful in an investigation. Logons and logoffs, or any event on a UNIX computer for that matter, can create entries in one or more system log files. An entry may be made in the lastlog file that can be interpreted using the lastlog command, and in the wtmp and utmp databases that can be interpreted using the last command. The degree of detail in these logs varies depending on how logging is configured. UNIX systems can even be configured to record the commands that each user account executed using process accounting (pacct files are accessed using lastcomm) or the Basic Security Module (BSM) on Solaris. Additionally, servers running on UNIX machines may have logs that can be useful for reconstructing events and tracking down offenders as discussed in Part 3 of this text.
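An examiner who cannot run last on the original machine (or does not trust its binaries) will often parse a copied wtmp file offline. The following is an added example, not from this book: a small Python parser that reads raw wtmp/utmp records and pairs logins with logouts the way last does. It assumes the 384-byte glibc struct utmp layout used on x86_64 Linux (Solaris and the BSDs use different utmpx layouts), and the sample records it parses are constructed in the script rather than taken from any real host.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes, little-endian.
# Verify sizeof(struct utmp) on the source system before trusting this on
# another UNIX flavour; Solaris and BSD utmpx records are laid out differently.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME = 2      # ut_type values from <utmp.h>
USER_PROCESS = 7
DEAD_PROCESS = 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return a list of records from raw wtmp/utmp bytes; a truncated tail is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ident, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec, seconds since the epoch
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, timezone.utc),
        })
    return records


def build_sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty,
    as last(1) does; a login with no matching logout is reported as still active."""
    open_by_line = {}
    sessions = []
    for rec in records:
        if rec["type"] == USER_PROCESS:
            open_by_line[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS and rec["line"] in open_by_line:
            start = open_by_line.pop(rec["line"])
            sessions.append({"user": start["user"], "line": start["line"],
                             "host": start["host"], "login": start["time"],
                             "logout": rec["time"]})
    for start in open_by_line.values():
        sessions.append({"user": start["user"], "line": start["line"],
                         "host": start["host"], "login": start["time"],
                         "logout": None})
    return sessions


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed record (test data only, not copied from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, two logins, and one logout (hosts are documentation ranges).
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1700000000),
    make_record(USER_PROCESS, 4201, "pts/0", "alice", "203.0.113.5", 1700000100),
    make_record(USER_PROCESS, 4377, "pts/1", "bob", "198.51.100.7", 1700000200),
    make_record(DEAD_PROCESS, 4201, "pts/0", "", "", 1700000400),
])


if __name__ == "__main__":
    # To parse a copied file instead: data = open("wtmp.copy", "rb").read()
    for s in build_sessions(parse_utmp(SAMPLE_WTMP)):
        end = s["logout"].isoformat() if s["logout"] else "still logged in"
        print(f'{s["user"]:<10} {s["line"]:<8} {s["host"]:<16} {s["login"].isoformat()}  {end}')
```

Timestamps are rendered in UTC so that records from hosts in different time zones line up; a real wtmp can also contain zeroed or out-of-order records when the file was truncated or rotated, which is why the parser stops at a partial trailing record rather than failing.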