Thursday, April 21, 2011

Converting Apache Timestamps to Something Forensically Useful

Your webserver got popped. Bad guys are using it as a phishing link destination to compromise browsers. You get the fun part of forensic analysis of the host to figure out how the compromise happened. Sweet! Let's make a time line of filesystem activity and add to that the Apache Access log data.

There are two problems to solve.
1) Standardize time. (I prefer GMT)
2) Standardize your time line data. (I prefer the Bodyfile format)

So you use The Sleuthkit to gather some time data from the filesystem and have some time line data you want to add the Apache data. Now you have some conversion to handle, but I already went through the trouble. Get the Apache Log Bodyfile Conversion script here. For now it only has support for Apache Access Combined Log format. It will soon be expanded to handle Error log data.

Apache Combined Access Log Default Timestamp Format:
The default looks like this: [27/Mar/2011:06:40:10 +0000] and that isn't too useful for sorting by time. We have to take this and convert it to Unix epoch time format. The Apache log conversion script does this.

Apache to Bodyfile Format:
Here, whatever you feel will be useful to extract from the Apache log and add to the master time line you take. The script by default takes the client's IP and the request line. It is easy enough to modify the script to export other data. Line 82 contains the format string for the bodyfile output.

Now you have Apache data compatible with The Sleuthkit's mactime time line creator. Happy hunting.

No comments:

Post a Comment