Poor Man's Digital Forensics
Michal Špaček
Lead Web Developer
Slevomat.cz
www.michalspacek.cz @spazef0rze
Web Server Application Logs LTEC2013

Slides from my short talk about web server logs at the Digital Forensics Panel at the LawTech Europe Congress 2013, Prague, Czech Republic.

Shows you why you should be writing and reading logs, before it's too late.

  1. Poor Man's Digital Forensics
     Michal Špaček, Lead Web Developer, Slevomat.cz
     www.michalspacek.cz @spazef0rze
  2. Web Developers
     http://example.com/products
     I'm a web developer. I've been a web developer since, like, 2000. Web developers, you know, build web applications, and web applications run on the Internet and use addresses just like the one above.
  3. So Web Developers
     http://example.com/product?id=123
     The better of us also build web applications with addresses looking like this one. Such an application displays a lot of useful details about a product, or whatever info the developer of the application wants it to display.
  4. Wow, Web Developers
     http://example.com/product?id='+UNION+SELECT+1,2,3,4+#
     SQL Injection Attack
     The best of us, web developers, build applications which display a lot of useful details and also whatever the bad guy wants the application to display. This is called the SQL Injection Attack; it is responsible for some major information leaks in the last few years and is caused by the developer not properly handling user input. It is pretty common, unfortunately.
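     As an added example (not code from the talk or from Slevomat.cz), here is the query behind a `product?id=` page in the vulnerable form and in the parameterised form, run against a constructed in-memory SQLite database. The table names, rows and the `demo` helper are made up for illustration; SQLite has no `#` comment, so the payload is the slide's `' UNION SELECT ...` probe terminated with `--` instead of `#`.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the shop database: a public products
    table and a private users table that the attacker is really after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price INTEGER, stock INTEGER);
        INSERT INTO products VALUES (123, 'Coffee maker', 99, 7);
        CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'admin@example.com', 'not-a-real-hash', 'admin');
    """)
    return conn

def product_vulnerable(conn, product_id):
    # The bug from the slide: the value from ?id= is pasted straight into the SQL text,
    # so a quote in it ends the string literal and the rest becomes SQL.
    sql = "SELECT id, name, price, stock FROM products WHERE id='%s'" % product_id
    return conn.execute(sql).fetchall()

def product_fixed(conn, product_id):
    # Parameterised query: the value travels separately from the statement, so the
    # quote and the UNION stay data and the query only ever looks up a product.
    sql = "SELECT id, name, price, stock FROM products WHERE id=?"
    return conn.execute(sql, (product_id,)).fetchall()

# The slide's probe is id='+UNION+SELECT+1,2,3,4+#  (spaces URL-encoded, MySQL '#' comment).
# Once the four placeholder columns are known to line up, the attacker swaps in the
# columns they want. SQLite has no '#' comment, so this constructed payload ends with '--'.
PAYLOAD = "' UNION SELECT id, email, password_hash, role FROM users --"

def demo():
    conn = make_db()
    leaked = product_vulnerable(conn, PAYLOAD)   # rows from users, rendered on the product page
    safe = product_fixed(conn, PAYLOAD)          # no product has that id: nothing comes back
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("fixed:     ", safe)
```

     The vulnerable variant returns the admin row of the private table on the product page; the parameterised variant returns an empty result for the same input and still finds product 123 for a normal id. The fix is the query shape, not input filtering: a `SELECT` keyword blocklist would not have stopped an attacker who encodes or rearranges the payload.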
  5. Many Web Developers
     http://example.com/products
     http://example.com/product?id=123
     http://example.com/product?id='+UNION+SELECT+1,2,3,4+#
     So we are web developers, building web applications. The applications are different, of course, but there's one thing making them all the same, at least from one particular point of view. The applications are viewed from web browsers making requests to web servers. And guess what…
  6. All the Internet
     WEB SERVERS are writing access LOGS!
     Yes! Exactly. Whenever there's a request coming from a browser, no matter what information ends up being sent back to it, the requested address is written down to the server access log. So later you can see what your users are looking for, if needed.
  7. All the Internet
     YOUR WEB APPLICATION should be writing application LOGS!
     Just like the web server, your application can also write log files. These files should contain more information and debugging data, because your application knows much more about the request than the server does. It knows a lot about the user making the request, what they want to buy and what the result of charging their payment instrument was.
  8. Many Logs
     ● Disk space
     ● Logger performance
     ● Somebody has to read logs
     Of course, logging is not easy. It's hard because logs take space, and once your log files are too big there's no more room for other data on the server and the server stops serving requests. The server has to perform well, because it simply has more things to do; your hard drives need to perform well too. And the hardest part about logging is that somebody has to read the logs.
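     An added example, serving slides 7 and 8 together (not the author's code): the kind of application log the talk asks for, one JSON object per event carrying the request id, user id, order and the result of charging the card, written through a size-capped rotating handler so the log cannot fill the disk and stop the server. The logger name, field names and the checkout event are assumptions made for illustration; the card number is the usual test number and is masked before it is written.

```python
import json
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

# Fields the application knows and the web server does not (assumed names).
CONTEXT_FIELDS = ("request_id", "user_id", "path", "order_id", "payment_result")

class JsonFormatter(logging.Formatter):
    """One JSON object per line: easy to grep by hand, easy to ship to a collector."""
    def format(self, record):
        entry = {
            "time": self.formatTime(record, "%Y-%m-%dT%H:%M:%S%z"),
            "level": record.levelname,
            "event": record.getMessage(),
        }
        for key in CONTEXT_FIELDS:           # supplied via logger.info(..., extra={...})
            if hasattr(record, key):
                entry[key] = getattr(record, key)
        return json.dumps(entry)

def make_app_logger(path, max_bytes=10_000_000, backups=10):
    """Size-capped rotation: at most (backups + 1) * max_bytes ever sits on disk,
    so the log cannot eat the partition and take the server down with it."""
    logger = logging.getLogger("shop")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()                  # idempotent for repeated calls
    handler = RotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger

def mask_card(pan):
    """Keep only the last four digits; a full card number does not belong in a log."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

def log_checkout(logger, request_id, user_id, order_id, pan, charged_ok):
    """Record who bought what and whether the charge succeeded, as the slide asks."""
    logger.info("checkout", extra={
        "request_id": request_id,
        "user_id": user_id,
        "path": "/checkout",
        "order_id": order_id,
        "payment_result": {"card": mask_card(pan), "charged": charged_ok},
    })

def demo(path=None):
    """Write one constructed checkout event and read the file back as parsed records."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "app.log")
    logger = make_app_logger(path)
    log_checkout(logger, "req-7f3a", 42, 1001, "4111 1111 1111 1111", True)
    for h in logger.handlers:
        h.flush()
    with open(path) as f:
        return [json.loads(line) for line in f]

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

     The request id is the piece that lets the application line be joined back to the web server's access-log line for the same request, which is what makes the two logs more useful together than either is alone.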
  9. Be a Digital Forensics Guy
     Search the logs for SELECT
     BUT! If you have logs, you can be a digital forensics guy too! No, not the pro one, but good enough to detect a breach or a data leak. Just search the logs for some keywords; while you may get some false positives, you may also spot something. Remember the SQL Injection Attack example? But please, don't modify the logs: the pros need them in their original state.
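     An added example of the keyword search from this slide, run over constructed access-log lines in the common combined format (not the author's code and not real traffic). It URL-decodes the request before matching, because the slide's payload arrives on the wire as `'+UNION+SELECT+...+%23`; it treats the UNION SELECT and quote-OR tautology probes as strong hits and the plain `SELECT` keyword as a weak one, so the harmless shop search on the last line shows up as exactly the false positive the talk warns about; and it fingerprints the log text instead of touching the file, in keeping with the "don't modify the logs" advice. The IP addresses, timestamps and rule names are invented for the example.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache/Nginx combined log format (not real traffic).
# Line 3 carries the slide's UNION SELECT probe, line 4 a quote-OR tautology,
# line 5 a harmless shop search that merely contains the word "select".
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2013:10:01:02 +0100] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2013:10:01:09 +0100] "GET /product?id=123 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2013:10:02:44 +0100] "GET /product?id='+UNION+SELECT+1,2,3,4+%23 HTTP/1.1" 200 2310 "-" "curl/7.32.0"
198.51.100.7 - - [12/Nov/2013:10:02:45 +0100] "GET /product?id=123%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "curl/7.32.0"
192.0.2.9 - - [12/Nov/2013:10:03:10 +0100] "GET /search?q=select+your+size HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Rules run on the URL-decoded request target. The strong ones rarely appear in
# legitimate traffic; "select_anywhere" is the slide's plain keyword grep and is noisy.
STRONG_RULES = [
    ("union_select", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I)),
    ("tautology", re.compile(r"'\s*OR\s*'?\w*'?\s*=\s*'?\w*", re.I)),
]
WEAK_RULES = [
    ("select_anywhere", re.compile(r"\bSELECT\b", re.I)),
]

def fingerprint(log_text):
    """SHA-256 of the evidence as received, so later work can be shown to use an unmodified copy."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()

def scan(log_text):
    """Return one dict per request that matched any rule. Read-only on purpose."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; in real use report it rather than drop it silently
        decoded = unquote_plus(m["target"])
        rules = [name for name, rx in STRONG_RULES + WEAK_RULES if rx.search(decoded)]
        if rules:
            hits.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                         "target": decoded, "rules": rules})
    return hits

def triage(hits):
    """Split hits into those worth acting on now and those to eyeball later."""
    strong_names = {name for name, _ in STRONG_RULES}
    strong = [h for h in hits if strong_names & set(h["rules"])]
    weak = [h for h in hits if not strong_names & set(h["rules"])]
    return strong, weak

if __name__ == "__main__":
    print("log sha256:", fingerprint(SAMPLE_LOG))
    strong, weak = triage(scan(SAMPLE_LOG))
    for h in strong:
        print("STRONG", h["ip"], h["time"], h["target"], h["rules"])
    for h in weak:
        print("weak  ", h["ip"], h["time"], h["target"], h["rules"])
```

     A 500 response next to a tautology probe is worth a second look on its own: the error suggests the quote reached the database. Grepping the raw file for `SELECT` would have caught the third line but missed the fourth entirely.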
  10. Michal Špaček says
     Write logs
     Read logs
     Before it's too late
     Here's my advice. Write the logs. Read them as well. A lot of companies don't know they had their data leaked until they read it on TechCrunch or Slashdot. That is far too late. Do something so that you're the first one to know that something went wrong. The second one, actually: the first one is always the guy making away with your data.