I love Log2timeline and have used it ever since the SANS forensic blog post on the Super Timeline talked about it. While this tool currently focuses mostly on Windows forensics, we can use its technique, and the methodology Rob Lee talks about, of combining multiple body files for analysis.
Let's say you have a Linux server running Apache and it gets compromised using a vulnerability that allows an attacker to post content to the server. The attacker then places a PHP shell on the system. Most of these shells allow attackers to upload and edit files, run commands on the local system, and interact with the database. This is a fairly common scenario, and I wanted to see if I could determine what commands the attacker ran by examining the Apache access logs and matching them up with the files that were accessed on the system at the same time.
I created a file system timeline of MAC times using fls (the output is the body file that gets combined with the Apache entries later):
# fls -r -m / /dev/sda1 > /tmp/mactimes.csv
I grepped through the access.log and pulled out the lines that contained POST to the PHP shell:
# grep POST access.log > /tmp/post-access.log
I wanted to combine the Apache logs with the file system times. To do this I needed to convert the Apache logs to the Sleuthkit body format. I wrote a quick bash script to get the file into the correct format. I have since rewritten this as a Log2timeline plugin and submitted it to the project (currently it's in the dev tree and being tested).
Then I used it to convert the log into the correct format:
# log2timeline -f apache /var/log/apache/access.log > /tmp/post-access.log
Then combine the two body files:
# cat /tmp/post-access.log /tmp/mactimes.csv > combined-body.txt
Then run mactime to convert the combined body file into a CSV file:
# mactime -d -z EST5EDT /tmp/combined-body.txt > output.csv
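The conversion step above is the part I had to write myself. As an added example that is not the author's bash script or the Log2timeline plugin, here is the same idea in Python: parse Apache "combined" log lines, keep only POSTs to the shell, and emit TSK 3.x body lines whose name field carries the request text, so they can be concatenated with the fls output and fed to mactime. The sample log lines are constructed to mirror the post's scenario, and the log's timezone offset (-0400) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the original post).
SAMPLE_LOG = """\
192.168.200.206 - - [01/May/2010:08:10:07 -0400] "POST /web/files/shell.php HTTP/1.1" 200 13600 "-" "Mozilla/5.0"
192.168.200.50 - - [01/May/2010:08:10:09 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.200.206 - - [01/May/2010:08:10:12 -0400] "POST /web/files/shell.php HTTP/1.1" 200 13600 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "request", status, size; referer/agent tail is ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z consumes the "-0400" offset, so timestamp() yields the correct UTC epoch
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split(" ")
    return {"ip": m.group("ip"), "req": m.group("req"),
            "method": parts[0], "path": parts[1] if len(parts) > 1 else "",
            "status": m.group("status"), "size": m.group("size"),
            "epoch": int(ts.timestamp())}

def to_body(e):
    """One TSK 3.x body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    # The request goes in the name field, tagged so it stands out in mactime output;
    # '|' is the field separator, so strip it from attacker-controlled text.
    name = '[apache log]%s "%s" %s %s' % (e["ip"], e["req"], e["status"], e["size"])
    name = name.replace("|", "_")
    t = e["epoch"]  # same value in all four slots makes mactime print "macb"
    return "0|%s|0|0|0|0|0|%d|%d|%d|%d" % (name, t, t, t, t)

def access_log_to_body(text, method="POST", path="/web/files/shell.php"):
    """Convert matching access-log lines to body format, ready to cat with fls output."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["method"] == method and e["path"] == path:
            out.append(to_body(e))
    return out

if __name__ == "__main__":
    print("\n".join(access_log_to_body(SAMPLE_LOG)))
```

The body lines carry UTC epoch seconds; mactime's -z option (EST5EDT above) is what turns them back into local display time alongside the fls entries.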
Below is an example of the output I ended up with. In this instance the attacker ran the /usr/bin/locate command from the shell and accessed /etc/passwd. If the system is a dedicated web server without many user accounts, you should be able to get a good mapping of what went on.
Mon May 01 2010 08:10:07,0,macb,0,0,0,0,[apache log]192.168.200.206 "POST /web/files/shell.php HTTP/1.1" 200 13600
Mon May 01 2010 08:10:07,0,.a..,r/rr-xr-xr-x,0,0,129187,/usr/bin/locate
Mon May 01 2010 08:10:12,0,macb,0,0,0,0,[apache log]192.168.200.206 "POST /web/files/shell.php HTTP/1.1" 200 13600
Mon May 01 2010 08:10:12,0,.a..,r/rr-xr-xr-x,0,0,129187,/etc/passwd