Questions tagged [forensics]
38 questions
56 votes, 2 answers
Mysterious visitor to hidden PHP page
On my website, I have a "hidden" page that displays a list of the most recent visitors. There exist no links at all to this single PHP page, and, theoretically, only I know of its existence. I check it many times per day to see what new hits I…

Bill
12 votes, 1 answer
Administrator view ALL mapped drives
In my understanding of security, an administrator should be able to view all connections to and from a computer - just as they can view all processes/owner, network connections/owning process. However, Windows 8 seems to have disabled this.
As…

jeubank12
10 votes, 4 answers
How to remotely perform a kill-switch on Windows 7?
I need to remotely perform a kill-switch on a Windows 7 Enterprise computer connected to an AD. Specifically, I need to
remotely access the machine without visible user interaction (I have a domain account which is administrator on the…

dareils
10 votes, 2 answers
How to determine which file/inode occupies a given sector
I received messages in /var/log/kern.log that indicate drive failure. The messages occurred while copying my $HOME between drives (ext4 -> ext3):
[ 5733.186033] sd 4:0:0:0: [sdb] Unhandled sense code
[ 5733.186038] sd 4:0:0:0: [sdb] Result:…

krlmlr
10 votes, 3 answers
Website defaced, what can I do?
My company's website has been defaced. Provided I have the Apache raw access log, is there anything I could do to analyze when and what went wrong?
I mean, what should I look out for among all those thousands and thousands of lines of log?
Thanks for the help

SteD
8 votes, 1 answer
Forensic Analysis of the OOM-Killer
Ubuntu's Out-Of-Memory Killer wreaked havoc on my server, quietly assassinating my applications, sendmail, apache and others.
I've managed to learn what the OOM Killer is, and about its "badness" rules. While my machine is small, my applications are…

Oddthinking
6 votes, 2 answers
rsnapshot diff between snapshots
I am using rsnapshot to manage incremental backups of some GNU/Linux servers.
Although rsnapshot is delivered with a tool called rsnapshot-diff, it just provides disk space statistics.
The question is how to get a diff: new and deleted files, on a…

Angus Macyver
6 votes, 3 answers
Foremost custom file type not accepted by -t argument
I'm trying to recover a deleted file on an ext3 file system using the foremost utility. The file I want to recover is an hpp C++ source code file. However, foremost does not automatically support the hpp file extension, so I have to add it to the…
Channel72
6 votes, 3 answers
Find IP address of a device?
Open question: How to find the IP address of a device?
As I understand, there are no guaranteed methods that always work, but there are a hundred approaches that work in specific situations, and I'd like to learn as many as possible.
The typical…

SF.
4 votes, 1 answer
How to disable automatic garbage collection on an SSD?
Solid State Drives (SSD) have a garbage collection functionality which makes space from deleted files available. It is triggered:
- automatically by the drive
- via a TRIM command sent by the OS
Is there a way to put an SSD in a state where the…

WoJ
4 votes, 2 answers
Virtual machine memory space forensics
In spite of the fact that the main point of virtualization is having "containerized" environments for every instanced OS without sharing memory space, are there techniques to perform forensics on either online or offline (paused) virtual…

bbanelli
3 votes, 1 answer
Recover ZFS deleted file names
I have to work on a server with a ZFS file system to recover deleted file names or recover the actual files. I have very basic knowledge of ZFS and couldn't find an easy way to achieve this. I just wonder if there are tools that do this or even just…

Mariam S
3 votes, 3 answers
How to calculate the starting address of a partition from MBR
Given an MBR and the structure of the MBR/partition table, how can you calculate the size and starting address of each partition?
For clarification, let's say I was given this:
Answer: There are three partition table entries shown in the MBR.
Partition…

에이바
2 votes, 2 answers
Sending ESXi Snapshot to 3rd party forensics team
We recently had a couple of security events occur, and we immediately took a snapshot of the VM as we wanted to preserve as much of the data as we could. Now we would like to send it to a 3rd party forensics team to determine the level of compromise.
My…

brittonballard
2 votes, 1 answer
Forensics on Virtual Private servers
So these days, with talk of hacked machines being used for malware spreading and botnet C&C, the one issue that is not clear to me is what law enforcement agencies do once they have identified a server as being a source or…

intiha