auth.log / secure
Location
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)Description
Authentication log recording all PAM-based authentication events including SSH logins, sudo usage, su escalation, user creation (useradd), password changes, and public key acceptance.
Forensic Value
This is the primary artifact for detecting unauthorized access on Linux. Accepted publickey entries confirm SSH key-based access and log the key fingerprint, identifying which key was used. Repeated "Failed password" entries expose brute-force attacks with source IPs. Sudo command logs record the exact commands run with elevated privileges, creating an execution timeline for privileged actions even when .bash_history is cleared.
Tools Required
Collection Commands
cp
cp /var/log/auth.log /forensics/output/auth.log
journalctl
journalctl -u sshd --since "2024-01-01" --output json > /forensics/output/sshd_journal.json
grep
grep -E "Failed|Accepted|session opened|sudo" /var/log/auth.log > /forensics/output/auth_filtered.log
tar
tar czf /forensics/output/auth_logs.tar.gz /var/log/auth.log*
Collection Constraints
- •Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- •Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
Host Wiped Before Forensic Acquisition
The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.
Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.
Law Enforcement Requested Investigation Pause
A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.
Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete
The attacker has employed anti-forensic techniques: timestomping ($MFT/$STANDARD_INFORMATION manipulation), log clearing (Security.evtx wiped, journalctl truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure-delete of specific indicators. Standard forensic analysis produces incomplete or misleading results.
Investigation Requires Air-Gapped Network Access
The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully-controlled trusted-transfer workflows that do not breach the air gap.