
System Log Files

This video describes system log files, which are targeted in Phase 5 of the typical hacking methodology.
In this video, we’re going to be talking about system log files. As we remember, the last phase of hacking, phase 5, is going to be clearing tracks. Now, part of clearing tracks is going to be going after your log files and clearing those particular logs out, either wiping them out completely or, if they’re more careful, deleting just the entries that they end up leaving in your log files in order to clear tracks, make it harder to find them, and also make it harder to identify that anyone did anything on your network.
Now, what does a log file contain anyway? Well, log files are going to contain who logged in, when a user logged in, what system they are logging into, ID, IP address, files that were accessed, files that were modified, login times, logout times, et cetera. So you see, log files contain a wealth of information, and this is typically why a malicious hacker is going to want to go in there and clear those tracks out, because they don’t want to leave a lot of information behind. Again, login time, logout time, what they logged into: all this stuff is going to help you pinpoint exactly what they did on your network.
So again, this is why it’s important for me to clear these tracks out. So this is a typical Windows log file, and this is a very small snippet of a particular log. Logs can be huge files depending on how much is going on in your network and how long those log files have been running for. And typically, network administrators will occasionally delete out those logs, because log files will fill up a hard drive on a server. Especially if it’s a pretty busy server like a domain server, for example. So with all this information being processed, it could be a little hard to dig through it.
But again, there’s a lot of information here, and it’s going to be a text file. And for Windows users, you could find it over at Control Panel, System Security, Administrative Tools, Event Viewer, Windows Log. So let’s take a look at this little screenshot I took here. So as you see, it’s broken out into different sections - subject, login type, new login, process information, network information, detailed authentication information. So we have security ID, account names, account domains, login IDs, login types. We have login GUIDs, process IDs, process names, workstation names, source network address, port numbers, authentication packets, transmitted services, key links, et cetera. So as you see, there is a lot of information here.
And if someone’s on the network, if you think something weird’s going on or you’re just going through the logs to be on the safe side, again, we could find a lot of information here. Potentially if a malicious hacker didn’t clear the tracks and we found the actual entry, well, then we could see, well, they got on to this system at this time, modified these files, I need to take a look at these files, or I need to restore these files. We also could see that, well, by this IP address and by this login name, I could see they took over John Doe’s account on his workstation. And they got on our network.
Otherwise, I could see things like where they created a new account using this name; I could see that login because I don’t recognise that name. And I don’t recognise this IP address. So I could do a traceroute on that IP address and potentially find out where that malicious hacker came from, or at least what ISP they came from, or VPN provider, and go from there. So again, this is really why a malicious hacker is going to want to clear these tracks on their way out. Because they don’t want to leave all this information behind for you.
Now, for Linux users, you can go to the /var/log directory to get to your log files, but they are going to be pretty similar to the Windows ones.
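As an added example (not from the video or the course), here is how a defender can act on the fields the video walks through. It parses constructed logon records written in the Event Viewer field style (Account Name, Account Domain, Logon Type, Workstation Name, Source Network Address) and flags unrecognised accounts, logons from outside the trusted network, and gaps in record numbers that may indicate entries were deleted. The field names, the known-account list, the record-number layout and the 10.0.0.0/8 trusted range are all assumptions for the example.

```python
import ipaddress
import re

# Constructed sample records (not real log data) in the field style the
# video describes; RecordID is assumed to be a strictly increasing counter.
SAMPLE_LOG = """\
RecordID=1001 AccountName=jdoe AccountDomain=CORP LogonType=2 WorkstationName=WS-JDOE SourceNetworkAddress=10.0.0.15
RecordID=1002 AccountName=jdoe AccountDomain=CORP LogonType=3 WorkstationName=WS-JDOE SourceNetworkAddress=10.0.0.15
RecordID=1003 AccountName=svc_backup AccountDomain=CORP LogonType=4 WorkstationName=FS01 SourceNetworkAddress=10.0.0.40
RecordID=1006 AccountName=helpdesk2 AccountDomain=CORP LogonType=10 WorkstationName=WS-JDOE SourceNetworkAddress=203.0.113.77
"""

# Assumed baseline: accounts the administrator expects to see, and the
# internal address range logons normally come from.
KNOWN_ACCOUNTS = {"jdoe", "svc_backup", "administrator"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Turn each non-empty 'Key=Value ...' line into a dict of its fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def in_trusted_net(addr):
    """True if addr parses as an IP address inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def review_log(text):
    """Return findings: record-number gaps, unknown accounts, untrusted sources."""
    findings = []
    prev_id = None
    for rec in parse_records(text):
        rid = int(rec["RecordID"])
        # A jump in the counter means records between prev_id and rid are gone.
        if prev_id is not None and rid != prev_id + 1:
            findings.append(f"gap: records {prev_id + 1}-{rid - 1} missing (possible deletion)")
        prev_id = rid
        if rec["AccountName"] not in KNOWN_ACCOUNTS:
            findings.append(f"record {rid}: unrecognised account {rec['AccountName']}")
        if not in_trusted_net(rec["SourceNetworkAddress"]):
            findings.append(f"record {rid}: logon from untrusted address {rec['SourceNetworkAddress']}")
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

The same review applies to a Linux host by pointing the parser at the logon records under /var/log with a regex for that file's format.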

This video offers a description of system log files, which are files that are targeted in Phase 5 of the typical hacking methodology.

In step 1.9 you were introduced to the five steps hackers follow when trying to breach a network. Phase five of this process is typically when hackers will target your log files. This video covers the role of system log files, why they are targeted by hackers, and how hackers may do this.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.
