*Digital Forensic Science*

devices such as the router, switches, server, and VM instances and from other internal components, namely hard disk, RAM images, physical memory, log files, etc., at different time intervals. The information about different types of attacks is stored in various log files such as application logs, system logs, security logs, setup logs, network logs, Web server logs, audit logs, VM logs, etc., which are given as follows:

• *Application log* is created by developers inserting events into the program. Application logs help system administrators understand the state of an application running on the server.

• *System log* contains the information regarding date and time of the log creation, type of messages such as debug, error, etc., system-generated messages related to the occurrence, and processes that are affected by the occurrence of an event.

• *Firewall log* provides information related to source routed packets, rejected IP addresses, outbound activities from internal servers, and unsuccessful logins.

• *Network log* contains detailed information related to different events that happened on the network. The events include recorded malicious traffic, packet drops, bandwidth delays, etc. The network administrator monitors and troubleshoots daily activities by analyzing network logs for different intrusion attempts.

• *Web server log* records entries related to the Web pages running on the Web server. The entries contain the history of a page request: client IP address, date and time, HTTP code, and bytes served for the request.

• *Audit log* records unauthorized access to the system or network in sequential order. It assists security administrators in analyzing malicious activities at the time of attack. The information in audit log files includes source and destination addresses, user login information, and timestamp.

• *VM log* records information specific to instances running on the VM, such as startup configuration, operations, and the time the VM instance finishes its execution. It also records the number of instances running on the VM, the execution time of each application, and application migration, to assist the CSP in finding malicious activities that happen during the attack.

As network usage grows and new software is released in the cloud, the number of vulnerabilities and attacks on the cloud increases, and these attacks are reflected in various log files. Application layer attacks are reflected in various logs, namely the access log, network log, authentication log, etc., and also in the log file traces stored on the Apache server. These logs are used for forensic examination to detect application layer attacks. **Table 1** indicates the various attack information and the tools used for log analysis of different types of attacks. **Figure 2** shows the sample access log trace (**Table 2**).

• *Sample Network Log Entry*

```
[**] [1:1407:9] SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2]
03/12-15:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162
UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87
```

• *Sample Firewall Log Entry*

```
03/12/2015 8:14:07 AM,"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (KENT(172.30.128.27),netbios-ssn(139)). Remote address,service is (192.168.1.54,39922). Process name is ""System""."
03/12/2015 9:04:04 AM,Firewall configuration updated: 398 rules., Firewall configuration updated: 398 rules.
```
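Forensic log analysis of the kind described above starts by normalising heterogeneous records into one timeline that can be pivoted on a host. The following Python is an added example, not code from the chapter: it parses the two sample records shown on this page (the Snort-style full-format IDS alert and the firewall CSV rows) into common event dictionaries, merges them into a time-ordered list, and selects every event touching a given address. The sample input is copied from the page; the year 2015 applied to the IDS alert is an assumption, since that alert line carries no year, and the field names (`src_ip`, `kind`, etc.) are this example's own.

```python
"""Normalise an IDS alert and firewall CSV rows into one forensic timeline."""
import csv
import io
import re
from datetime import datetime

# Sample input copied from the page (Snort full-alert format: three lines per alert).
SNORT_ALERT = """\
[**] [1:1407:9] SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2]
03/12-15:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162
UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87
"""

# Sample input copied from the page (firewall export; doubled quotes are CSV escaping).
FIREWALL_CSV = """\
03/12/2015 8:14:07 AM,"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (KENT(172.30.128.27),netbios-ssn(139)). Remote address,service is (192.168.1.54,39922). Process name is ""System""."
03/12/2015 9:04:04 AM,Firewall configuration updated: 398 rules., Firewall configuration updated: 398 rules.
"""

ASSUMED_YEAR = 2015  # assumption: the IDS alert has no year, so borrow it from the firewall log

_HDR = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]"
                  r"(?: \[Classification: ([^\]]+)\])?(?: \[Priority: (\d+)\])?")
_FLOW = re.compile(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
_IPHDR = re.compile(r"(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
_LOCAL = re.compile(r"Local address,service is \((\w+)\(([\d.]+)\),([\w-]+)\((\d+)\)\)")
_REMOTE = re.compile(r"Remote address,service is \(([\d.]+),(\d+)\)")
_DIR = re.compile(r"(Inbound|Outbound) (TCP|UDP) connection")


def parse_snort_alert(text, year=ASSUMED_YEAR):
    """Parse full-format alerts (header, flow, IP-header lines) into event dicts."""
    events = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 2, 3):
        hdr, flow, iph = _HDR.match(lines[i]), _FLOW.match(lines[i + 1]), _IPHDR.match(lines[i + 2])
        if not (hdr and flow and iph):
            continue  # leave unparseable alerts out rather than guessing at fields
        gid, sid, rev, msg, classification, priority = hdr.groups()
        mon, day, hh, mm, ss, usec, src, sport, dst, dport = flow.groups()
        events.append({
            "time": datetime(year, int(mon), int(day), int(hh), int(mm), int(ss), int(usec)),
            "source": "ids", "kind": "alert",
            "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "classification": classification, "priority": int(priority) if priority else None,
            "proto": iph.group(1), "src_ip": src, "src_port": int(sport),
            "dst_ip": dst, "dst_port": int(dport),
            "ttl": int(iph.group(2)), "ip_id": int(iph.group(4)), "dgm_len": int(iph.group(6)),
        })
    return events


def parse_firewall_csv(text):
    """Parse rows of (timestamp, summary, details); classify connections vs. config changes."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue
        summary, details = row[1].strip(), row[2].strip()
        ev = {"time": datetime.strptime(row[0].strip(), "%m/%d/%Y %I:%M:%S %p"),
              "source": "firewall", "summary": summary, "src_ip": None, "dst_ip": None}
        local, remote, direction = _LOCAL.search(details), _REMOTE.search(details), _DIR.search(details)
        if local and remote and direction:
            ev["kind"] = "blocked_connection" if "blocked" in summary else "connection"
            ev["proto"], ev["host"] = direction.group(2), local.group(1)
            # Orient src/dst by direction so IDS and firewall events compare like for like.
            remote_ep = (remote.group(1), int(remote.group(2)))
            local_ep = (local.group(2), int(local.group(4)))
            src, dst = (remote_ep, local_ep) if direction.group(1) == "Inbound" else (local_ep, remote_ep)
            ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"] = src + dst
        elif "configuration updated" in details:
            ev["kind"] = "config_change"  # rule-set changes matter when reconstructing an incident
            m = re.search(r"(\d+) rules", details)
            ev["rule_count"] = int(m.group(1)) if m else None
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def build_timeline(*event_lists):
    """Merge per-source event lists into one chronologically ordered list."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


def events_for_host(events, ip):
    """Pivot: every event in which the address appears as source or destination."""
    return [e for e in events if ip in (e.get("src_ip"), e.get("dst_ip"))]


if __name__ == "__main__":
    timeline = build_timeline(parse_snort_alert(SNORT_ALERT), parse_firewall_csv(FIREWALL_CSV))
    for e in events_for_host(timeline, "172.30.128.27"):
        print(e["time"], e["source"], e["kind"], e.get("src_ip"), "->", e.get("dst_ip"))
```

Pivoting on the local host address shows why merging matters: the blocked NetBIOS connection from the firewall log and the SNMP-trap alert from the IDS both target the same server, but neither source alone reveals that two different external hosts probed it within the same day.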
