Live Linux Forensics training coming up @WWHackinFest Deadwood! Let's do some daily Linux Forensics trivia as a lead-up! wildwesthackinfest.com/deadw…
Daily Linux Forensics Trivia #32 - You find entries in an Apache web server log whose timestamps are out of chronological order. Does this mean the log has been tampered with?

Oct 7, 2022 · 1:45 PM UTC

Trivia Answer #32 - It is actually not uncommon to find Apache log entries out of chronological order. The log timestamps show the time the web request was received, but the log entries are not written until the web response is completed.
This means that web requests that take longer than usual to be fulfilled may be logged later than shorter duration requests that were actually received after the slow web request. Shout outs to @DfirNotes and @mboelen on this one!
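
The check described in the trivia answer, as an added example that is not part of the original thread: it flags entries whose timestamp goes backwards and tests whether the request's duration accounts for the late write. It assumes a custom LogFormat that ends with `%D` (time taken to serve the request, in microseconds), which Apache's default combined format does not include; the log lines and the function name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed LogFormat (not Apache's default): %h %l %u %t "%r" %>s %b %D
# %t = time the request was received, %D = time taken to serve it (microseconds).
LINE_RE = re.compile(r'\[([^\]]+)\] "[^"]*" \d{3} \S+ (\d+)$')

# Constructed sample log, in the order the lines appear in the file.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 1200
192.0.2.11 - - [07/Oct/2022:10:00:03 +0000] "GET /style.css HTTP/1.1" 200 812 800
192.0.2.12 - - [07/Oct/2022:10:00:02 +0000] "GET /report?year=2021 HTTP/1.1" 200 912345 4500000
192.0.2.10 - - [07/Oct/2022:10:00:07 +0000] "GET / HTTP/1.1" 200 5120 900
192.0.2.13 - - [07/Oct/2022:10:00:04 +0000] "GET /login HTTP/1.1" 200 2048 1500
""".splitlines()


def review_out_of_order(lines, tolerance=timedelta(seconds=1)):
    """Return (line_number, explained) for each entry whose %t timestamp is
    earlier than one already seen. explained is True when received + duration
    (the approximate write time) still fits the order of the file."""
    findings = []
    latest_received = latest_completed = None
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.search(line)
        if not match:
            continue  # not in the assumed format; skip rather than guess
        received = datetime.strptime(match.group(1), "%d/%b/%Y:%H:%M:%S %z")
        completed = received + timedelta(microseconds=int(match.group(2)))
        if latest_received is not None and received < latest_received:
            # %t has one-second resolution, so allow that much slack.
            findings.append((number, completed >= latest_completed - tolerance))
        latest_received = max(received, latest_received or received)
        latest_completed = max(completed, latest_completed or completed)
    return findings


if __name__ == "__main__":
    for number, explained in review_out_of_order(SAMPLE_LOG):
        verdict = "explained by request duration" if explained else "needs a closer look"
        print(f"line {number}: {verdict}")
```

An entry reported as unexplained is only a lead for further review: clock adjustments or concatenated log files can produce the same pattern.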
Replying to @hal_pomeranz
Without RTFM, I'm guessing the logs are written when a connection / request ends, and since requests can be different sizes and vary in processing time, they could easily be out of order from our perspective?
Replying to @hal_pomeranz
I would guess that this is caused by different workers.