Consider a scenario where we have been tasked to investigate a server that was compromised and defaced by the attackers. The administration team has all the practices, such as logging and full packet capturing, in place. However, it seems that someone also cleared out logs, as suggested by its Modified, Accessed, Created, Executed (MACE) properties. There are very few entries in the Apache logs, as shown in the following log set:
192.168.153.1 - - [25/Mar/2019:14:43:47 -0400] "GET /site/ HTTP/1.1" 200 701 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0" 192.168.153.1 - - [25/Mar/2019:14:43:47 -0400] "GET /icons/blank.gif HTTP/1.1" 200 431 "http://192.168.153.130/site/" "Mozilla/5.0 ...