Description: list of items to consider for web server forensic analysis

What to scrutinize

• Excessive access attempts to non-existent files

• Code (SQL, HTML) seen as part of the URL

• Access to extensions you have not implemented

• Web service stopped/started/failed messages

• Access to “risky” pages that accept user input

• Look at logs on all servers in the load balancer pool

• HTTP Error Codes

  • Error code 200 on files that are not yours

  • Failed user authentication: Error code 401, 403

  • Invalid request: Error code 400

  • Internal server error: Error code 500

Resources

• Critical Log Review Checklist for Security Incidents