CHFI (312-49) Digital Forensics Simulation

Welcome to this web server log analysis simulation. You will examine HTTP access logs to identify forensic artifacts associated with availability-based network attacks, a critical skill in post-incident investigation.

Investigation Scenario

An e-commerce company in London experienced a severe outage of their primary checkout portal. The server became completely unresponsive for two hours on Black Friday. The incident response team restored the server, and a forensic investigator has now acquired the Apache access and error logs to conduct a timeline analysis and determine the root cause of the service disruption.

Evidence Collected

Item Number: EVD-2023-404-LOG
Evidence Type: Application Log (Apache access.log)
Path: /var/log/apache2/access.log
Hash (SHA-256): 7a3f8c9b1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9

[Investigator Terminal Session]

> head -n 5 access.log
192.168.1.105 - - [24/Nov/2023:14:00:01 +0000] "GET /checkout.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.168.1.105 - - [24/Nov/2023:14:00:01 +0000] "GET /checkout.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.168.1.105 - - [24/Nov/2023:14:00:01 +0000] "GET /checkout.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.168.1.105 - - [24/Nov/2023:14:00:01 +0000] "GET /checkout.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.168.1.105 - - [24/Nov/2023:14:00:01 +0000] "GET /checkout.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
... [14,500 identical entries in the same second] ...

> grep "24/Nov/2023:14:00:02" access.log | wc -l
18234

Question

While analyzing web server logs, an investigator sees a high volume of requests for a specific resource, causing the server to become unresponsive. This is a sign of:

A. Denial of Service (DoS) attack
B. SQL Injection
C. Directory Traversal
D. Privilege Escalation

Investigative Hint: Look at the core symptoms: "high volume" and "unresponsive". Which attack vector specifically targets the availability of a system rather than its confidentiality or integrity?

Expert Analysis

1. What the evidence shows

The `access.log` snippet reveals thousands of identical HTTP GET requests for a single resource (`/checkout.php`) within a single second. The `wc -l` count confirms a request rate no human browsing could produce (18,234 requests in one second). A spike of this size exhausts the server's connection pool, CPU cycles, and memory.

2. Forensic Stage

Examination and Analysis. The log files have been acquired and hashed. The investigator is now parsing the application logs and performing timeline analysis to identify anomalies corresponding to the reported downtime.

3. Why the correct answer is correct (A)

A Denial of Service (DoS) attack aims to disrupt service availability by flooding the target with requests, rendering it incapable of processing legitimate traffic. The logs directly corroborate the symptom of "unresponsiveness" due to an artificial "high volume" of requests.

4. Why others are wrong

  • B. SQL Injection: SQLi focuses on data manipulation. Forensic artifacts would show SQL syntax (e.g., `' OR 1=1 --`, `UNION SELECT`) injected into the URI parameters or request body.
  • C. Directory Traversal: This focuses on accessing unauthorized files. Logs would show path manipulation techniques like `../../../etc/passwd`.
  • D. Privilege Escalation: This focuses on gaining elevated access. Logs might show successful access to restricted administrative endpoints by a standard user account.

5. Real-World Forensic Action

The investigator must establish a timeline of the attack. They will use tools like `awk`, `grep`, or log aggregators (Splunk/ELK) to calculate requests per second (RPS), identify the attacking IP(s) or subnet(s), and correlate this network activity with system performance logs (like `/var/log/syslog` or CPU/RAM metrics) to definitively prove resource exhaustion caused the crash.

MINI LESSON: Baselining in Log Analysis

In digital forensics, identifying an anomaly requires knowing what "normal" looks like. During an investigation of an availability incident, investigators must perform a baseline comparison. By analyzing logs from a period of known standard operation (e.g., the day prior to the attack) and comparing request volume, frequency, and source IPs against the incident window, an investigator can quantify the deviation and demonstrate the occurrence of a DoS attack to a high degree of forensic certainty.
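The requests-per-second calculation and source attribution described in section 5, together with the baseline comparison from the mini lesson, as an added Python example that is not part of the original simulation. The log lines it parses are constructed to match the evidence format above; the parsing regex and the 10x-baseline-peak threshold are assumptions.

```python
import re
from collections import Counter

# Apache combined-log prefix: client IP, identd, user, [timestamp], "request", status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def _entry(ip, ts, path="/checkout.php", status=200):
    """Build one constructed log line in the same shape as the evidence snippet."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 4523 "-" "Mozilla/5.0"'

# Constructed baseline: a quiet period the day before, peak of 2 requests per second.
BASELINE_LOG = [
    _entry("10.0.0.7", "23/Nov/2023:14:00:01 +0000"),
    _entry("10.0.0.8", "23/Nov/2023:14:00:01 +0000", "/index.php"),
    _entry("10.0.0.9", "23/Nov/2023:14:00:02 +0000"),
    _entry("10.0.0.7", "23/Nov/2023:14:00:05 +0000", "/cart.php"),
]

# Constructed incident window: one source sends 40 identical requests in one second,
# while a legitimate client hits the site in the same second and another two seconds later.
INCIDENT_LOG = [_entry("192.168.1.105", "24/Nov/2023:14:00:01 +0000") for _ in range(40)]
INCIDENT_LOG.append(_entry("10.0.0.7", "24/Nov/2023:14:00:01 +0000", "/index.php"))
INCIDENT_LOG.append(_entry("10.0.0.8", "24/Nov/2023:14:00:03 +0000"))

def parse(lines):
    """Yield (ip, timestamp, request) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("req")

def requests_per_second(lines):
    """Count requests per whole-second timestamp (the grep | wc -l check, for every second)."""
    return Counter(ts for _, ts, _ in parse(lines))

def top_sources(lines, n=3):
    """Most active client IPs, to attribute the flood to a host or subnet."""
    return Counter(ip for ip, _, _ in parse(lines)).most_common(n)

def anomalous_seconds(lines, baseline, factor=10.0):
    """Seconds whose RPS exceeds factor x the baseline peak RPS: the baseline comparison."""
    peak = max(requests_per_second(baseline).values(), default=0)
    return {ts: n for ts, n in requests_per_second(lines).items() if n > peak * factor}

if __name__ == "__main__":
    for ts, n in sorted(anomalous_seconds(INCIDENT_LOG, BASELINE_LOG).items()):
        print(f"{ts}: {n} req/s exceeds 10x baseline peak")
    print("top sources:", top_sources(INCIDENT_LOG))
```

On a real acquisition, replace the constructed lists with `open("/var/log/apache2/access.log")` for the incident file and the prior day's rotated log for the baseline.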
