Understand IIS Web Server Architecture in Forensic Investigation
Internet Information Server (IIS), a Microsoft-developed application, is a Visual Basic code application that lives on a web server and responds to requests from the browser. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. An IIS application uses HTML to present its user interface and uses compiled Visual Basic code to process the requests and respond to events in the browser. IIS for Windows Server is a flexible and easy-to-manage web server for web hosting.
The IIS server constitutes 29.83% of the market share according to https://news.netcraft.com, February 2016. IIS provides various components with important functionality for the application and web server roles on Windows Server machines.
IIS components include:
- Protocol listeners (HTTP.sys)
- Web services like World Wide Web Publishing Service (WWW service)
- Windows Process Activation Service (WAS)
IIS components’ responsibilities include:
- Listening to the requests coming from the server
- Managing processes
- Reading configuration files
IIS depends mostly on a group of dynamic-link libraries (DLLs) that work collectively with the main server process (inetinfo.exe), each providing different functions, e.g., content indexing, server-side scripting, web-based printing, etc. The open architecture of IIS enables an attacker to exploit the web server with malicious content. Without service packs or hot fixes on an IIS web server, there are numerous possibilities that the IIS process inetinfo.exe calls a command shell. This is disturbing, as there is no inherent need for inetinfo.exe to invoke a command prompt.
Investigating IIS Logs
The IIS server might become vulnerable if there are any coding or configuration issues, which can allow attackers to exploit it if not addressed in time. When such attacks occur, forensic investigators examine the IIS logs to trace the attempts made by the attacker to exploit the server. The IIS logs provide useful information regarding user activities. Most often, the log files are located at %SystemDrive%\inetpub\logs\LogFiles.
Note: The log storage location may vary if the administrator has configured IIS to record and store the logs in some other location. To find it, open the Windows Start menu, go to Administrative Tools and click on Internet Information Services (IIS) Manager. Expand the server name’s folder and click on the Sites folder to load a list of sites in the content pane, then open the site’s settings in the content pane. (Alternatively, you can expand the Sites folder and click on the site name in the left-hand tree view.) Select Logging from the content pane to load the Logging settings. The Directory field shows the path in which your logs reside; navigate to the LogFiles folder by following that path.
Within the LogFiles folder you’ll find a subfolder for each site configured in IIS, labeled W3SVC1, W3SVC2, etc. The last number in the folder name corresponds to the Site ID. Find the folder that matches the site’s ID.
Each virtual server has its own subdirectory for log files, named W3SVCn, where ‘n’ represents the number of the virtual server. The W3SVCn subdirectories store log files named u_exyymmdd.log, where ‘yy’ refers to the year, ‘mm’ refers to the month, and ‘dd’ refers to the day. The IIS log file format is a non-customizable, fixed ASCII text-based format. The IIS format includes basic items, such as client IP address, username, date and time, service and instance, server name and IP address, request type, target of operation, etc.
Maintaining Credible IIS Log Files
It is crucial to maintain the credibility of the IIS log files, as they are the principal evidence used by forensic investigators to investigate web attacks. Before presenting the evidence in court, it is essential to present convincing arguments to prove that the submitted evidence (log files) is trustworthy and substantial. Steps should be taken to maintain the authenticity, accuracy, and accessibility of the log files. The investigators may also calculate the hash value of the evidence at the time of seizure and submit it along with the evidence, in order to prove its integrity.
Investigating IIS Logs: Best Practices
Web server logs are huge in volume, and examining such logs is a tedious task. The slide contains some of the best practices for examining the logs.
In addition to the best practices discussed above, forensic investigators can narrow down the log search by following the steps mentioned below:
- While investigating web attacks, a forensic examiner can go through the victim’s incident report, so that he/she can narrow down the log search.
- Logs are generally stored in ASCII format, and each log file has column headers located at the top of that file. Investigators can write simple scripts to parse the log files and filter the required information, such as source IP, status or response code, etc.
- Use log viewers to view and examine logs
- If investigators are aware of what they are searching for, they can use signatures to look for indications of specific activity.
- When IIS records the logs in W3C Extended log file format, IIS stores all the logged events with GMT timestamps, instead of the local time zone of the system. Investigators need to consider this point while examining the logs, since IIS creates a new log file each day at midnight GMT.
Coordinated Universal Time (UTC)
IIS records logs using UTC, which helps in synchronizing servers in multiple time zones. To calculate UTC, Windows offsets the value of the system clock by the system time zone. A network administrator must ensure an accurate local time zone setting to validate the UTC. In addition, the administrator should also verify whether IIS is set to roll over logs using local time. The server’s time zone setting can be verified by looking at the first entries in the log file. If the server is set to UTC -06:00, then the first log entries should appear around 18:00 local time (00:00 − 06:00 = 18:00). Because UTC does not follow daylight saving time, the administrator must also consider the date: for example, an offset of UTC -6:00 becomes -5:00 for half the year.
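As an added example (not part of the original article), the following Python script parses a W3C Extended IIS log by reading its #Fields header, filters entries by status code or client IP as suggested above, and converts the UTC timestamps to the server's local offset so the midnight-GMT rollover lines up with local time. The log entries are constructed for illustration and do not come from any real server.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a W3C Extended IIS log; the entries are made up
# for illustration and are not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2016-02-10 00:00:07
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-02-10 00:00:07 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2016-02-10 00:00:09 10.0.0.5 GET /admin/login.aspx - 80 - 203.0.113.10 Mozilla/5.0 401 2 5 8
2016-02-10 00:00:12 10.0.0.5 GET /old/report.asp - 80 - 198.51.100.7 curl/7.47 404 0 2 3
2016-02-10 00:01:30 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 120
"""


def parse_iis_log(text):
    """Parse W3C Extended log text into dicts keyed by the column names
    of the most recent #Fields directive (IIS can emit it more than once)."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                 # directive, not an event
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        # Fields are space-delimited; IIS encodes spaces inside values as '+'
        row = dict(zip(fields, line.split(" ")))
        # '-' is the W3C placeholder for an empty field; normalise to None
        rows.append({k: (None if v == "-" else v) for k, v in row.items()})
    return rows


def to_local(row, utc_offset_hours):
    """IIS stamps W3C Extended entries in UTC; convert one entry to the
    server's local time for the given offset (e.g. -6 for UTC-06:00)."""
    stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).astimezone(
        timezone(timedelta(hours=utc_offset_hours)))


def filter_rows(rows, status=None, client_ip=None):
    """Narrow the search to a status code and/or a client IP (c-ip)."""
    return [r for r in rows
            if (status is None or r["sc-status"] == str(status))
            and (client_ip is None or r["c-ip"] == client_ip)]
```

Running `to_local(parse_iis_log(SAMPLE_LOG)[0], -6)` on the constructed log places the first entry of the new file at 18:00 local time on the previous day, which is the check described above.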
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com