Simple AFP Forensics using Access Logs

Mac OS X Server’s AFP server access logs aren’t the greatest (no full paths is a glaring omission), but if you have them enabled they can be useful, for example for finding out who deleted a file or folder.

If the item’s name starts with “Important File”, this command gives us the IP address of the client that deleted the item (grep matches substrings, so no trailing wildcard is needed):
file_server:~ root# grep -i "Delete Important File" /Library/Logs/AppleFileService/AppleFileServiceAccess.log
IP - - [08/Jul/2008:14:26:14 -0500] "Delete Important File 2009.xls" 0 0 0

Then we pass that IP address (shown as IP in the redacted output here) into this command to get the login name of the user:
file_server:~ root# grep <ip address> /Library/Logs/AppleFileService/AppleFileServiceAccess.log | grep Login
IP - - [08/Jul/2008:09:05:43 -0500] "Login mpickens" 0 0 0

Finally we can use dscl to look up the user’s full name:
file_server:~ root# dscl localhost read /Search/Users/mpickens RealName
RealName: Pickens, Mary Ellen

Older logs are kept in gzipped form. Use gunzip -c to read their contents without unpacking them:
file_server:~ root# gunzip -c '/Library/Logs/AppleFileService/AppleFileServiceAccess.log 12.11.07.gz' | grep Login | grep mpickens
IP - - [14/Dec/2007:19:12:38 -0500] "Login mpickens" 0 0 0
IP - - [14/Dec/2007:19:24:32 -0500] "Login mpickens" 0 0 0
IP - - [17/Dec/2007:09:21:38 -0500] "Login mpickens" 0 0 0
IP - - [17/Dec/2007:10:37:49 -0500] "Login mpickens" 0 0 0
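The three grep steps above work, but the second one matches every login from that address, so it helps to pin the deletion to the latest login from the same client that happened before the delete. The following script is an added example, not part of the original post: it parses lines in the AppleFileServiceAccess.log format shown above, finds Delete events whose item name starts with a given prefix, and attributes each one to the most recent preceding Login from the same address. The log lines, addresses (RFC 5737 documentation range) and user names are constructed for the example; a later login from the same address by a different user illustrates why the timestamp matters.

```python
"""Correlate AFP access-log 'Delete' events with the user who logged in
from the same client address.  Added example with constructed sample data."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# One AppleFileServiceAccess.log record: client IP, "- -", bracketed
# timestamp, quoted operation, then three numeric fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<op>[^"]*)" '
    r'(?P<f1>\d+) (?P<f2>\d+) (?P<f3>\d+)\s*$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: documentation addresses and made-up user names.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2008:09:05:43 -0500] "Login mpickens" 0 0 0',
    '192.0.2.11 - - [08/Jul/2008:09:30:01 -0500] "Login jdoe" 0 0 0',
    # A second user logs in from the same address later (shared machine or
    # DHCP lease reuse); the 14:26 deletion must go to this login, not the first.
    '192.0.2.10 - - [08/Jul/2008:12:00:00 -0500] "Login tsmith" 0 0 0',
    '192.0.2.10 - - [08/Jul/2008:14:26:14 -0500] "Delete Important File 2009.xls" 0 0 0',
    '192.0.2.11 - - [08/Jul/2008:15:00:00 -0500] "Delete Important File 2008.xls" 0 0 0',
    # No login from this address anywhere in the log (e.g. it was in a rotated file).
    '192.0.2.12 - - [08/Jul/2008:15:10:00 -0500] "Delete important file draft.doc" 0 0 0',
    'this line is not a valid record and is skipped',
]


def parse_line(line: str) -> Optional[Dict]:
    """Return {'ip', 'ts', 'op'} for a well-formed record, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "op": m.group("op")}


def parse_log(lines: Iterable[str]) -> List[Dict]:
    """Parse all lines, silently dropping malformed ones."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def find_deletions(events: List[Dict], name_prefix: str) -> List[Dict]:
    """Delete events whose item name starts with name_prefix (case-insensitive)."""
    prefix = ("Delete " + name_prefix).lower()
    return [e for e in events if e["op"].lower().startswith(prefix)]


def attribute_user(events: List[Dict], deletion: Dict) -> Optional[str]:
    """User from the latest 'Login <user>' on the same IP at or before the delete."""
    best = None
    for e in events:
        if e["ip"] != deletion["ip"] or not e["op"].startswith("Login "):
            continue
        if e["ts"] <= deletion["ts"] and (best is None or e["ts"] >= best["ts"]):
            best = e
    return best["op"][len("Login "):] if best else None


def investigate(lines: Iterable[str], name_prefix: str):
    """Return (ip, operation, attributed user or None) for each matching delete."""
    events = parse_log(lines)
    return [(d["ip"], d["op"], attribute_user(events, d))
            for d in find_deletions(events, name_prefix)]


if __name__ == "__main__":
    for ip, op, user in investigate(SAMPLE_LOG, "Important File"):
        print(f"{ip}  {op!r}  ->  {user or 'no prior login from this address'}")
```

To run it against a real log, feed `open('/Library/Logs/AppleFileService/AppleFileServiceAccess.log')` (or the lines from `gunzip -c` of a rotated file) to `investigate`, and feed the returned user name to the dscl lookup described below. A deletion with no preceding login from its address usually means the login is in an older, rotated log.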

get parent process from ps

While booted from NetRestore I couldn’t figure out what was launching it. I finally found the script that was launching it by using the ps option that shows the parent process.

Simple, but useful.

ps auxww -o ppid

It was rc.install.
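Reading one PPID column is often enough, but when the launching process is itself a child of something else it is handier to walk the whole chain. The script below is an added example, not from the original post: it generalises the single ps invocation above into a function that prints a process and every ancestor up to PID 1, using only POSIX ps options (-o with empty headers and -p), so it behaves the same on macOS and Linux. It falls back to /proc on Linux rescue images that lack ps; everything else it assumes is standard POSIX sh.

```sh
#!/bin/sh
# Added example: walk a process's ancestry using ps -o ppid=, printing
# "pid ppid command" for each generation until PID 1 (launchd/init).

# Print the parent PID of $1, or nothing if the process does not exist.
parent_of() {
    if command -v ps >/dev/null 2>&1; then
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    elif [ -r "/proc/$1/stat" ]; then
        # Linux fallback: after the parenthesised comm, field 2 is the ppid.
        sed 's/.*) //' "/proc/$1/stat" | awk '{print $2}'
    fi
}

# Print one line "pid ppid command" for process $1.
describe() {
    if command -v ps >/dev/null 2>&1; then
        ps -o pid=,ppid=,command= -p "$1" 2>/dev/null || true
    elif [ -r "/proc/$1/comm" ]; then
        printf '%s %s %s\n' "$1" "$(parent_of "$1")" "$(cat "/proc/$1/comm")"
    fi
}

# Print $1 and every ancestor, nearest first, stopping at PID 1 or PID 0.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        describe "$pid"
        [ "$pid" -eq 1 ] && break
        pid=$(parent_of "$pid")
    done
}

# Number of generations printed for $1 (1 for PID 1 itself).
depth() {
    ancestry "$1" | wc -l | tr -d ' '
}

# Default to the current shell so the script demonstrates itself when run.
ancestry "${1:-$$}"
```

Run it as `sh ancestry.sh <pid>` (hypothetical file name) while booted from the install or rescue environment; the last line printed is the top of the chain, and the line just above the process you are curious about is the script or daemon that launched it.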