Netgate Discussion Forum

    pfSense forensics

    • MrPeterson

      I am wondering:
      What logging is done by the pfSense device by default?
      Where it's kept (all locations)?
      When you delete the logs or any other data of the pfSense machine, is it securely deleted (overwritten), and if not, other than erasing the hard drive, is there any way to secure erase the logs?

      • Gertjan

        Hi,

        https://www.netgate.com/docs/pfsense/monitoring/log-settings.html

        @mrpeterson said in pfSense forensics:

        Where it's kept (all locations)?

        As any other Unix/Linux/FreeBSD OS! Look here: /var/log

        Most pfSense log files are circular files. They have a fixed size, like 500 Kbytes each, and oldest data is overwritten by new data.
        Read the manuals, and you will find out how to 'read' them. So you can see what's in them.

        Securely erase log file?? Most of us try to find out what users are doing on the net up until the last bit and pixel, and you want to erase it?? To not get logged: I advise you to power down the house, and stay away from what's called "Internet".
        More soft: the one that controls pfSense controls the data on the disks.
        You could even consider shutting down the logging, but take note: your ISP won't... neither will the men in black who are tapped into your ISP, and higher up.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • tim.mcmanus @Gertjan

          All kidding aside, he's posed a very good question. I'm not sure if you've ever been on the receiving end of a court-ordered discovery request, but they can and will image every hard drive and device you have to scrub it for any data they can use against you. This doesn't just apply to criminal cases, but also civil cases. I worry far more about civil cases than criminal ones because of the lower standard of proof and higher financial penalties involved.

          • MrPeterson @Gertjan

            Yeah, thanks for that info and yes. I am looking to secure erase them (overwrite them) for reasons that are honestly none of your business, I just want to.

            And poor English and condescending comments aside I will look into shutting down the logging, thanks for the help. I suggest condensing comments down to only helpful information.

            @tim-mcmanus said in pfSense forensics:

            All kidding aside, he's posed a very good question. I'm not sure if you've ever been on the receiving end of a court-ordered discovery request, but they can and will image every hard drive and device you have to scrub it for any data they can use against you. This doesn't just apply to criminal cases, but also civil cases. I worry far more about civil cases than criminal ones because of the lower standard of proof and higher financial penalties involved.

            Yeah, obviously while I won't say the reasons that I want to erase logs (suffice it to say they fall under "privacy and security") I would appreciate an easier solution in place of just erasing the disks (which looks like my simplest course of action).

            • heper

              status-->system logs-->settings:

              Local Logging: [ ] Disable writing log files to the local disk

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.