Saturday, March 24, 2018

Using VBoxManage to convert a dd image to a VMDK or VDI file

https://blog.sleeplessbeastie.eu/2012/04/29/virtualbox-convert-raw-image-to-vdi-and-otherwise/


Let's assume that we have a raw image of the sdb device:

$ sudo dd if=/dev/sdb of=./sdb.raw

To use it with VirtualBox we need to convert it to the VDI format:

$ VBoxManage convertdd sdb.raw sdb.vdi --format VDI

To use it with VMware we need to convert it to the VMDK format:

$ VBoxManage convertdd sdb.raw sdb.vmdk --format VMDK

Convert between the VDI and VMDK formats:

$ VBoxManage clonehd sdb.vdi sdb.vmdk --format VMDK
$ VBoxManage clonehd sdb.vmdk sdb.vdi --format VDI

Convert back to a RAW image:

$ VBoxManage clonehd sdb.vdi sdb.raw --format RAW

An alternative way to get the raw image back after applying modifications is the qemu-img command from the qemu package:

$ qemu-img convert -f vmdk sdb.vmdk -O raw sdb.raw

Now we can write the image back to the device:

$ sudo dd if=./sdb.raw of=/dev/sdb
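When the raw image is evidence, the conversion steps above should be wrapped in a hash check so that the round trip raw -> VDI/VMDK -> raw can be shown not to have changed a byte. The script below is an added example for this post, not code from the linked article or from VirtualBox. It assumes sha256sum (or shasum on systems without it) and VBoxManage are on PATH, and the image names are placeholders. It uses "convertfromraw", the current name of the "convertdd" subcommand used above; both take the same arguments.

```shell
#!/bin/sh
# Added example (not from the original post): hash the raw image before it
# is converted and again after it has been converted back, so a round trip
# through VDI or VMDK can be verified. Assumes sha256sum or shasum, and
# VBoxManage for the two conversion helpers; image names are placeholders.

# Print the SHA-256 digest of a file (hex only, without the file name).
hash_image() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# Write a sidecar "<image>.sha256" next to the image so the digest travels
# with it.
record_hash() {
    hash_image "$1" > "$1.sha256"
}

# Return 0 if the restored raw image matches the digest recorded for the
# original, 1 otherwise. Compare the raw files, never the VDI or VMDK
# containers: those are sparse container formats and do not hash the same.
verify_restore() {
    orig="$1"
    restored="$2"
    expected=$(cat "$orig.sha256")
    actual=$(hash_image "$restored")
    [ "$expected" = "$actual" ]
}

# Convert a raw image to VDI or VMDK ("convertfromraw" is the current name
# of the "convertdd" subcommand used in the post).
raw_to_vm() {
    VBoxManage convertfromraw "$1" "$2" --format "$3"
}

# Convert a VDI or VMDK back to a raw image.
vm_to_raw() {
    VBoxManage clonehd "$1" "$2" --format RAW
}

# Usage, once VBoxManage is installed:
#   record_hash sdb.raw
#   raw_to_vm sdb.raw sdb.vdi VDI
#   vm_to_raw sdb.vdi sdb.restored.raw
#   verify_restore sdb.raw sdb.restored.raw && echo "round trip intact"
```

Only the raw files are compared: the VDI/VMDK produced in between is a different container and will differ in size and content from the raw image even when the disk it describes is identical.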

Thursday, March 15, 2018

Digital Forensics on a Linux Machine

https://staff.washington.edu/dittrich/misc/forensics/




https://securitycommunity.tcs.com/infosecsoapbox/articles/2015/11/17/forensic-artifacts-linux-machine


http://www.linuxleo.com/Docs/linuxintro-LEFE-4.31.pdf



https://help.ubuntu.com/community/LinuxLogFiles



http://linux.vbird.org/linux_basic/0570syslog/0570syslog.php

==========================================
audit
http://yishidian.net/如何使用linux審核系統在centos-7

https://serverfault.com/questions/327846/convert-selinux-log-date-format-from-epoch-to-normal



==========================================
system log
https://www.cyut.edu.tw/~ywfan/netlab/20060912chapter11-log.htm
http://linux.vbird.org/linux_basic/0570syslog.php

====================================================
nginx log

https://stackoverflow.com/questions/26780466/nginx-understanding-access-log-column


# nginx.conf
http {
  ...
  log_format combined '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
}

Example access log lines in this format:

66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/53f8d72920ba2744fe873ebc.html HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.3 - - [06/Nov/2014:19:11:24 +0600] "GET /?q=%E0%A6%AB%E0%A6%BE%E0%A7%9F%E0%A6%BE%E0%A6%B0 HTTP/1.1" 200 4223 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.62 - - [06/Nov/2014:19:12:14 +0600] "GET /?q=%E0%A6%A6%E0%A7%8B%E0%A7%9F%E0%A6%BE HTTP/1.1" 200 4356 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
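The request and user agent fields in this format both contain spaces, so counting whitespace-separated columns (status as $9, say) breaks as soon as a request line has one space more than "GET /path HTTP/1.1". Splitting on the double quote instead is robust. The script below is an added example, not code from the original post or from the linked Stack Overflow answer; the log lines written by sample_log are constructed for it, and the third one deliberately has a space in its path.

```shell
#!/bin/sh
# Added example (not from the original post or the linked answer): pull the
# status code, client and request line out of combined-format nginx access
# logs with awk. The sample lines below are constructed for this example.
#
# Fields are split on the double quote, not on whitespace: with -F'"' the
# second field is the request line and the third is ' <status> <bytes> ',
# regardless of how many spaces the request or user agent contains.

# Write the constructed sample log to the given path.
sample_log() {
    cat > "$1" <<'EOF'
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/53f8d72920ba2744fe873ebc.html HTTP/1.1" 404 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.3 - - [06/Nov/2014:19:11:24 +0600] "GET /?q=%E0%A6%AB HTTP/1.1" 200 4223 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [06/Nov/2014:19:12:14 +0600] "GET /missing one.html HTTP/1.1" 404 177 "-" "curl/7.58.0"
192.0.2.10 - - [06/Nov/2014:19:12:20 +0600] "GET /also-missing.html HTTP/1.1" 404 177 "-" "curl/7.58.0"
EOF
}

# Lines per HTTP status code as "<status> <count>", sorted by code.
status_summary() {
    awk -F'"' '{ split($3, f, " "); n[f[1]]++ }
               END { for (s in n) print s, n[s] }' "$1" | sort
}

# Clients that received a given status as "<count> <ip>", most frequent
# first. The first quote-delimited field starts with the client address.
clients_with_status() {
    awk -F'"' -v want="$2" '
        { split($3, f, " "); if (f[1] == want) { split($1, a, " "); print a[1] } }
    ' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Only the request line ("GET /path HTTP/1.1") of every entry: the field to
# read when looking for unexpected paths or query strings.
requests() {
    awk -F'"' '{ print $2 }' "$1"
}

# Run on the file given as the first argument, or on the constructed sample.
if [ $# -gt 0 ]; then
    LOG=$1
else
    LOG=$(mktemp)
    sample_log "$LOG"
fi
status_summary "$LOG"
clients_with_status "$LOG" 404
```

Run it as "sh nginx_fields.sh /var/log/nginx/access.log" to get the per-status counts and the clients that hit 404s; on the built-in sample the third line is counted correctly even though its request line has four words.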




=================== maillog reading method =================
https://sendgrid.com/blog/delivered-bounced-blocked-and-deferred-emails-what-does-it-all-mean/




=====================understanding and reading mail logs ============
http://linuxmaza.blogspot.tw/2010/02/understanding-and-reading-mail-logs.html




==================bash introduction ==========================

https://beginlinux.wordpress.com/tag/bash_logout/



===================== Browser history on a Linux machine ==== Chrome and Firefox

https://askubuntu.com/questions/631631/getting-internet-browsing-history-from-shell