:: Re: [DNG] ..forensics on systemd or…
Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Arnt Karlsen
Fecha:  
A: dng
Asunto: Re: [DNG] ..forensics on systemd or journald logs
On Wed, 22 Nov 2017 12:58:10 +0000, Arnt wrote in message
<6ff3d9c1-e23c-4b0e-af51-5f8db14251f4@???>:

> Arnt Karlsen writes:
> > you appear to suggest that law enforcement wanting to read systemd
> > journal logs, _should_ depend on the mercy of systemd developers
> > not "filtering" away inconvenient evidence of e.g. systemd developer
> > wrongdoing from said law enforcement.
>
> That's routine. Few readers read everything that can be read. For
> example, look at postgres. Its binary file format reveals quite a bit
> more than you can get using psql, and by design: The writer and
> binary format are intended for storing things quickly and reliably,
> and the reader for reading what was stored. Anything that's in the
> file but wasn't stored by instruction of an SQL user is uninteresting
> to psql, and the file format writer has no particular reason to avoid
> storing other information.
>
> If you really want to look at the details in postgres, you can take a
> good guess at whether two rows were inserted at the same time or one
> later than the other.
>
> That's why forensics people use the files. Systemd is about the
> millionth system to join the club. Flame postgres and vast numbers of
> others before you flame systemd. Or better yet, limit your statements
> about systemd to what's correct.
>
> Arnt



..it is very nice to learn I can read e.g. postgresql database files
while boycotting e.g. postgresql, using strings and all sorts of fancy
tricks to e.g. verify some postgresql developer's statement on systemd
people playing nice or not.

..it would also be very nice to learn of a way to decode and read binary
systemd journal logs without having to run systemd or without having
to hire expensive expert witnesses to decode and read my own binary
systemd journal logs from my final days on Debian Jessie.

..one very nice way of learning of a way to decode and read binary
systemd journal logs without having to run systemd, is listening
to wise answers from those who knows the correct truth about how
to decode and read our own binary systemd journal log files. ;o)

..so, how about answering my question?
Preferably correctly, if at all possible.
If not, pointers to hearsay is useful to help try discover
the (ugly?) truth.
All I've seen this far, is confusion, deflection, trolling
and diversion away from the context and my question.


..to reiterate: Is there a way to decode and read those binary
systemd journal logs on classic POSIX/Unix etc forensic systems
_not_ running systemd?


..e.g. using my namesake's example postgresql to translate the binary
files into some human-readable format?

..the "strings" approach suggested by John Hughes requires an intimate
knowledge of systemd and might be relevant if the investigations were
on "systemd sabotaging Devuan playing _new_ zero-day dirty tricks."

..so, the systemd crowd should have an interest in e.g. exposing
"Devuan incompetence and paranoia" by coming up with an easy way
to decode and read binary systemd journal logs without having to
run systemd, to prove their case on "Devuan incompetence and
paranoia on systemd", rather than confirm my current belief.



--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.