Comments on: Squid Forensics

By: bezt

bezt — Thu, 11 Feb 2010 08:50:31 +0000

Yeah… you right, that my stupid quetion
Thx a lot

By: sherri

sherri — Thu, 11 Feb 2010 08:29:01 +0000

Oh, gotcha. The URL from access.log is also listed inside the cache file itself. That allows you to match them up. If you open that squid cache file (0000036A), you will see that it contains the original URL (in this case, http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg).

Just use grep to recursively search for all or part of the original URL to find the squid cache file. For example:

$ grep -r “1161451564593.jpg” /var/spool/squid/

Make sense?

By: bezt

bezt — Thu, 11 Feb 2010 07:50:53 +0000

No… i mean, the access.log not giving information about what the file an http://finickypenguin.files.wordpress.com/2007/10/1161451564593.jpg that rename it to 0000036A, can you tell me?
(sory for my bad english)

By: sherri

sherri — Thu, 11 Feb 2010 07:12:48 +0000

Also, if you’re looking for a particular filename, you can use the ‘find’ command. ie:

$ find . -name “foo”

Will recursively look for files named “foo” in the current directory tree.

By: sherri

sherri — Thu, 11 Feb 2010 07:06:12 +0000

$ grep -r foo *

Will look for the word “foo” recursively in every directory/file, and will output the matching file with the relative path.

By: bezt

bezt — Thu, 11 Feb 2010 06:55:52 +0000

Hey… how could you know 0000036A saved in /00/03 directory? No information abaout it

By: sherri

sherri — Tue, 28 Apr 2009 04:27:56 +0000

Thanks Alan! I’ll check that out.

By: Alan J. Wylie

Alan J. Wylie — Mon, 27 Apr 2009 19:20:16 +0000

> What I didn’t find was public information or tools for reconstructing
> pages from the web cache

The “purge” tool listed on the squid-cache.org related software page
allows this – use “purge -e .” to list the contents of the cache, then
“purge -C -e ” to extract selected files