HOW-TO: Do basic log analysis to find the RCMP, CBSA, etc

I want to make it clear that everything I post here is found either from my server, my ATIP requests, or from my logs. I don’t have any magic powers, or any special tools or any l33t hax0r knowledge that I use to get this information. It’s going to be pretty frightening when I mention how I find out information, and what my methods are, since they are REALLY basic.

First, we’re going to cover logs. Now, I host my stuff on a server, and my logs are gzipped daily. So, the first thing I do when I want to pull the logs for analysis is copy the files from my server directory and into my home, so that I have all the gzipped logs. I then decompress them, and then run these commands:

grep 199.212 paroxysms.access.log* </code>

That’s it! It’s not very hard, and this will work on almost any shared shell account. If you’re using Dreamhost, you probably are only saving 3 days of your logs. You should change this on your panel so that you save 30 days of your logs. If you’re on a free service like, you’re probably shit out of luck, since these services don’t have this feature, since you’re not using your own server.

Now, you can do other things like tail a document to see who’s visiting it at a particular moment. I sometimes like to do this out of boredom.

tail -f /var/log//yourlog.access.log </code>

Now, some groups don’t keep a log of the IP addresses that visit their sites so that they can protect their users from being investigated if they get their server seized. However, in reality, I know of only a few cases where this actually happens.

Of course, finding out who visited your blog this way is one of the oldest tricks in the book, and is ridiculously easy. This is why Onion Routing was invented, and why I’m certain that groups like the FBI use Tor to do Open Source Intelligence Gathering. That’s why I pick on the RCMP, CBSA and others, because due to their outdated systems, we can still uses these ancient methods to determine who they are and what they did on the blog (and that they run IE6)

The next post will be about how to fill out an Access to Information Act request. It is also going to be ridiculously easy!