
Proxy Servers: Proxy servers would keep a copy of, or cache of, that content
as well. Then, if another client were to request the same page soon
thereafter, the proxy would simply provide the cached content without
re-requesting the same web page over the T-1.

Prevent bad things

Log Data: Access list for all HTTP(s) traffic
Cache Data: Copies of transacted objects for all HTTP(s) traffic

Proxy Logs: Typical proxy logs not only include elements like the time,
requester's IP address, and URL, but also the result status of the request,
and sometimes the username that made it.
Blue Coat Proxy: an appliance used widely in corporate enterprise
networks. It includes the built-in ability to perform SSL proxying.
Reverse Proxy: In this model, proxy servers generally broker requests from
a large number of client systems to a smaller number of servers. Often, a
reverse proxy will provide load-balancing, compression, and other
performance-enhancing functionality.
Squid Proxy Server: It's free, relatively easy to deploy, but flexible
enough for complex deployments.
Three main forensically relevant elements

Configuration file: /etc/squid/squid.conf -- the configuration file will
prove invaluable in determining the location and meaning of other
sources of evidence. The default conf file is generally kept in
/etc/squid/squid.conf.default

Log files: /var/log/squid/* -- log files provide what is essentially an
access roster for all client requests that the proxy handled.

Cache Data: /var/spool/squid -- the proxy's cache holds the responses
returned by web servers to client requests.

Squid listens on port 3128 (http_port 3128 in the config file)


Access Control: In Squid, access control lists can be created to produce
fine-grained behaviour based on traffic characteristics. Below are some
criteria on which an ACL can be built:

IP based ACL
User Authentication
User-Agent
Day and Time
RegEx matching on the requested URL

refresh_pattern option: This option controls how Squid determines whether the
objects in its cache are "FRESH" or "STALE". If an object in the cache is
deemed "STALE", the proxy server will attempt to retrieve a newer version
from the appropriate server, then re-cache the newly updated file.
Cache content lifetime - the server providing the content also sets
parameters for how long the content should be cached. If these parameters
are not present, Squid reverts to its configured defaults.
Format of configuration:
#               regex   min    pct   max
refresh_pattern ^ftp:   1440   20%   10080

RegEx: RegEx matched against the request URL
Min: Minimum time (minutes) the object is considered "FRESH"
Pct: Percentage of the object's age at cache time for which it will still be
considered "FRESH"
Max: Maximum time (minutes) the object is considered "FRESH"
                 |"Fresh": Serve from Cache      |"Stale": Verify state from server
-----------------+-------------------------------+--------------------------------->
|<----2.5hrs---->|<-----------30 min------------>|
Last-Modified    Date/Time                       Cache Expiration
[server]         Cached

http://www.squid-cache.org/Doc/config/refresh_pattern/

Basically a cached object is:

FRESH if expires < now, else STALE
STALE if age > max
FRESH if lm-factor < percent, else STALE
FRESH if age < min
else STALE
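To make the refresh_pattern rules and the timeline above concrete, here is an added worked example (not from the original notes or from the Squid project) that parses the page's `refresh_pattern ^ftp: 1440 20% 10080` line plus Squid's usual catch-all default, evaluates the five rules in the order listed above (so the min rule is only reached for objects with no Last-Modified), and reads the first rule as "fresh while the Expires time is still ahead of now". The URLs and timestamps are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class RefreshPattern:
    regex: str    # matched against the request URL
    min_s: int    # "min": minutes in squid.conf, kept as seconds here
    pct: float    # "pct": 20% in squid.conf becomes 0.20
    max_s: int    # "max": minutes in squid.conf, kept as seconds here

def parse_refresh_pattern(line):
    """Parse one 'refresh_pattern <regex> <min> <pct>% <max>' config line."""
    _, regex, mn, pct, mx = line.split()[:5]
    return RefreshPattern(regex, int(mn) * 60, int(pct.rstrip("%")) / 100.0, int(mx) * 60)

def freshness(url, now, cached_at, patterns, last_modified=None, expires=None):
    """Apply the five rules in the order the notes list them; times are UNIX seconds.
    Returns (state, rule) so the analyst can see which rule decided."""
    pat = next(p for p in patterns if re.search(p.regex, url))  # first matching pattern wins
    age = now - cached_at                                         # time since the object was cached
    if expires is not None:                                       # rule 1: explicit Expires header
        return ("FRESH", "expires") if expires > now else ("STALE", "expires")
    if age > pat.max_s:                                           # rule 2: never fresh past max
        return ("STALE", "max")
    if last_modified is not None and cached_at > last_modified:   # rule 3: lm-factor
        lm_factor = age / (cached_at - last_modified)             # age as a fraction of (cached - last-modified)
        return ("FRESH", "lm-factor") if lm_factor < pat.pct else ("STALE", "lm-factor")
    if age < pat.min_s:                                           # rule 4: only reached without Last-Modified
        return ("FRESH", "min")
    return ("STALE", "default")                                   # rule 5

# Constructed config: the page's ftp pattern plus the catch-all default from a stock squid.conf.
PATTERNS = [parse_refresh_pattern("refresh_pattern ^ftp: 1440 20% 10080"),
            parse_refresh_pattern("refresh_pattern . 0 20% 4320")]

def timeline_demo():
    """Reproduce the timeline: cached 2.5 h after Last-Modified, 20% of that is 30 min of freshness."""
    cached_at = 1_000_000                               # constructed cache timestamp
    last_modified = cached_at - int(2.5 * 3600)         # server's Last-Modified, 2.5 h earlier
    url = "http://www.example.com/index.html"           # constructed, matches the "." pattern
    return [freshness(url, cached_at + t, cached_at, PATTERNS, last_modified)[0]
            for t in (0, 29 * 60, 31 * 60)]             # -> ['FRESH', 'FRESH', 'STALE']
```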
Squid Logs: access.log
Default fields:

UNIX Time Stamp (sec.ms)
Response time (ms)
Requestor IP/name
Cache status & HTTP status code
Reply size (bytes)
Request method (GET/POST/etc)
URL requested*
User name (if applicable)
Squid hierarchy status & server IP/peer name
MIME type

ex: 1339038269.433|531|192.168.75.19|TCP_MISS/200|17746|GET|http://www.nu.nl|-|DIRECT/62.69.184.21|text/html

*Query strings are not logged by default. To enable this feature, add the following to
/etc/squid/squid.conf:
strip_query_terms off
