Â© SANS Institute 2000 - 200 5, Author retains full rights. - matus

More documents

Recommendations

Info

Forensic Analysis of a Compromised Intranet ServerThe forensic analyst run that tool, on the compromised server with the command:Dos Prompt > D:\wft –dst \\tos20005\wft\The WFT started his execution on December, 13 th at 17:53:13: itproduced the wft log file 4 which is available in the documentappendix.The index page of the html report follows:Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Figure 4 - Index page of WFTA thorough read at the WFT report pages confirms the previoussuspects: the system event viewer logged many files which wereinfected by the W32/Lovgate_g@M worm; a look at the registrysearch history gave more clues: presence of virus dropped filenames in the Software\Microsoft\Internet Explorer\Explorer Bars -FilesNamedMRU section.Another suspicious system trait is the fact that currently thefile server has the network TCP ports 25 and 80 open to anyexternal connections (from the WFT netstat report). As gatheredduring the interviews with users and sysadmins, the system solepurpose Key fingerprint was to = AF19 serve FA27 files, 2F94 998D not FDB5 to DE3D send F8B5 emails 06E4 A169 or 4E46 publishingwebpages.© SANS Institute 2000 - 200 5, Author retains full rights.4 wft.logRoberto Obialero© SANS Institute 2000 - 2005 Author retains 14 full rights.
Forensic Analysis of a Compromised Intranet Server2.3Evidence collection phaseKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46The process collecting evidence from a machine running theWindows OS is depicted in the following flow-chart:© SANS Institute 2000 - 200 5, Author retains full rights.Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Roberto Obialero© SANS Institute 2000 - 2005 Author retains 15 full rights.
Page 1 and 2: Forensic Analysis of a Compromised
Page 13: Forensic Analysis of a Compromised
Page 37 and 38: 5Lesson learnedNowadays the system

Â© SANS Institute 2000 - 200 5, Author retains full rights. - matus

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?