Â© SANS Institute 2000 - 200 5, Author retains full rights. - matus

More documents

Recommendations

Info

Forensic Analysis of a Compromised Intranet ServerThe Sleuth Kit commands run in this task were:fls –r –m -> list both the allocated and the deleted files, recurse on directories(-r), display the output in timeline import format (-m)ils –m -> list inodes information in mactime mode (-m)The second part of the timeline creation sorts the information indate ascending order: it is also possible to select a starting andending date and other parameters to better refine the analysistask. Into the timeline analysis phase, it is a good idea tocorrelate such data with the “uptime historical” output suppliedby the WFT tool.An extract of the timeline file is depicted in the followingpicture:Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Figure 7 - Timeline format file© SANS Institute 2000 - 200 5, Author retains full rights.The timeline lists information in the following format, from theleftmost column to the right direction: File size (Bytes); lastmac actionKey fingerprint(m=saved,= AF19 FA27a=read,executed,2F94 998D FDB5 DE3Dc=created,inodeF8B5 06E4 A169 4E46allocated);file permissions, GID, UID, inode number, file or inodespecification.While examining the timeline, the forensic analyst had theconfirmation the system had been infected by the W32/Lovgate.g@MRoberto Obialero© SANS Institute 2000 - 2005 Author retains 22 full rights.
Forensic Analysis of a Compromised Intranet Serverworm. The evidences were many file entries named as follows:• MSN Password Hacker & Stealer• Winrar + crack.exe• The world of lovers.txt.exe• Sex for your life• Panda Titanium• Age of Empires• Are you looking for love.doc.exe• Mafia Trainer!!!.exe• MoviezChannelsIsInstaller.exe• Star Wars II Movie Full Downloader.exe• How To Hack Websites.exe• Key CloneCD fingerprint +Crack.exe = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46• Autoexec.bat• 100 Free Essays Schools.pifThe larger number of these files was found on the system sharedlogical drives as confirmation of the spreading method stated bythe antivirus software researchers.A common trait of such files is they were written/executed andthen immediately deleted; recording the inode number that appearsin the timeline makes it possible to further analyse the contentof the file.The first evidence of the infected file dates back on May, 23rd2003 on partition C, then the virus spreading activity was veryheavy, until the end of 2003; on December, 10 th 2003 (as reportedfrom WFT) a new antivirus software installation was performed(McAfee instead of Norton). Starting from this date the number ofinfected files started to decrease, but some worm activity wasstill observed; such events last about one day, then the infectionhushed and offered a period of quietness.A summary timeline table 9 follows in the next page:© SANS Institute 2000 - 200 5, Author retains full rights.Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46Date Time Event14/05/2002 15:16:35 OS installation9The whole timeline file is available separatelyRoberto Obialero© SANS Institute 2000 - 2005 Author retains 23 full rights.
Page 1 and 2: Forensic Analysis of a Compromised
Page 21: Forensic Analysis of a Compromised
Page 37 and 38: 5Lesson learnedNowadays the system

Â© SANS Institute 2000 - 200 5, Author retains full rights. - matus

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?