Forensics on Live Servers


Re: Forensics on Live Servers

Post Posted: Tue Feb 12, 2013 3:34 am

OK so, they've created a "test" admin user to be used only by the technical support team, and once specific tasks are completed the user has to be disabled in Active Directory.

However, the "test" admin user instantly gets unlocked and tries to communicate with other local IPs in the network (some fail and some succeed).

In addition to that, after checking the event logs they found many users trying to connect to accounts that don't belong to them and using computers that don't belong to them.

So yes, a lot of weird and dodgy activity is happening in the AD.

CopyRight
Senior Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Tue Feb 12, 2013 3:47 am

Thanks for the info.

When you say "trying to communicate with other local IPs", what do you mean?

Is the test account trying to mount hidden network shares (\\server1\C$)?

On a side note, it's an interesting security design with having one "test" account, used by multiple people, for running "admin" level tasks. Certainly makes accountability a bit harder!  

alastairfay
Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Tue Feb 12, 2013 10:20 pm

They created the "test" account after noticing that there was a lot of peculiar behaviour happening in the AD, so the test account was to see if the "malware"/"attacker" would also have access to the newly made test account, and it did!

It seems that someone has intensive access to the AD and can make changes to it whenever he/she wants. They've also noticed that employees log into their PCs at 4 in the morning; someone has access to everything!

So what do you reckon would be the most valuable starting point? Specific logs from the AD? At least an indication of who could be doing this?

Thanks  

CopyRight
Senior Member
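The three questions in this thread (who keeps re-enabling the shared "test" account, which accounts are authenticating at 4 in the morning, and whether the account is mounting hidden admin shares such as \\server1\C$) can all be answered from the Windows Security log, and most of it from the domain controllers alone. The PowerShell below is an added example for this page, not code posted by anyone in the thread. It assumes a domain controller named DC01, that the account is literally named "test", and member servers FS01 and APP01; all three names are placeholders to replace. It also assumes the investigator can read the Security log remotely (Event Log Readers or local admin on each host).

```powershell
<#
  Added example, not from the thread: triage the AD symptoms described above
  from the Security log. Assumed names: DC01 (domain controller), "test" (shared
  admin account), FS01/APP01 (member servers whose C$ may have been mounted).
#>
param(
    [string]   $DomainController = 'DC01',              # assumed placeholder
    [string]   $Account          = 'test',              # shared admin account from the thread
    [string[]] $MemberServers    = @('FS01', 'APP01'),  # assumed placeholders
    [int]      $Days             = 30
)

$since = (Get-Date).AddDays(-$Days)

# Flatten a Security event's <EventData> into a name -> value hashtable so the
# fields (SubjectUserName, TargetUserName, IpAddress, ...) can be read by name.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 1. Who keeps re-enabling the account? 4725 = account disabled, 4722 = account enabled.
#    SubjectUserName is the actor, TargetUserName the account acted on. If the actor is
#    a real admin account, that credential is the one to treat as compromised.
function Get-EnableDisableHistory {
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4722, 4725; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.TargetUserName -ne $Account) { return }   # skip other accounts
        $action = if ($_.Id -eq 4722) { 'ENABLED' } else { 'disabled' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Action   = $action
            Actor    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            RecordId = $_.RecordId
        }
    }
}

# 2. "Employees logging in at 4 in the morning": every domain logon starts with a
#    Kerberos TGT request (4768) on a DC, so one query covers all workstations without
#    visiting them. Computer accounts (ending in $) and failures (Status != 0x0) are skipped.
function Get-OddHourLogons {
    param([int] $StartHour = 0, [int] $EndHour = 5)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated.Hour -ge $StartHour -and $_.TimeCreated.Hour -le $EndHour } |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.TargetUserName -like '*$' -or $d.Status -ne '0x0') { return }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d.TargetUserName
            FromIp = ($d.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped prefix
        }
    }
}

# 3. "Tries to communicate with other local IPs": mounting \\host\C$ or \\host\ADMIN$
#    is logged as 5140 on the *target* server, with the caller's account and source IP.
#    Requires the "Audit File Share" subcategory to be enabled there; otherwise this is empty.
function Get-AdminShareAccess {
    foreach ($srv in $MemberServers) {
        Get-WinEvent -ComputerName $srv -FilterHashtable @{
            LogName = 'Security'; Id = 5140; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d.ShareName -notlike '*$') { return }   # only hidden/admin shares
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Server = $srv
                Share  = $d.ShareName
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                FromIp = $d.IpAddress
            }
        }
    }
}

"== Enable/disable history for $Account =="
Get-EnableDisableHistory | Sort-Object Time | Format-Table -AutoSize

"== Successful Kerberos logons between 00:00 and 05:59, by user and source IP =="
Get-OddHourLogons | Group-Object User, FromIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Hidden/admin share access on member servers =="
Get-AdminShareAccess | Sort-Object Time | Format-Table -AutoSize
```

Two caveats before running it on a live DC. The Security log on a busy domain controller can roll over in days, so export it first (for example `wevtutil epl Security C:\case\dc01-security.evtx` on the DC) and work from the copy, which also preserves the evidence. And if the 4722 actor turns out to be a machine or service account rather than a person, the re-enable is being done by a scheduled task, script or GPO running under that identity, which is the next thing to pull.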
 
 
  

Re: Forensics on Live Servers

Post Posted: Wed Feb 13, 2013 3:19 am

Any CCTV covering the employees PC(s) to see if someone is physically present (at the time the logs say they are logging on?)  

alastairfay
Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Fri Feb 15, 2013 10:12 pm

Yes. However, they've seen some weird things while reviewing the recorded CCTV footage, like someone accessing the building at 4 in the morning, which is not usual at all, but the person flashes the camera with a light so they're not visible.

Yeah, so some Mission Impossible shit!

They'd like to know who it is, before rebuilding the security.  

CopyRight
Senior Member
 
 