Scenario based Comp...
 
Notifications
Clear all

Scenario based Computer Forensics/Network Forensics

6 Posts
4 Users
0 Likes
511 Views
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

Hi
I am investigating one of the machines which is based at one of the branches of an organization. The branch closes at 6pm. However at the web server logs and firewall logs, traffic has been observed from this machine at 9 in the night when nobody is supposed to be present in the organization. It means machine was being accessed remotely. Only such software installed on the PC is Team Viewer but i havent found anything in its logs.
Imaging of the system was done after 2 days of the crime and the computer was in non-live state. What do you think that can take me closer to the conclusion ? Which registry entries or other logs ?

Replies will be appreciated. You can also DM me at harsh_behl@live.com

 
Posted : 09/03/2015 12:51 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Carve the disk image for strings
1) "[TAB]RemoteControl[TAB]" i.e. "09 52 65 6D 6F 74 65 43 6F 6E 74 72 6F 6C 09"
2) "PunchReceived, a=" i.e. "50 75 6E 63 68 52 65 63 65 69 76 65 64 2C 20 61
3D "
(without quotes)
Have the carving tool output some 80 bytes before and 80 bytes after the found string.

jaclaz

 
Posted : 09/03/2015 5:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am investigating one of the machines which is based at one of the branches of an organization. The branch closes at 6pm. However at the web server logs and firewall logs, traffic has been observed from this machine at 9 in the night when nobody is supposed to be present in the organization. It means machine was being accessed remotely.

Does it?

What is the nature of the traffic originating from the system? Is it possible that the system was just locked (instead of being turned off) and the user left a browser open, and ads were updated?

Imaging of the system was done after 2 days of the crime and the computer was in non-live state.

What crime?

What do you think that can take me closer to the conclusion ? Which registry entries or other logs ?

Conclusion of what?

If no one as at the facility at 9pm, then I wouldn't think that there would be keystroke data being sent off of the system, but it's worth looking into. However, I'd think that the priority would be to first determine what it is you're looking _for_…

 
Posted : 09/03/2015 6:38 pm
(@athulin)
Posts: 1156
Noble Member
 

… traffic has been observed from this machine at 9 in the night when nobody is supposed to be present in the organization. It means machine was being accessed remotely.

Does it? is the observed traffic of remote-access type? If not, it could be just about anything that runs on the system, as well.

Don't ignore the possibility of misconfiguration – if the computer thinks the target computer has some kind of peer relationship with it, it will send a lot of traffic to it. However, in that case, you're likely to find information and perhaps even error messages in the system and application logs. And if some other computer has been misconfigured to have the same IP address as the suspect system … you may be looking in the wrong place. In that case, you may have error reports from your network infrastructure.

If the traffic observed is response traffic, it may be something else going on.

What do you think that can take me closer to the conclusion ? Which registry entries or other logs ?

That rather depends on what conclusion you want to reach.

I think it's better to find out what actually happens on the system who was logged in, what software was running, if there are any known vulnerabilities (missing patches, outdated software), if any foreign devices have been connected, etc. Also what relationships exist between that computer and the target computer can you find it's IP address or network address anywhere?

And if this is a corporate environment, have there been any support tickets for the suspected computer? (Overconfident support specialists can be a major cause of internal incidents … as can ill-advised software updates.)

Document your hypotheses about what is going on. All of them – if you can't find at least five, ask someone to help you. Then identify what additional measures that can/may be taken to confirm or disprove those hypotheses. Then do it.

It's sometime useful to let a suspect computer be, and just add observation platforms around it intrusion detection system, network sniffers, add DNS logging, proxy logging, etc, etc. This way you can get a better idea of what is going on. That is not a decision you should take on your own, though.

 
Posted : 09/03/2015 8:09 pm
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

I thank you all for sharing your such important thoughts. However for my initial part of investigation i have found out that windows powershell was being used to get the remote access. Some scripts were also being executed using the same. Now i just want to investigate the logs and other entries that can help me proving the crime in the court. Once i am able to solve this i will share the case study here at this forum.
However help will be appreciated to investigate powershell activities. The scripts were executed on 23rd december 2014 and the crime had taken place on 16th feb 2015.

 
Posted : 09/03/2015 10:48 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I thank you all for sharing your such important thoughts. However for my initial part of investigation i have found out that windows powershell was being used to get the remote access. Some scripts were also being executed using the same.

How did you determine this? From where was the system being accessed?

Now i just want to investigate the logs and other entries that can help me proving the crime in the court. Once i am able to solve this i will share the case study here at this forum.

However help will be appreciated to investigate powershell activities. The scripts were executed on 23rd december 2014 and the crime had taken place on 16th feb 2015.

This seems to contradict what you stated above. What is the "crime" that took place? Why is it that above you stated that Powershell was used to access the system remotely and "some scripts" were being executed, but here you stated that scripts were executed almost 2 full months _before_ the "crime" took place.

Could you clarify this?

 
Posted : 10/03/2015 1:28 am
Share: