Forensics on Live Servers

CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Okay, so let's say you've been asked to apply forensics on a working server.

How do you take an image? (Software - Hardware)?
And how do you perform the analysis?
How do you extract logs?
Considering points?

Without manipulating the server's performance.

 
Posted : 11/02/2013 11:01 am
(@alastairfay)
Posts: 36
Eminent Member
 

What type of server is it?

What platform? Single physical, virtual or part of a cluster?

Where is the target data? Locally stored, or via a network share?

What do you hope to gain from analysis (i.e. why are you looking at that server?) ?

 
Posted : 11/02/2013 2:19 pm
(@chrism)
Posts: 97
Trusted Member
 

FTK Imager Lite is a great tool for imaging a physical server live. It runs on most, if not all, flavours of Windows.

I have had a couple of clients in the past that monitored the disk I/O, network traffic etc. on the physical server I was imaging and it did not adversely affect the performance (this was on an Exchange server). They were so paranoid that I almost had to have my finger on the "cancel" button for the whole duration of the copying!

It is also the most convenient way of imaging if the server is set up with a RAID array.

If you only require the server logs, then you can also use FTK Imager Lite to conduct selective imaging for certain files and/or folders. I've used this in the past to only extract IIS logs, or Event Logs etc.

A point worth considering is: be very careful of everything you do. Take notes and photograph/screenshot everything you do.

…and if it is a virtual server. Well then just suspend/clone it and off you go!

 
Posted : 11/02/2013 2:35 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

F-Response.

I use the field kit edition, which is surprisingly cheap.

You run a little program on the server then connect to that computer using your own computer with the standard iSCSI Initiator. This gives you read-only low level access to any storage connected to that server.

I then use EnCase to image the server - usually a logical image of a target folder, but a full physical image is possible.

How much this impacts the performance of the server is entirely dependent on what you try to pull down over the network. If you take a full physical image of a drive, expect that to degrade performance. If you take smaller pieces, then performance will be less affected.

It's impossible to give the server additional work to do without affecting performance at all. The question really is how much spare capacity the computer has; plan to not exceed that capacity with your work. You could even connect through a 100 Mbit switch instead of 1 Gbps. That would severely limit your impact on the server (and make your acquisition time much longer).

http://www.f-response.com/index.php?option=com_content&view=article&id=165&Itemid=83

 
Posted : 11/02/2013 9:22 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Okay, so let's say you've been asked to apply forensics on a working server.

How do you take an image? (Software - Hardware)?

Depends on a lot of things.

First, I'll assume that by "working", you mean that it has to be imaged live; that is, without shutting it off and extracting the physical hard drives.

Given this, there are a lot of things to take into consideration:
- how old is the system?
- what OS and version is it running?
- what type of connections does it have?
- what type of access do you have to the system?

In most cases, when I was on the ISS ERS team, we would put FTK Imager Lite on a CD or on an ext HDD, and plug it into the system, *IF* it had at least USB 2.0 connections/drivers. If it only had USB 1.0, or it didn't have any USB connections at all, we'd look to the network. You can map a drive from a system on the same subnet that has the appropriate connection, or you can plug the ext HDD into the system, and map that volume. Depending upon the circumstances, you may need to (if you can) isolate the VLAN or something similar. For systems that have had to be disconnected from the network, you may consider plugging them into a small, 4-port hub, and doing something similar.

Of course, you need to document everything.

And how do you perform the analysis?
How do you extract logs?

Once you have the image, the same way you would acquire anything else.

Considering points?

Without manipulating the server's performance.

If you're trying to acquire an image from a system that is still running, there are no guarantees as to the impact on performance. You can try to minimize this, but that's about as far as you can go.

 
Posted : 11/02/2013 10:11 pm
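The three replies above converge on the same practice for a live box: acquire only what you need (chrism's selective imaging of IIS and Event Logs), pace the work so it stays inside the server's spare capacity (Bulldawg's point about the 100 Mbit switch), and document and hash everything (keydet89). The following script is an added example written for this thread, not code from FTK Imager, F-Response or any poster: it copies a list of files off a live system at a configurable byte rate, records the SHA-256 of the bytes actually read, re-hashes the copy to prove it landed intact, and writes a manifest.json beside the evidence. The file names, sizes and examiner id in `demo()` are constructed sample data, and the rate limit is a simple sleep-based pacer rather than anything the tools discussed provide.

```python
import hashlib
import json
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB read/write size keeps memory use flat on a busy host


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_throttled(src: Path, dst: Path, max_bytes_per_sec: int) -> str:
    """Copy src to dst in chunks, pacing so the average rate never exceeds
    max_bytes_per_sec. Returns the SHA-256 of exactly the bytes read: on a
    live server the source (an open log, for instance) may change after we
    read it, so the acquired bytes are what gets recorded."""
    digest = hashlib.sha256()
    start = time.monotonic()
    done = 0
    with src.open("rb") as fin, dst.open("wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            fout.write(chunk)
            digest.update(chunk)
            done += len(chunk)
            # If we are ahead of the byte budget, sleep until the rate is honoured.
            ahead = done / max_bytes_per_sec - (time.monotonic() - start)
            if ahead > 0:
                time.sleep(ahead)
    return digest.hexdigest()


def acquire_selected(sources, evidence_dir: Path, max_bytes_per_sec: int, examiner: str) -> dict:
    """Acquire the listed files into evidence_dir and write manifest.json with,
    per file: origin path, size, source mtime, hash of the acquired bytes, and
    whether the on-disk copy re-hashes to the same value."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "examiner": examiner,
        "started_utc": datetime.now(timezone.utc).isoformat(),
        "rate_limit_bytes_per_sec": max_bytes_per_sec,
        "items": [],
    }
    for src in map(Path, sources):
        st = src.stat()
        dst = evidence_dir / src.name
        acquired_hash = copy_throttled(src, dst, max_bytes_per_sec)
        manifest["items"].append({
            "source": str(src),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": acquired_hash,
            "copy_verified": sha256_file(dst) == acquired_hash,
        })
    manifest["finished_utc"] = datetime.now(timezone.utc).isoformat()
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> dict:
    """Constructed run: two fake server logs (an IIS log and an event log file)
    in a temp directory, acquired at 1 MB/s so the pacing is observable."""
    work = Path(tempfile.mkdtemp(prefix="liveacq_"))
    server_logs = work / "server"
    server_logs.mkdir()
    (server_logs / "u_ex130211.log").write_bytes(b"GET /owa/ 200\r\n" * 10000)          # 150,000 bytes
    (server_logs / "Security.evtx").write_bytes(b"\x45\x6c\x66\x46\x69\x6c\x65" * 20000)  # 140,000 bytes
    sources = sorted(server_logs.iterdir())
    t0 = time.monotonic()
    manifest = acquire_selected(sources, work / "evidence", 1_000_000, "examiner-01")
    elapsed = time.monotonic() - t0
    return {
        "manifest": manifest,
        "elapsed": elapsed,
        # Nothing writes to the sources here, so a fresh source hash must equal the acquired hash.
        "source_hashes_match": all(i["sha256"] == sha256_file(Path(i["source"])) for i in manifest["items"]),
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print(f"elapsed {result['elapsed']:.2f}s, sources match: {result['source_hashes_match']}")
```

The rate limiter only caps what this process reads and writes; on a real engagement the evidence directory would be the examiner's own mapped volume or external drive, so the same cap also bounds the network or USB load the server sees. The manifest is the written record keydet89 asks for: it ties each copied file to a hash and a time, and `copy_verified` is the check to run before the evidence drive leaves the room.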
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

You're the best guys, the way you interact is awesome.

In this case, it's a Windows Server 2008 (Active Directory System) in a fairly medium-sized organization. There have been claims that the AD server is replicated, spoofed or by other means hijacked by someone.

As an incident response action, am I supposed to take an entire image of the Active Directory?
Certain Files? Certain Logs? What do you think that's most important in this case?

And normally, whilst performing acquisition on servers, what are the important regs and logs that are mandatory to have a look at as a first glimpse?

Thanks!

 
Posted : 12/02/2013 10:39 am
(@alastairfay)
Posts: 36
Eminent Member
 

By "Active Directory System" do you mean it's a Domain Controller, or Member Server?

If it's a DC, then it will have other DCs in sync with it - for failover.

More importantly, the entire AD tree will be replicated to other DCs in the same domain (and possibly Forest, depending on the topology). So any changes to the "target" server's AD configuration will have been replicated to the others.

We're a small organisation - 30 people - and I run 2 DCs (one physical - 'dc1', and one low-spec virtual - 'dc2') - in case anything happens to either server, the Windows network carries on working smoothly… just a bit slower.

Why do they think the server has been spoofed/replicated/hijacked?

 
Posted : 12/02/2013 1:56 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

OK so, they've created a "test" admin user to be used only by the technical support team, and once specific tasks are completed the user has to be disabled from the Active Directory.

However, the "test" admin user instantly gets unlocked and tries to communicate with other local IPs in the network (some fail and some succeed).

In addition to that, after checking the event logs they found many users trying to connect to accounts that don't belong to them and using computers that don't belong to them.

So yes, a lot of weird and dodgy activities are happening to the AD.

 
Posted : 12/02/2013 2:34 pm
(@alastairfay)
Posts: 36
Eminent Member
 

Thanks for the info.

When you say "trying to communicate with other local IPs", what do you mean?

Is the test account trying to mount hidden network shares ( \\server1\C$ ) ?

On a side note, it's an interesting security design with having one "test" account, used by multiple people, for running "admin" level tasks. Certainly makes accountability a bit harder!

 
Posted : 12/02/2013 2:47 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

They created the "test" account after noticing that there was a lot of peculiar behaviour happening to the AD, so the test account was to see if the "Malware"/"Attacker" would also have access to the "newly made test account", and it did!

It seems that someone has intensive accessibility to the AD and can make changes to it whenever he/she wants. They've also noticed that employees log into their PCs at 4 at midnight; someone has access to everything!

So what do you reckon would be the most valuable starting point? Specific logs from the AD? At least an indication of who could be doing this?

Thanks

 
Posted : 13/02/2013 9:20 am
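The symptoms CopyRight describes (a disabled "test" account that keeps coming back, logons at 4 in the morning, users appearing on machines that are not theirs) are all visible in the Security log of the DC once it has been acquired, and the first-glimpse triage is mostly a matter of correlating a few event IDs. The script below is an added example for this thread, not something any poster provided: it runs three checks over records already extracted from an event log, using the Windows Security event IDs 4725 (user account disabled), 4722 (user account enabled) and 4624 (successful logon). The `EVENTS` list is a constructed sample whose field names are a simplified, assumed shape (`subject`, `target`, `host`, `logon_type`) rather than the raw EVTX XML; in practice you would fill it from an exported log with whatever parser you already use. `BASELINE` (which workstation each user normally uses) is also constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Security log records; IDs are real Windows event IDs,
# everything else (names, hosts, addresses, times) is made up for this example.
EVENTS = [
    {"id": 4725, "time": "2013-02-11T17:05:00", "subject": "helpdesk1",  "target": "test",   "host": "DC01",      "ip": "-",         "logon_type": None},
    {"id": 4722, "time": "2013-02-11T17:06:10", "subject": "svc_backup", "target": "test",   "host": "DC01",      "ip": "-",         "logon_type": None},
    {"id": 4624, "time": "2013-02-11T17:07:30", "subject": "-",          "target": "test",   "host": "FIN-PC07",  "ip": "10.0.5.23", "logon_type": 3},
    {"id": 4624, "time": "2013-02-12T04:02:11", "subject": "-",          "target": "jsmith", "host": "HR-PC03",   "ip": "10.0.3.40", "logon_type": 10},
    {"id": 4624, "time": "2013-02-12T09:15:00", "subject": "-",          "target": "jsmith", "host": "JSMITH-PC", "ip": "10.0.2.15", "logon_type": 2},
    {"id": 4624, "time": "2013-02-12T09:20:00", "subject": "-",          "target": "agreen", "host": "AGREEN-PC", "ip": "10.0.2.16", "logon_type": 2},
    {"id": 4624, "time": "2013-02-12T12:00:00", "subject": "-",          "target": "agreen", "host": "FIN-PC07",  "ip": "10.0.5.23", "logon_type": 3},
]

# Constructed baseline: the workstation(s) each user is expected to log on from.
BASELINE = {"jsmith": {"JSMITH-PC"}, "agreen": {"AGREEN-PC"}}


def reenable_chains(events, account):
    """Each time `account` was disabled (4725) and later enabled again (4722):
    (disabled_at, enabled_at, who_enabled). The 'who' is the first lead on
    which credential the intruder is using."""
    chains, pending = [], None
    for e in sorted(events, key=lambda e: e["time"]):
        if e["target"] != account:
            continue
        if e["id"] == 4725:
            pending = e
        elif e["id"] == 4722 and pending is not None:
            chains.append((pending["time"], e["time"], e["subject"]))
            pending = None
    return chains


def off_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons whose local hour falls outside [start_hour, end_hour)."""
    hits = []
    for e in events:
        if e["id"] == 4624:
            hour = datetime.fromisoformat(e["time"]).hour
            if not (start_hour <= hour < end_hour):
                hits.append((e["target"], e["host"], e["time"]))
    return hits


def logons_from_unknown_hosts(events, baseline):
    """Logons by a baselined user from a workstation not in that user's baseline."""
    hits = []
    for e in events:
        if e["id"] == 4624:
            usual = baseline.get(e["target"])
            if usual is not None and e["host"] not in usual:
                hits.append((e["target"], e["host"], e["time"]))
    return hits


def shared_source_hosts(events):
    """Workstations from which more than one distinct account logged on; a host
    that appears under several accounts is a likely pivot point."""
    by_host = defaultdict(set)
    for e in events:
        if e["id"] == 4624:
            by_host[e["host"]].add(e["target"])
    return {h: users for h, users in by_host.items() if len(users) > 1}


def triage(events, baseline, watched_account):
    """Run all checks and return one dict, the 'first glimpse' for the report."""
    return {
        "reenabled": reenable_chains(events, watched_account),
        "off_hours": off_hours_logons(events),
        "unknown_hosts": logons_from_unknown_hosts(events, baseline),
        "shared_hosts": shared_source_hosts(events),
    }


if __name__ == "__main__":
    for section, findings in triage(EVENTS, BASELINE, "test").items():
        print(f"== {section}")
        for f in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", f)
```

On the constructed data the checks line up the way they would in the real case: the test account was re-enabled a minute after the helpdesk disabled it, by a service account rather than a person; the only off-hours logon is jsmith at 04:02 from an HR workstation; and FIN-PC07 shows logons under both the test account and agreen, which makes that machine (and whoever was at it) the next thing to image. None of this proves who is responsible, but it answers CopyRight's question of where to look first: the 4722/4725 pairs for the test account, then every 4624 from the hosts those events lead to.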
Page 1 / 2