Digital forensics on server (windows, ubuntu)

7 Posts
4 Users
0 Likes
1,817 Views
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hi,
I'm doing a project where I talk about the forensic cloud in general and the difference between digital and cloud forensics. Now I should simulate a real case using a virtual machine on my computer. (I know it's different from the forensic cloud) In particular I have to examine windows server or ubuntu server.
I don't know how to proceed. I was asked to examine the artifacts and if there are any particular structures compared to the classic windows.
Do you have suggestions? Which tools to use?

 
Posted : 10/05/2019 10:48 am
(@mrevoluter)
Posts: 14
Active Member
 

Hi Ibernato,
1. You have asked a very different kind of question. If you are going to carry out the forensics of a server, be it Windows or Linux, the first thing you need to consider is the typical way its storage system is set up.
2. Most servers run on a RAID storage system. Though a few forensic tools claim to carry out static forensic imaging of a RAID system, I would recommend you go for logical imaging.
3. Use FTK Imager to carry out the forensic imaging of the system. This link https://www.hackingarticles.in/step-by-step-tutorial-of-ftk-imager-beginners-guide/ would help you out.
4. Later you could carry on with your general digital forensics.
5. For cloud forensics there are various limitations, starting with taking permission from the cloud hosting provider.
6. Hope this is helpful.

Disclaimer: I don't know whether I can use links to other websites on this forum. If it is not permitted, I will not do it again.

 
Posted : 10/05/2019 1:42 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

In particular I have to examine windows server or ubuntu server.

I don't know how to proceed. I was asked to examine the artifacts and if there are any particular structures compared to the classic windows.

What do you consider "classic" Windows?

Do you have suggestions? Which tools to use?

I'd start with picking a system…Windows or Ubuntu.

If the VM file is a *.vmdk, you can access this easily with FTK Imager, and view the file system.

From there, the tools you use would be predicated upon your analysis goals…what are you hoping to prove/disprove?

 
Posted : 10/05/2019 10:06 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

Hi Ibernato,
1. You have asked a very different kind of question. If you are going to carry out the forensics of a server, be it Windows or Linux, the first thing you need to consider is the typical way its storage system is set up.
2. Most servers run on a RAID storage system. Though a few forensic tools claim to carry out static forensic imaging of a RAID system, I would recommend you go for logical imaging.
3. Use FTK Imager to carry out the forensic imaging of the system. This link https://www.hackingarticles.in/step-by-step-tutorial-of-ftk-imager-beginners-guide/ would help you out.
4. Later you could carry on with your general digital forensics.
5. For cloud forensics there are various limitations, starting with taking permission from the cloud hosting provider.
6. Hope this is helpful.

Disclaimer: I don't know whether I can use links to other websites on this forum. If it is not permitted, I will not do it again.

Thanks :)

From there, the tools you use would be predicated upon your analysis goals…what are you hoping to prove/disprove?

I need to analyze a server: log files, whether there have been registry changes, whether there was a malware attack. In short, these kinds of things.

 
Posted : 14/05/2019 8:13 am
(@trewmte)
Posts: 1877
Noble Member
 

Ibernato, what type of Windows Server might you be investigating?

Windows Nano Server?

Books worth reading (1-5), as they contain information about the research points mentioned in your posts.

1) Getting Started With Windows Nano Server

About This Book
The days of the local server are numbered, and this book will make you an ace by giving you the skills needed to administer Nano Server and survive in the brave new server world. Learn to quickly automate multiple VMs and support Hyper-V clusters, all through small footprints from a single host. Apply up-to-date, real-world examples presented in this book and improve the scalability and efficiency of large-scale VM deployments. This book opens up new potential for both developers and IT pros alike. The book is primarily for server administrators and IT professionals who would like to deploy and administer Nano Server within their organizations, and for developers who are trying to make maximal use of Server Containers and Hyper-V Containers with Nano Server.

Nano Server is a new headless, 64-bit-only deployment option in Windows Server 2016 that has been optimized for data centers and for next-generation, distributed applications. Nano Server is the future of Windows Server; it is similar to Windows Server in Server Core mode, but significantly smaller, has no local logon capability, and only supports 64-bit applications, tools, and agents. It takes up far less disk space, sets up significantly faster, requires far fewer updates, and restarts much faster than Server with Desktop Experience.

2) Windows Server 2016 Hyper-V Cookbook
e.g. Collecting artifacts for forensic examination

3) Mastering Windows Server 2016

4) Identity with Windows Server 2016 Exam 70-742 Lab Manual

5) Windows Server 2016 Complete Study Guide Exam 70-740, 70-741, 70-742

 
Posted : 14/05/2019 10:09 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

From there, the tools you use would be predicated upon your analysis goals…what are you hoping to prove/disprove?

I need to analyze a server: log files, whether there have been registry changes, whether there was a malware attack. In short, these kinds of things.

Thanks, but that doesn't answer the question…analyze a server for _what_?

For your benefit, here is a means for framing your analysis goals…

What is the question you are trying to answer? What are you trying to prove/disprove?

Are you trying to determine if a "malware attack" took place? If that's the case, how would you go about doing so?

 
Posted : 14/05/2019 12:00 pm
(@ibernato)
Posts: 28
Eminent Member
Topic starter
 

From there, the tools you use would be predicated upon your analysis goals…what are you hoping to prove/disprove?

I need to analyze a server: log files, whether there have been registry changes, whether there was a malware attack. In short, these kinds of things.

Thanks, but that doesn't answer the question…analyze a server for _what_?

For your benefit, here is a means for framing your analysis goals…

What is the question you are trying to answer? What are you trying to prove/disprove?

Are you trying to determine if a "malware attack" took place? If that's the case, how would you go about doing so?

This is a university project.
I was told to talk about the forensic cloud in general and to simulate a forensic analysis on a server (Windows or Linux):
registry, logs, etc.
Do you understand?
Thanks.

 
Posted : 14/05/2019 1:14 pm