Hi,
I'm in a situation where I've been asked to look at a Windows 7 machine which was found to be connected to a network cable which it shouldn't have been.
In order to determine if it has been accessed using a rogue IP address what should I do? And how do I then determine what activity was carried out as a result of this?
Also, in order for me to identify which party connected the network cable, where would I look to determine when it was first connected?
I have looked for activity during the period concerned (overnight when the machine should not have been in use) by looking at file modified/last accessed/created dates. I have also mounted the drives to run anti-virus over it which had no warnings.
One thing I did find was an aiteventlog.etl which showed that lsass.exe was run. From googling, I see that this can be a legitimate system file - what prompts this to run? Is it by a user action?
I'm a bit out of my depth so any advice would be much appreciated!
Thanks
In order to determine if it has been accessed using a rogue IP address what should I do?
I'm sorry, what do you mean here? Are you thinking that the computer itself has been compromised and is being used as a jumping-off point into your network by a remote user? In which case you should consider a port scan to identify any nasties, and you should also virtualise the computer and use something like Wireshark to analyse any traffic coming off it.
Or do you mean that you think that the device itself has been connected to a network without permission and that you think that the local user has been doing things that they shouldn't have? In which case you should look at what programs the user has installed and see if there's anything there that looks out of place, and conduct a standard forensic analysis.
As for when it was first connected, look in the SOFTWARE hive, under Microsoft\Windows NT\CurrentVersion\NetworkList\, identify the network in question, then look at the modified times in both Profiles and Signatures.
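As an added example, not part of the thread, the following Python script works through the NetworkList keys mentioned above: it decodes the DateCreated and DateLastConnected values that each Profiles\{GUID} key carries (both are 16-byte Win32 SYSTEMTIME blobs), optionally reads them from a SOFTWARE hive copied out of the image using the third-party python-registry library, and filters the results to the overnight window the original poster is interested in. The GUIDs and dates in the embedded sample are constructed for illustration, and the hive path taken from the command line is an assumption.

```python
r"""Decode NetworkList timestamps from an offline SOFTWARE hive (added example).

Under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
Windows 7 stores, per network the machine has joined:
  ProfileName        REG_SZ      name shown in the Network and Sharing Center
  NameType           REG_DWORD   6 = wired (802.3), 71 = wireless (802.11), 23 = VPN
  DateCreated        REG_BINARY  16-byte SYSTEMTIME, first time this profile was created
  DateLastConnected  REG_BINARY  16-byte SYSTEMTIME, most recent connection
Both SYSTEMTIME values are written in the machine's local time, not UTC (check the
time zone in the SYSTEM hive before comparing with other artefacts).
NetworkList\Signatures\Unmanaged\<hash> links back via ProfileGuid and adds
DefaultGatewayMac (6 raw bytes), DnsSuffix and FirstNetwork.
"""
import struct
from datetime import datetime

NAME_TYPES = {6: "wired", 23: "vpn", 71: "wireless"}


def parse_systemtime(blob: bytes) -> datetime:
    """Decode a Win32 SYSTEMTIME: eight little-endian WORDs
    (year, month, day-of-week, day, hour, minute, second, milliseconds)."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME is 16 bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def pack_systemtime(dt: datetime) -> bytes:
    """Inverse of parse_systemtime; used only to build the constructed sample below.
    wDayOfWeek counts Sunday as 0, hence isoweekday() % 7."""
    return struct.pack("<8H", dt.year, dt.month, dt.isoweekday() % 7, dt.day,
                       dt.hour, dt.minute, dt.second, dt.microsecond // 1000)


def describe_profile(guid: str, values: dict) -> dict:
    r"""Normalise the raw values of one Profiles\{GUID} key into a flat record."""
    return {
        "guid": guid,
        "name": values.get("ProfileName", "?"),
        "type": NAME_TYPES.get(values.get("NameType"), str(values.get("NameType"))),
        "created": parse_systemtime(values["DateCreated"]),
        "last_connected": parse_systemtime(values["DateLastConnected"]),
    }


def profiles_from_hive(software_hive: str) -> list:
    """Walk a copied-out SOFTWARE hive with python-registry (pip install python-registry).
    The import is lazy so the rest of the script runs without the library. The key's
    own last-write time is also recorded; that is the 'modified time' the post refers to."""
    from Registry import Registry  # third-party library, assumed installed
    reg = Registry.Registry(software_hive)
    base = reg.open(r"Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles")
    records = []
    for key in base.subkeys():
        rec = describe_profile(key.name(), {v.name(): v.value() for v in key.values()})
        rec["key_last_write"] = key.timestamp()
        records.append(rec)
    return records


def activity_in_window(records: list, start_iso: str, end_iso: str) -> list:
    """Names of profiles created or last connected inside [start, end] (local time),
    e.g. the overnight period when the machine should have been idle."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = [r for r in records
            if start <= r["created"] <= end or start <= r["last_connected"] <= end]
    return sorted(r["name"] for r in hits)


# Constructed sample standing in for two Profiles\{GUID} keys; GUIDs and dates are made up.
SAMPLE_VALUES = {
    "{00000000-0000-0000-0000-000000000001}": {
        "ProfileName": "CorpLAN", "NameType": 6,
        "DateCreated": pack_systemtime(datetime(2012, 11, 5, 9, 30, 0)),
        "DateLastConnected": pack_systemtime(datetime(2013, 3, 28, 17, 2, 0)),
    },
    "{00000000-0000-0000-0000-000000000002}": {
        "ProfileName": "Network 2", "NameType": 6,
        "DateCreated": pack_systemtime(datetime(2013, 4, 2, 1, 47, 13)),
        "DateLastConnected": pack_systemtime(datetime(2013, 4, 2, 3, 12, 5)),
    },
}
SAMPLE_RECORDS = [describe_profile(g, v) for g, v in SAMPLE_VALUES.items()]

if __name__ == "__main__":
    import sys
    # Pass the path of a SOFTWARE hive copied from the image to read real data;
    # with no argument the constructed sample is used.
    records = profiles_from_hive(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for r in records:
        print(f"{r['name']:<12} {r['type']:<9} created {r['created']}  last {r['last_connected']}")
    print("overnight:", activity_in_window(records, "2013-04-01T20:00", "2013-04-02T07:00"))
```

Copy the hive out of a read-only mount of the image (Windows\System32\config\SOFTWARE) rather than loading it on the live machine. These values only change when Windows itself records a connection: a box booted from a live CD, as noted later in the thread, writes nothing here, so an empty overnight window is not proof that nothing happened.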
Additionally
If the machine has been connected to network and should not have been, then IF anything bad happened, it's an inside job. 😯
IF someone with local access booted the machine with (say) a PE or a Live Linux CD and used the network to send somewhere data gathered from the machine, you have very few possibilities of finding anything on the actual PC.
I mean one of the very few things a remote attacker cannot do AFAIK is to play a "flute-over-IP" and induce an otherwise harmless network cable to plug itself…
jaclaz
Nah, it's not guaranteed to be an inside job, could also be the result of a walk-in by a social engineer. It'd be worth asking if your company is currently undergoing any kind of pen test. If not, and it isn't an inside job, then someone REALLY wants in.
But yeah, more likely to be an inside job.
Thanks for your posts.
The situation is that it is supposed to be a secure room - so could be someone who connected the network cable without realising they shouldn't have (completely innocently) or that it was, as you say, a walk-in that shouldn't have been able to get in!
Hi,
I'm in a situation where I've been asked to look at a Windows 7 machine which was found to be connected to a network cable which it shouldn't have been.
I'm a bit out of my depth so any advice would be much appreciated!
Thanks
I'm about to ask some hard questions that may come across as rude in text and without visual/verbal cues, but I assure you that I have your best interest at heart in asking them.
Does it matter if you screw up the investigation? If the answer is yes, maybe, or similar then tell whoever is in charge and asked you to perform the examination that you need to outsource this work to professionals because you do not know what you are doing. This is not a slight against you, it is just the reality of the situation. If it matters, it needs to be done right, and there are far too many ways to damage the integrity of the investigation. Being thrust into an investigation with no training that may have serious ramifications is a nightmare and is not the time nor the place for on the job training.
Most places will not allow a beginning or junior-level person to collect and image evidence, because it is such a crucial step in the investigation process. If collection and imaging are botched in any way, it can undermine your investigation and make it completely fruitless. Because you haven't asked any questions about collection or imaging, I want to assume that you know how to do these things and have done them properly, but the absolute beginner nature of your questions about analysis makes me think that you don't know what you're doing and that's a very bad place to be in a forensic investigation.
I'd love to give you more specifics on what you need to do, but I'm really worried that giving you that information may do you more harm than good when used on a live investigation.
Thanks for your posts.
The situation is that it is supposed to be a secure room - so could be someone who connected the network cable without realising they shouldn't have (completely innocently) or that it was, as you say, a walk-in that shouldn't have been able to get in!
Well, this sounds a bit "queer", just like the cleanroom lady hack theory
A possibility would be
- School class in tour
- Japanese tourists visiting the room
I cannot imagine ANY OTHER "innocent" plugging a cable.
BUT, if it is actually a "secure room", the advice by member jwshaw is really to be seriously taken into consideration.
And IN ANY CASE, the security protocol needs to be reviewed as the cable should not have been there, the "security approved technician" can bring in one when it is needed and take it away with him later.
jaclaz
jwshaw,
I think your point is valid - I am qualified to image these machines, but as you say, am a total beginner in terms of analysis.
I think I was asked to do this as I am here, and potentially, if anything was uncovered it would be referred to a specialist. Which I suggested in the first place!
I will take the fact that your reaction was pretty much identical to my own - that I shouldn't be given this task as I am not experienced enough - as a boost to go to the powers that be and suggest they get someone more qualified to do the job!
Thanks to everyone for posting.
I will take the fact that your reaction was pretty much identical to my own - that I shouldn't be given this task as I am not experienced enough - as a boost to go to the powers that be and suggest they get someone more qualified to do the job!
I agree with jwshaw that this needs to be done by someone who has the background to do it properly and that you've been thrust into an untenable position if you have to do the exam.
One suggestion that I would throw out is that this is an excellent learning opportunity. The ideal situation would be that an image is made and then examined by someone with the appropriate background, but that you also perform an exam on the copy of the image. You could then compare notes with what the other person found and use it as a good test case to increase your skills in this area.
so could be someone who connected the network cable without realising they shouldn't have (completely innocently)
Or that someone who knew they shouldn't be doing so decided that he/she wanted to connect to the web to update *insert software* and wanted to bypass the security protocols.
I try to think Occam's Razor - what's more likely…