Morning all,
I am currently working on a case where the witness machine has apparently been compromised, including control of the inbuilt webcam.
The witness reports that he has had some interaction, via an unknown chat type application, with the remote suspect - once after the chat box appeared on screen and another time after speaking out loud asking for the chat box to be shown which then happened.
Definitely very strange, but as I have been looking into it my first thoughts are some kind of manipulation of the Remote Assistance, which has been enabled and allowed through the Windows Firewall as an exception (which as far as I can make out is not the default setting).
Going through the Internet History, I am seeing a lot of references to
It appears to be some kind of search engine as there are numerous search terms, some legitimate and some indicative of a user looking for illicit material.
Any thoughts on how to progress this or what this site is gratefully received.
Regards
Rob
It must be a recent history
http//
Check the traffic rated
http//
http//
It seems like it came from nowhere, got hit consistently in may/june and returned to nowhere soon after.
The clickstream of Alexa may give you some hints. wink
Maybe it's just me, but when the clickstream shows a number coming from or going to sites that were registered days or weeks before, which have a hotmailbox.com or hotmail.net address as e-mail AND are no longer reachable…
jaclaz
did you try google?
There are several cached pages that may give you an idea as to what it was originally.
Looking at the domain name history could also shine some light on what kind of site this was.
Interestingly, I found this
http//
Search for inurl:cuttingtool.org
returns something else interesting
#
Index of /
Index of / .ftpquota · cgi-bin/. Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at
#
ftpquota -
1 0.
hi,
If you run a search at who.is, http//
my 2p
> Search for inurl:cuttingtool.org
Interesting results, although that isn't what was being searched for.
ssenyl,
I would suggest that what you need to do is generate a timeline of activity on the system, using a number of sources. I think one thing that would be very useful is to image the system and then place it back online, then collect volatile data, particularly process information, port-to-process mapping, and network connections. You may also want to set up a sniffer on the same subnet prior to turning the system back on.
The idea would be to attempt to track the network connections, and then associate the network traffic with a process on the system. Tracking artifacts of the use of the webcam with just the image may be exceedingly difficult, so having the volatile data may help you track a backdoor or Trojan.
> …my first thoughts are some kind of manipulation…
Not a bad way to start, but let me ask you this…on what do you base those "first thoughts"? What data do you have to back that up? I'm not suggesting that you're wrong…I'm asking the question for two reasons:
1. Making assumptions based on no data can lead you down the wrong road.
2. Sharing what you're looking at can allow others to assist and learn from what you're doing.
HTH
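An added example (my code, not anything posted in the thread) of the port-to-process step keydet89 describes: it joins `netstat -ano` rows to `tasklist /fo csv /nh` rows by PID so each live socket can be attributed to a process and later matched against what the sniffer sees. Both samples, their PIDs, addresses and process names are constructed, not from the case.

```python
# Added example (not code from the thread): attribute each socket in
# `netstat -ano` to its owning process, as part of the volatile-data collection.
# Both samples below are constructed; PIDs, addresses and names are made up.
import csv, io, ipaddress

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.23:49210     203.0.113.77:443       ESTABLISHED     3340
  TCP    192.168.1.23:3389      198.51.100.9:52133     ESTABLISHED     1204
  UDP    0.0.0.0:500            *:*                                    1076
"""
TASKLIST_SAMPLE = """\
"svchost.exe","1076","Console","0","4,100 K"
"svchost.exe","1204","Console","0","6,540 K"
"iexplore.exe","3340","Console","0","44,216 K"
"""

def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows have no State column, so PID is last."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": p[0], "local": p[1], "foreign": p[2],
                     "state": p[3] if p[0] == "TCP" else "", "pid": int(p[-1])})
    return rows

def parse_tasklist(text):
    """PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def is_remote(addr):
    """True for a foreign address that is neither a wildcard nor loopback."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    if host == "*":
        return False
    ip = ipaddress.ip_address(host)  # -n output is always numeric
    return not (ip.is_unspecified or ip.is_loopback)

def map_connections(netstat_text, tasklist_text):
    """Return netstat rows annotated with the owning image and a remote-peer flag."""
    procs = parse_tasklist(tasklist_text)
    return [dict(c, image=procs.get(c["pid"], "<no such pid>"),
                 remote=is_remote(c["foreign"])) for c in parse_netstat(netstat_text)]

if __name__ == "__main__":
    for c in map_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{c["proto"]} {c["local"]:22} -> {c["foreign"]:22} {c["state"]:12} pid={c["pid"]} {c["image"]} remote={c["remote"]}')
```

Rows flagged `remote=True` are the sockets to correlate with the sniffer capture; a PID that maps to `<no such pid>` means the snapshots were not taken close enough together and should be recollected.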
hi,
A quick look for expired domains shows it was dropped on 25 Jan 09.
I wonder WHERE you saw that.
The domain is Registered on 19/01/2010 and expires on 19/01/2011.
The info is the same on the site you posted (with the right name)
http//
as it is on the one I previously did
http//
@all
the domain is cutingtool.org and NOT cuttingtool.org (according to the original post)!
jaclaz
Not to point anyone out, but I do think that this is a good example…
I'm sure I've been thought of as a bit hard-nosed when it comes to spelling. This can be an issue in programming (misspelling a variable name without the appropriate checks means that you'll get an unexpected value), as well as in report writing. I've had a number of customers over the years who've been very, very particular about how their brand is represented and perceived, and spelling is a huge issue. I've been in meetings where someone (competitor, even one of the customer's own employees) misspelled the company name, and to be honest, it wasn't pretty.
The example here clearly indicates how different (and incorrect) information is retrieved when something being searched for is misspelled.
Again, I'm not trying to ping any one person…simply pointing out to us all how something as apparently trivial as this can be so very important.
Dear All,
My mistake in spelling the site name. Oops. Hopefully no harm done in this instance, but at another time/place such a lapse may not be so good. A fine demonstration of "garbage in = garbage out".
lol
Actually, I propagated the error. sorry.
The principles behind the search are still sound.
All,
Thank you for your responses and ideas.
To clarify, the site I am interested in is definitely cutingtool.org.
@keydet89 - my assumption is based on the fact that Remote Assistance has been allowed through the firewall and the complainant (and other family members using the machine) say they have never knowingly set this, together with the description by the witness of how they were able to interact with the other party through the chat box (implying continued use of the keyboard).
It is also reported that in Mar 10 the laptop was given to an IT department of an organisation to look at and repair the machine as it was apparently not working correctly - the reported problem was with Internet Explorer repeatedly dropping connection.
I can safely assume that some changes were made to the system because prior to this repair, the OS was in German but after return it was in English. This point is noted in the witness statement. The witness also states that the IT department installed some AV software as apparently none was present before. I disagree with this as AVG was installed in Jan 10, and as it stands at the moment I am unable to identify any trace of the AV installed by the IT dept.
I am in the process of re-laying the image onto a fresh drive so that I can monitor traffic.
Definitely the strangest case I have dealt with so far…
Regards
Rob