Blueheat Company’s production server was out of order again. The CEO was very upset and wanted their CIO Leo to figure out what happened. Leo asked those IT guys to investigate what was going on, but in vain. That was a SUN SPARC server running Solaris 10, and those IT guys could not find anything unusual.
The CEO decided to call the Police when that production server crashed again. Forensic guy R started to conduct an investigation on firewall and security logs of that server to identify whether the attack was from outside or not. He found no threat from outside, and he thought there was a “mole” in this company. That’s a serious situation. IT guys were familiar with those systems, and if one of them was the “mole”, it was difficult to distinguish who was the mole only by checking daily operations.
Blueheat had more than ten IT guys including Developers, DBAs, System Engineers, etc. in the IT department. They all needed to access server farms all day, and they also had permissions to access server farms. So it was difficult to identify what were normal operations and what were unusual operations. Forensic guy R decided to deploy a monitoring script on that SUN SPARC server, and the monitoring script would record timestamp, source IP, user account, and any keystroke. It would also send alerts to the forensic guy’s mailbox automatically.
A couple of days later, fortunately, forensic guy R found a connection log on 2010/1/5 1514; you guys could take a look at my blog to see what’s going on.
http//
Guess what? The “mole” tried to edit a script and he/she disabled the Samba service. He/she also took a look at the file “/etc/passwd” on 2010/1/5 1514. Forensic guy R checked the DHCP log and found that IT guy Mr. A used exactly that IP recorded in the monitoring log of 2010/1/5 1514.
Forensic guy R examined Mr. A’s workstation and found some scripts that could do something bad to servers. Finally Mr. A confessed to the crime he did and got caught.
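The attribution step in the story above (matching the source IP in the server-side monitoring log against the DHCP lease log for the same moment, and flagging the sensitive actions) can be scripted. The following is an added example written for this thread, not the poster's monitoring script: the monitoring-log and DHCP-log formats are constructed for the example, as are the hostnames, MACs and IPs, and the Solaris SMF command used to stop Samba is assumed to be `svcadm disable svc:/network/samba`. The point it shows beyond the narrative is that a DHCP address is only meaningful together with the lease window: the same IP is held by two different workstations on the same day, so the event time decides which one gets the blame.

```python
"""Correlate a server-side session monitoring log with a DHCP lease log to
attribute activity on a shared server to a workstation. Added example with
constructed log formats and constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
import re

TS = "%Y-%m-%d %H:%M:%S"

# Constructed monitoring-log lines: timestamp, source IP, account, recorded input.
MONITOR_LOG = """\
2010-01-05 15:14:02 src=10.1.2.34 user=opsadmin cmd=vi /opt/scripts/backup.sh
2010-01-05 15:14:40 src=10.1.2.34 user=opsadmin cmd=svcadm disable svc:/network/samba
2010-01-05 15:15:05 src=10.1.2.34 user=opsadmin cmd=cat /etc/passwd
2010-01-05 09:03:11 src=10.1.2.34 user=dba1 cmd=ls /export/home
2010-01-05 18:20:30 src=10.1.2.50 user=dev2 cmd=tail -f /var/adm/messages
"""

# Constructed DHCP lease records: lease start, lease end, IP, MAC, client hostname.
# Note that 10.1.2.34 is leased to two different workstations on the same day.
DHCP_LOG = """\
2010-01-05 08:00:00,2010-01-05 12:00:00,10.1.2.34,00:11:22:aa:bb:01,ws-dba
2010-01-05 12:30:00,2010-01-05 20:30:00,10.1.2.34,00:11:22:aa:bb:02,ws-a
2010-01-05 07:45:00,2010-01-05 19:45:00,10.1.2.50,00:11:22:aa:bb:03,ws-dev2
"""

@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    cmd: str

@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    host: str

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) user=(\S+) cmd=(.*)$")

def parse_monitor(text):
    """Parse monitoring-log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, cmd = m.groups()
        events.append(Event(datetime.strptime(ts, TS), ip, user, cmd.strip()))
    return events

def parse_dhcp(text):
    """Parse the constructed comma-separated lease records."""
    leases = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        start, end, ip, mac, host = parts
        leases.append(Lease(datetime.strptime(start, TS),
                            datetime.strptime(end, TS), ip, mac, host))
    return leases

def lease_at(leases, ip, ts):
    """Return the lease that held `ip` at `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease
    return None

# Actions an investigator would want flagged: credential-file reads and service shutdowns.
SENSITIVE = (re.compile(r"/etc/(passwd|shadow)\b"),
             re.compile(r"\bsvcadm\s+disable\b"))

def is_sensitive(cmd):
    return any(p.search(cmd) for p in SENSITIVE)

def attribute(events, leases):
    """Pair each event with the workstation that held its source IP at that time."""
    rows = []
    for e in events:
        lease = lease_at(leases, e.ip, e.ts)
        rows.append({
            "ts": e.ts.strftime(TS), "ip": e.ip, "user": e.user, "cmd": e.cmd,
            "host": lease.host if lease else None,
            "mac": lease.mac if lease else None,
            "sensitive": is_sensitive(e.cmd),
        })
    return rows

def suspects(events, leases):
    """Workstations tied to sensitive commands, deduplicated and sorted."""
    return sorted({r["host"] for r in attribute(events, leases)
                   if r["sensitive"] and r["host"]})

if __name__ == "__main__":
    for r in attribute(parse_monitor(MONITOR_LOG), parse_dhcp(DHCP_LOG)):
        flag = "!" if r["sensitive"] else " "
        print(f"{flag} {r['ts']} {r['ip']:>12} {r['user']:<9} {r['host'] or '?':<8} {r['cmd']}")
    print("suspect workstations:", suspects(parse_monitor(MONITOR_LOG), parse_dhcp(DHCP_LOG)))
```

Run as-is it prints the five events with the workstation that held each source IP at that time, marks the Samba shutdown and the /etc/passwd read with "!", and names only `ws-a` as the suspect workstation; the 09:03 command from the same IP is correctly attributed to `ws-dba`, and an event falling in the gap between the two leases would get no host at all rather than a wrong one.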
Just for the record "moles" tend to reveal to third parties private/secret information, and they carefully try to avoid "doing something bad to the servers" or more generally to disrupt any service or whatever infrastructure, this latter is more "sabotage" than anything else.
jaclaz
Forensic guy R started to conduct an investigation on firewall and security logs of that server to identify whether the attack was from outside or not.
So, no evidence at this point, but it's been deemed an "attack"? Not a misconfiguration or anything like that…
He found no threat from outside, and he thought there was a “mole” in this company.
Yes, you're right…it is serious. Because the forensics guy "thought" that there was a mole, but had no evidence to support that "theory".
Thank you guys. During an investigation forensic guys do lots of things, not just use forensic tools to analyze; sometimes we need to do lots of tests to try to restore the crime scene. So forensic guys will make an assumption and try to find out any clue. Making an assumption according to the evidence you find won't commit any crime, right?
A forensic guy is not only an IT professional but also a detective or a special agent. So lots of companies or organizations will depend on forensic guys to conduct an investigation on business secret cases and find out who the "mole" is.
Like we always say, our clients need to know "When", "Where", "How", "What", "Why", and "Who" of course.
…and yet, there's still nothing to suggest that there ever was an attack…
What made him suspect that it was a person crashing the server (I'm assuming intentionally) as opposed to a fault on the server itself?
i.e. what did the mole have to gain from causing a little bit of a disturbance rather than data exfil or destruction?
Thank you guys. It's a long story, and what I'm trying to say is that sometimes forensic guys need to take more "aggressive" actions like monitoring and recording activities inside the evidence. Also, an experienced IT expert could figure out whether the root cause is a server fault or a human acting on purpose.
Thank you guys. It's a long story ….
… I thought it was a tall one… 😯 roll
jaclaz