Notifications
Clear all

Intrusion Detection

waqas
(@waqas)
New Member

Hey! I have just started my career as a computer forensic analyst and infact getting familiarizing things around.

Right now i have a case to look at. It is about an intrusion detection. someone claiming that a bad guy installed some backdoors and trojans on his computer that are transporting back his account details and personal information and remotely accessing the system . All i got is an image of victims HDD (i can understand a RAM dump would be a great help though). I have looked for installed programs, startup programs from registry entries (NTUSER.DAT> RUN and RUNONCE, Software\….\run and runonce ) but found no suspicious executables. what i have also checked, the remote desktop connection is disabled on system (hklm\system\currentcontrolset\control\terminal server and value fDenyTSConnection is set to 1 which means dont allow RDC) .

I am stuck at this point, have no idea what next to look for. any clue ? I am planning to run an ip address search on image to find all outgoing traffic but i can understand it will list out all the websites accessed as well.

Quote
Topic starter Posted : 15/01/2010 11:26 pm
Audio
(@audio)
Active Member

I'm a student so take this for what it's worth, but I see a lot of people on forums posting things like "I've been hacked" and it turns out to be nothing at all. They attribute something benign but unusual as malicious.

If you're sure his username and password were really compromised, it doesn't mean his computer was. Maybe it was some form of phishing attack (check browser history) or maybe he logged on using a public computer that was compromised, or maybe he chose a weak password, etc. and that's how the incident occurred.

BTW don't forget to check the obvious AV and Event Logs.

ReplyQuote
Posted : 16/01/2010 12:19 am
waqas
(@waqas)
New Member

there may be nothing that computer but i have to be sure before refuting the claim that is why i am looking some ways to pull some info from HDD image.

ReplyQuote
Topic starter Posted : 16/01/2010 12:34 am
seanmcl
(@seanmcl)
Senior Member

There are whole textbooks written about this, but two things that I would consider doing

1. Mount the image as a hard drive and run anti-malware scans against it. There are a number of ways to do this which you can find with your favorite search engine.

2. Create a Virtual Machine of the system against which you can run various process and network monitoring utilities to see what is going on in a live system. In particular, many backdoor/rootkit type programs use ports that are not blocked by firewalls (like port 80). With a VM and a network monitor such as Wireshark, you can look for network activity which was not initiated by you.

You may find artifacts in the Windows registry, Prefetch folders, etc.

If you have a tool which does signature analysis, you can run this against your system files (or any files for that matter), and look for files where the signature does not match the extension (a common way to hide what the file really does).

Two books that I would recommend (among many)

Counter Hack Reloaded by Ed Skoudis and Tim Liston
Malware Forensics by James M. Aqilina, Eoghan Casey and Cameron H. Malin

ReplyQuote
Posted : 16/01/2010 7:07 pm
keydet89
(@keydet89)
Community Legend

Right now i have a case to look at. It is about an intrusion detection. someone claiming that a bad guy installed some backdoors and trojans on his computer that are transporting back his account details and personal information and remotely accessing the system . All i got is an image of victims HDD (i can understand a RAM dump would be a great help though). I have looked for installed programs, startup programs from registry entries (NTUSER.DAT> RUN and RUNONCE, Software\….\run and runonce ) but found no suspicious executables. what i have also checked, the remote desktop connection is disabled on system (hklm\system\currentcontrolset\control\terminal server and value fDenyTSConnection is set to 1 which means dont allow RDC) .

Sounds like a pretty standard "Trojan Defense" issue…prove a negative, as it were.

I am stuck at this point, have no idea what next to look for. any clue ? I am planning to run an ip address search on image to find all outgoing traffic but i can understand it will list out all the websites accessed as well.

There is actually quite a bit you can do, in order to perform a comprehensive examination.

You appear to have started on Registry analysis, so don't forget the other autostart locations (BHOs, image hijacks, services, etc.) that may be used.

Look to see what the default browser may be, and then check the cache/history for each installed browser.

Look to current AV logs, including MRT.

Look for Dr Watson logs (if any) and look for any odd processes listed.

Try mounting the image and running a number of disparate AV and spyware scanners, and validate the findings.

Consider Prefetch files, any hibernation files that may exist. Look for odd or suspicious data in the MFT or $LogFile files. Also be sure to check the Event Logs (already mentioned, I know) as well as Registry hive unallocated space for anything odd.

Honestly, the list goes on. You didn't state the version of Windows you're looking at (XP, Vista, Win7, etc.), and to be honest, your question is really so broad that if you want more than a couple of pointers, the responses will be encyclopedic.

ReplyQuote
Posted : 16/01/2010 7:38 pm
Share:
Share to...