Need help on a search

(@littlemiss)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

So I'm doing forensics for my company after a significant incident, and I'm struggling as to what to search for next. I am just out of school and so don't have much "real world" experience.

Basically we have a computer which was used as a platform to infect other computers. We are pretty sure that this computer is the start of the infection. I have a dd image of the hard drive, on which I have attempted the following:

String search using the following terms:
- names of the files found on the other machines
- IP addresses of the other machines

Recovered and examined all the deleted files with timestamps of +/- 1 month around the incident.

Mounted the image and had a browse around.

Ran antivirus on the disk and looked at highlighted suspect files.

Looked in the registry user accounts to get a list of users.

Looked for the .evt logs; they will not open and are corrupted - the security log is empty.

So far I have found nothing much but a list of users and a list of files my antivirus thinks are viruses. Is there anything else I can try to work out 1 - the point of entry, 2 - the attack vector to the machine? I have had 4 hard drives to work on, and this one is the most important and I cannot find anything on it.

I have a windows and ubuntu work station I am using for forensics, and I need open source tools.

Any help would be much appreciated!


   
Quote
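One way to combine two of the steps the poster describes (the +/- 1 month timestamp window and the search for file names seen on the other machines) is to triage a Sleuth Kit bodyfile (`fls -m` output) rather than browsing the mounted image by hand. The script below is an added example, not code from the thread; the bodyfile lines, the incident time and the IoC file names are constructed for illustration, and it assumes `fls -m` marks unallocated entries with a trailing " (deleted)" in the name field.

```python
"""Triage a Sleuth Kit bodyfile: keep entries in an incident window, flag IoC names.

Bodyfile format (pipe-separated, times in epoch seconds):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from datetime import datetime, timedelta, timezone

# Constructed sample bodyfile (not taken from the original post).
SAMPLE_BODYFILE = """\
0|/Documents and Settings/Admin/Desktop/report.doc|1201|r/rrwxrwxrwx|0|0|24576|1233000000|1232990000|1232990000|1232000000
0|/WINDOWS/system32/svch0st.exe (deleted)|4410|r/rrwxrwxrwx|0|0|61440|1234600000|1234590000|1234590000|1234590000
0|/WINDOWS/Temp/scan.bat (deleted)|4411|r/rrwxrwxrwx|0|0|512|1234591000|1234591000|1234591000|1234591000
0|/Program Files/Office/winword.exe|900|r/rrwxrwxrwx|0|0|1000000|1200000000|1100000000|1100000000|1100000000
"""
# Hypothetical incident time and IoC file names (file names seen on the other machines).
INCIDENT = datetime.fromtimestamp(1234567890, tz=timezone.utc)
IOC_NAMES = {"svch0st.exe", "scan.bat"}

def parse_bodyfile(text):
    """Yield (name, {atime, mtime, ctime, crtime}) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip headers, blanks and corrupt lines
        keys = ("atime", "mtime", "ctime", "crtime")
        yield fields[1], {k: int(v) for k, v in zip(keys, fields[7:11])}

def in_window(times, incident, days=30):
    """True if any non-zero timestamp falls within +/- `days` of the incident."""
    lo, hi = incident - timedelta(days=days), incident + timedelta(days=days)
    return any(lo <= datetime.fromtimestamp(t, tz=timezone.utc) <= hi
               for t in times.values() if t > 0)

def triage(text, incident, ioc_names, days=30):
    """Return in-window entries tagged with deleted/IoC status, ordered by mtime."""
    hits = []
    for name, times in parse_bodyfile(text):
        if not in_window(times, incident, days):
            continue
        base = name.split("/")[-1].replace(" (deleted)", "")
        hits.append({
            "name": name,
            "mtime": datetime.fromtimestamp(times["mtime"], tz=timezone.utc).isoformat(),
            "deleted": "(deleted)" in name,  # assumes fls -m's " (deleted)" marker
            "ioc": base in ioc_names,
        })
    return sorted(hits, key=lambda h: h["mtime"])

if __name__ == "__main__":
    for h in triage(SAMPLE_BODYFILE, INCIDENT, IOC_NAMES):
        print(h["mtime"], "IOC" if h["ioc"] else "   ", h["name"])
```

On a real image, feed it the output of `fls -r -m / image.dd` and the IoC names gathered from the other hosts; entries that are both in the window and IoC hits are the first place to start building a timeline.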
(@andrewcallow)
Active Member
Joined: 17 years ago
Posts: 7
 

Hi,

Much of what may have been able to assist you may have existed in memory (network connections etc).

You may wish to create a virtual machine of the evidence, and examine the running processes, network traffic etc., which may show that the box is attempting to connect to other hosts. Some viruses are VM-aware, so may not execute in the VM environment; however, due to the increased use of virtualisation by companies and organisations, viruses can't always be that picky.

Also, have you examined other hosts that you think may have been infected? Is it possible that their security logging was enabled, which may show items of interest (failed brute force logins originating from the host you suspect spread the infection etc)?

One more thing: is it possible that authentication logs etc. were configured to be sent from the Windows boxes to a central logging server (syslog etc.)? If so then perhaps these logs may assist.

Good luck.


   
ReplyQuote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

Mate, I mean no offense here but you sound like you're a bit out of your depth, I think getting a pro in might be a good idea.

Virtualise it, port scan it, wireshark etc. Look at the attacked machines, check firewall rulesets, attempt to recover deleted log files, check user accounts…

Good luck.


   
ReplyQuote
(@techie714)
Eminent Member
Joined: 15 years ago
Posts: 37
 

It sounds like this was propagated through the network, but it may not hurt to check the registry of the infected PCs to see what USB devices have been used. USBDeview is some software that might help with this. Just a thought.


   
ReplyQuote
Share: