Remnants from unauthorized access to a shopping web site

(@yunus)
Posts: 178
Estimable Member
Topic starter
 

I have a case where a suspect is charged with unauthorized access to a shopping web site. The company says that they have his IP and he has tried to steal credit card numbers by redirecting the credit card entry page of the web site to another web site.

I have his hard drive. It's formatted, and I have found evidence in unallocated clusters that he has actually accessed the web site; however, it does not mean that he accessed the database or any unpermitted pages. He may well say, "I have just visited the web site and did not do anything wrong."

So, what type of information should I look for on the hard drive?

thanks

 
Posted : 03/11/2009 2:37 pm
(@ddewildt)
Posts: 123
Estimable Member
 

It might be an idea to grep for Credit Card numbers or look for the website the numbers were supposedly redirected to.

If you know of any other information that he is supposed to have accessed in an unauthorised fashion I'd be looking for that too.

HTH

 
Posted : 03/11/2009 2:49 pm
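The "grep for credit card numbers" suggestion above, as an added example that is not part of this thread: a scanner that pulls 13 to 19 digit runs (with optional space or dash separators) out of raw bytes such as an unallocated-cluster dump and keeps the Luhn check result beside each hit, so the examiner can rank candidates. The sample bytes, offsets and file layout are constructed for the example; the numbers in it are the public Visa and Amex test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (the lookarounds reject e.g. long IDs/timestamps).
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Hit:
    offset: int      # byte offset in the scanned data
    raw: bytes       # bytes exactly as found on disk
    digits: str      # separators stripped
    luhn_ok: bool    # passes the Luhn check-digit test


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(data: bytes) -> List[Hit]:
    """Scan raw bytes (carved file, unallocated-cluster dump) for card-like numbers."""
    hits = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        hits.append(Hit(m.start(), m.group(0), digits, luhn_ok(digits)))
    return hits


# Constructed sample resembling fragments in unallocated space. The numbers are
# the well-known public test numbers (Visa 4111..., Amex 3782...), not real cards.
SAMPLE = (
    b"\x00\x00card=4111111111111111&exp=12/09\x00"
    b"order 4111 1111 1111 1112 junk"      # one digit off: fails Luhn
    b"id=378282246310005\n"
    b"phone=5555555555555\x00"             # 13 digits, fails Luhn
)

if __name__ == "__main__":
    for h in find_card_candidates(SAMPLE):
        flag = "LUHN-OK" if h.luhn_ok else "luhn-fail"
        print(f"offset {h.offset:6d}  {h.digits:<19}  {flag}")
```

Run it over the image chunks (or the output of a carving tool) rather than the whole image in memory. A Luhn pass is necessary but far from sufficient: phone numbers, order IDs and serial numbers pass it about one time in ten, so each hit still needs to be read in context, and the offsets are what lets you go back to the surrounding bytes.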
(@fuzed)
Posts: 93
Trusted Member
 

As ddewildt said, search on CC numbers. Also ask the company for further information surrounding the IP, i.e. dates/times it was logged, and what logged it: what application, was it the server itself, RDP/Telnet etc etc…

Then you could work around this information on his machine, i.e. see if you can find any files/information relating to the timeframes in question.

Also, it's always worth looking for tools that could have been used in reference to the compromise, although this could be very long-winded. Were you able to image the web server that was compromised?

 
Posted : 03/11/2009 10:46 pm
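The "work around the dates/times" step above, as an added example that is not part of this thread: take the web server's log lines for the IP the company reported, normalise the timestamps to UTC, and list files from the suspect's image whose modification times fall inside a window around each request. The log lines, IP address, file paths and timestamps are all constructed for the example; the window sizes and the five-minute clock-skew allowance are assumptions to adjust per case.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Apache-style log line: client IP, bracketed timestamp with offset, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

Event = Tuple[datetime, str, int]       # (UTC time, request line, HTTP status)
FileRecord = Tuple[str, datetime]       # (path on the suspect's image, UTC mtime)


def parse_log(lines: List[str], ip: str) -> List[Event]:
    """Return the requests made from `ip`, with every timestamp converted to UTC."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(1) != ip:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append((ts, m.group(3), int(m.group(4))))
    return events


def files_near_events(files: List[FileRecord], events: List[Event],
                      before: timedelta = timedelta(minutes=10),
                      after: timedelta = timedelta(minutes=30),
                      skew: timedelta = timedelta(minutes=5)):
    """Files whose mtime lies in [event - before - skew, event + after + skew] for
    some event; each file is paired with the nearest qualifying event.
    NTFS stores timestamps in UTC but FAT stores local time, so convert the file
    side to UTC before calling this, and widen `skew` for an unsynchronised clock."""
    matches = []
    for path, mtime in files:
        nearest = None
        for ts, request, status in events:
            if ts - before - skew <= mtime <= ts + after + skew:
                if nearest is None or abs(mtime - ts) < abs(mtime - nearest[0]):
                    nearest = (ts, request)
        if nearest is not None:
            matches.append((path, mtime, nearest[0], nearest[1]))
    return matches


# Constructed server log excerpt (documentation-range IPs, not real traffic).
# The second line carries a +0100 offset to show the normalisation to UTC.
LOG_LINES = [
    '203.0.113.7 - - [02/Nov/2009:21:14:03 +0000] "GET /checkout/payment.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Nov/2009:22:16:41 +0100] "POST /admin/edit_page.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/Nov/2009:21:20:00 +0000] "GET /index.php HTTP/1.1" 200 812',
]

# Constructed file records from the suspect's image, already converted to UTC.
FILES = [
    ("C:/Users/suspect/AppData/Local/Temp/payment.php",
     datetime(2009, 11, 2, 21, 15, 30, tzinfo=timezone.utc)),
    ("C:/Users/suspect/Downloads/proxy-tool.zip",
     datetime(2009, 11, 2, 21, 40, 0, tzinfo=timezone.utc)),
    ("C:/Users/suspect/Pictures/holiday.jpg",
     datetime(2009, 10, 20, 9, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    events = parse_log(LOG_LINES, "203.0.113.7")
    for path, mtime, ts, request in files_near_events(FILES, events):
        print(f"{mtime:%Y-%m-%d %H:%M:%S}  {path}  <-  {ts:%H:%M:%S} {request}")
```

The point of pairing each file with its nearest request is that a browser cache entry or a downloaded tool landing a minute after a logged request is a much stronger link than "sometime that day"; conversely, a hit that only appears once the skew allowance is widened should be reported with that caveat.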
(@seanmcl)
Posts: 700
Honorable Member
 

> I have a case where a suspect is charged with unauthorized access to a shopping web site. The company says that they have his IP and he has tried to steal credit card numbers by redirecting the credit card entry page of the web site to another web site.

How was he supposed to have done this? Session hijacking? Code injection? DNS hijacking?…

Each of these methods (and others not listed) may leave artifacts. Do a search for other sites accessed on the Internet. Many of these guys belong to groups that share info on how to hack vulnerable sites. You may be able to determine if he has one or more aliases and search the Internet on these.

The other suggestions are all good and this sounds like a case where good detective work is needed.

Search the Internet for mention of the site that was hacked, or, if you can identify the web server (shouldn't be too hard), search for references to vulnerabilities. Again, lists of vulnerable sites are readily available from multiple sources (which makes me wonder why the site operators don't look for this).

 
Posted : 04/11/2009 12:10 am