I'm looking at a case involving credit card fraud, and while I find a lot of interesting artifacts (on the suspect's computer) from the actual online frauds, I'm not sure if the files containing credit card details were downloaded or generated by the suspect himself through SQL injection attacks on websites.
I have found chat fragments, links and ebooks indicating the suspect is interested in the subject, and there are some applications installed related to it (Sqlmap, Havij), but I'm not sure if he has just played around with them or actually used them on a live target. Searching the web a bit I mostly find information on how to detect SQL injections on the target machines.
I would really appreciate ideas on how to find out if the computer was used to initiate SQL injections. Any useful search terms or patterns to run against the image?
1. Check bash history
2. If you have the name of the site attacked, use this as a keyword
3. Get the IP(s) of the site (both now and at the time of the attack) and use these as keywords
What intelligence led you to examine this particular computer? You obviously didn't just wander around and find a computer on the pavement; if it's log files from the target, then this, combined with the presence of SQLmap and the CC numbers, looks like a good case to me.
As far as the idea of downloaded CC numbers goes, you can bottom this out with a bit of the old browser history forensics; people don't just give out lists of valid CCs, they sell them. You should look at the suspect's financial history to see if there are any suspicious payments.
What's the OS of the computer you're examining?
I've seen Havij used before. What you may want to look for is log files from Havij, indications that the suspect viewed those files, etc. You might also scour the hard drive for CCNs.
Take a close look at the browser(s) URL history. A lot of SQL attacks start by loading up SQL statements into a URL in a browser.
If you think you might have found a site that this person attacked or a site that was tested for holes, try and approach the web master of the site and explain the situation. Ask for web server logs from the IP address of the suspect.
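As an added example (written for this page, not posted by anyone in the thread), here is a Python sweep over browser history rows of the kind the post above describes: it decodes each URL's query string (twice, so double-encoded payloads are caught), matches it against a small set of SQL-injection indicator patterns, scores each row, and tallies the hosts involved so they can feed the keyword list suggested earlier. The history rows, host names and indicator weights are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Indicator patterns with a name and a weight. The weights are an assumption
# of this example: they rank leads for manual review, nothing more.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I), 3),
    # boolean-based probes such as "AND 1234=1234" or "OR 1=1"
    ("boolean-tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b", re.I), 2),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I), 3),
    ("schema-probe", re.compile(r"\binformation_schema\b|@@version|\bload_file\s*\(", re.I), 3),
    ("sql-comment", re.compile(r"(?:--|#)\s*$|/\*.*?\*/"), 1),
]


def analyse_url(url):
    """Decode a URL's query string and score it against the indicator set."""
    parts = urlsplit(url)
    # decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught
    decoded = unquote_plus(unquote_plus(parts.query))
    indicators = [name for name, rx, _ in SIGNATURES if rx.search(decoded)]
    score = sum(w for name, _, w in SIGNATURES if name in indicators)
    if "'" in decoded:  # a lone quote in a parameter is the classic first probe
        indicators.append("stray-quote")
        score += 1
    return {"host": parts.hostname, "decoded_query": decoded,
            "indicators": indicators, "score": score}


def scan_history(rows, min_score=1):
    """rows: iterable of (visit_time, url); returns scored findings in time order."""
    findings = []
    for visited, url in rows:
        result = analyse_url(url)
        if result["score"] >= min_score:
            result["visited"] = visited
            result["url"] = url
            findings.append(result)
    return sorted(findings, key=lambda f: f["visited"])


def suspect_hosts(findings):
    """Hosts that received flagged requests, with the number of flagged rows each."""
    return Counter(f["host"] for f in findings)


# Constructed history rows (visit time, URL); example.test hosts are fictional.
SAMPLE_HISTORY = [
    ("2012-03-15 14:31:02", "http://shop.example.test/product.php?id=17"),
    ("2012-03-15 14:31:40", "http://shop.example.test/product.php?id=17%27"),
    ("2012-03-15 14:32:05", "http://shop.example.test/product.php?id=17%20AND%201234%3D1234"),
    ("2012-03-15 14:33:11", "http://shop.example.test/product.php?id=-17%20UNION%20SELECT%201%2C2%2C3%2C4--"),
    ("2012-03-15 14:35:20", "http://shop.example.test/product.php?id=17%2527%2520OR%25201%253D1"),
    ("2012-03-15 15:00:00", "http://forum.example.test/thread.php?t=42"),
]

if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for f in hits:
        print(f["visited"], f["host"], f["score"], ",".join(f["indicators"]), "|", f["decoded_query"])
    print(suspect_hosts(hits))
```

Every hit is a lead for the examiner, not a conclusion: a single stray quote scores low and is common in ordinary typing, whereas a UNION SELECT followed by a comment terminator against a parameter that was requested cleanly a minute earlier is the progression a manual attack leaves in history. Tool-driven attacks (sqlmap, Havij) usually do not go through the browser at all, so an empty result here does not exclude them.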
Thank you for your advice!
I will look into your suggestions.
The image is from a Windows 7 machine. The SQL angle is actually just a tangent to the credit card fraud case and I have no hard info on any web sites being attacked, but I figure the question may arise. If nothing comes from it I'll at least have (hopefully) learned something new.
If it's a Windows machine you've got some nice options; prefetch artefacts, for example, should tell you when it was executed.
Virtualisation may also reveal some settings in the program which have been preserved.
This is not a new question…in fact, in some cases, it rears its head as, "how can I tell if a program was launched or executed?"
First off, what you find depends heavily on the OS you're looking at. If it's Windows, extend that to the version of Windows, as well. For example, I examined a system over the past year where a bad guy accessed the system and ran Havij. The system was Win2008R2, and we knew that the intruder had run the application based on the fact that there were output files from Havij on the system, indications that the bad guy had launched the program, as well as records in the Application Experience Event Log indicating that the application had been installed.
So, if you're examining a Windows system, here's where I would look:
- pagefile
- hibernation file (if any)
- crash dump logs
- AppCompatCache key in the System hive (always a good one…)
- Havij accesses the network so check the Tracing key in the Software hive; also, if the system is 64-bit, check the *other* Tracing key as well
- UserAssist and MUICache keys in the user profile (NTUSER.DAT, USRCLASS.DAT)
- Shellbags - if the user dumped output to a particular folder, opened that folder and then resized/repositioned it, you'll find indications of those actions there…
HTH
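As an added example (not part of the reply above), here is a Python parser for the UserAssist artifact the list mentions, in the layout Windows 7 uses: value names under the `Count` subkey are ROT13-encoded program paths, and each 72-byte value carries a run count at offset 4 and a last-execution FILETIME at offset 60. The hive values are constructed in the code (a real examination would read them from NTUSER.DAT with a registry library); the program paths and timestamps are made up for the example.

```python
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Win7 records program launches under
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# with ROT13-encoded value names and 72-byte binary values.
FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks from this instant (UTC)
WIN7_VALUE_SIZE = 72


@dataclass
class UserAssistEntry:
    name: str
    run_count: int
    focus_count: int
    focus_time_ms: int
    last_run: Optional[datetime]  # UTC; None when the timestamp field is zero


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(raw_name: str, data: bytes) -> UserAssistEntry:
    """Decode one Count value: ROT13 name plus the Win7 72-byte record."""
    if len(data) != WIN7_VALUE_SIZE:
        raise ValueError(f"expected a {WIN7_VALUE_SIZE}-byte Win7 value, got {len(data)}")
    name = codecs.decode(raw_name, "rot_13")
    # offsets 0..15: session id, run count, focus count, focus time (ms).
    # Win7 stores the real run count (XP added 5 to it); bytes 16..59 hold
    # per-launch floats that are skipped here; offset 60: last-run FILETIME.
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return UserAssistEntry(name, run_count, focus_count, focus_ms,
                           filetime_to_datetime(last_run_ft))


def parse_count_key(values: Dict[str, bytes]) -> List[UserAssistEntry]:
    """Parse every value of a Count subkey, most recent launch first."""
    entries = [parse_userassist_value(n, v) for n, v in values.items()]
    return sorted(entries, key=lambda e: e.last_run or FILETIME_EPOCH, reverse=True)


def find_tool_executions(entries: List[UserAssistEntry], tool_names) -> List[UserAssistEntry]:
    """Entries whose decoded path mentions any of the given tool names."""
    wanted = [t.lower() for t in tool_names]
    return [e for e in entries if any(t in e.name.lower() for t in wanted)]


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Constructed test data in the Win7 layout (not taken from any real hive)."""
    ft = 0 if last_run is None else datetime_to_filetime(last_run)
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


# Constructed Count subkey: paths and times are invented for the example.
SAMPLE_COUNT_KEY = {
    codecs.encode(r"C:\Tools\Havij\Havij.exe", "rot_13"):
        build_sample_value(7, 12, 184000, datetime(2012, 3, 15, 14, 30)),
    codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"):
        build_sample_value(3, 3, 20000, datetime(2012, 3, 10, 9, 0)),
    codecs.encode(r"C:\Tools\uninstall.exe", "rot_13"):
        build_sample_value(0, 0, 0, None),
}

if __name__ == "__main__":
    for entry in find_tool_executions(parse_count_key(SAMPLE_COUNT_KEY), ["havij", "sqlmap"]):
        print(entry.name, "runs:", entry.run_count, "last:", entry.last_run)
```

The run count and last-run time answer the thread's question directly for Windows 7: a tool that was merely installed and never launched has no Count entry at all, while one that was launched shows how often and, for the most recent launch, when (in UTC). Cross-check that timestamp against the Prefetch file and the UNION/boolean probes in browser history to see whether a session lines up.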