I am a beginner forensic investigator and I have come across a new case to solve which is described below.
I have come across a website which is used only for downloading the Android application that the client owns. The website provides only information about the app and how visitors can use it. There are no other features on the website.
But the issue is that there is an extra page added on the website domain which is not visible on the website but is present in the directory. The content of this page is illegal: the page is being used for selling illegal drugs, from low-level to high-level drugs.
1 - There is an email (@protonmail.com) and a Telegram account link for contact.
2 - The website is written in HTML code.
3 - The website is hosted on godaddy.com.
4 - The page is shown in the Russian language.
5 - I could only gather logs for October and November but was unable to find the source; I believe the page has been there for a long time.
6 - The page was deleted by the website owner in September, but it was added again by the unknown party.
Please suggest any tools or techniques to analyze and investigate the website to find the source and vulnerability. Any small contribution is appreciated.
If you have administrator access to the box, you should monitor the filesystem change activity. If by luck you have a *nix-based OS, fswatch, inotify and pyinotify can do miracles.
If you have an MS-based OS, somebody else should suggest tools to you, since the ones I tried (both paid and open source) were all unreliable (missing some activity or reporting other activity!!!).
PS. Another newbie from India - the task looks more or less like a homework for students )
Thanks for your support @passcodeunlock
PS. I am a newbie (just started digital forensics) but not a student. The website owner is a client and the DRUG sales are genuine. Thanks again for your support. )
I question the value of the process - you aren't going to prosecute successfully, so it largely seems like a waste of time.
As a security professional the best course of action would be to change provider & account details.
If there is no executable code on the website, then there are two options for a vulnerability: the hosting provider (GoDaddy) configuration, which you can't fix or diagnose (you'll have to contact and rely on them), or the credentials on the account (or the client's computer) have been compromised, in which case changing the authentication credentials should solve the problem.
If you are determined to track what happens - delete the page again, but get the logs this time if the page is recreated, the drug vendor seems to have some interest in keeping the page live …
Another pro-active option would be to carry out some penetration testing yourself ( client / host permitting ) to see if you can spot any vulnerabilities that might be the cause …
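A concrete way to do what the two replies above suggest (monitor the web root, and catch the moment the page is recreated so it can be lined up against the hosting logs) is a baseline-and-diff integrity check. This is an added example, not code from the thread: it hashes every file under a document root, and a later run reports files that were added, modified or removed. The site contents, the `shop/index.html` path and the temporary directory in `demo()` are constructed; on a real host, point `build_manifest` at the document root and save the baseline dict with `json.dump` between runs.

```python
"""Baseline-and-diff integrity check for a static web root (added example, not
from the thread). Record every file's SHA-256 once, then compare later runs so a
page that is recreated after deletion shows up as 'added' with its mtime."""
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root) -> dict:
    """Map relative path -> sha256/size/mtime for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # ignore links so a planted symlink cannot redirect the scan
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return manifest

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Added / modified / removed relative paths between two manifests."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common
                               if baseline[p]["sha256"] != current[p]["sha256"])}

def demo() -> dict:
    """Constructed site: take a baseline, then a hidden page appears and index.html is edited."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html>download our app</html>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        baseline = build_manifest(root)  # in real use, json.dump this to disk
        (root / "shop").mkdir()
        (root / "shop" / "index.html").write_text("<html>hidden page</html>")
        (root / "index.html").write_text("<html>download our app<!-- edited --></html>")
        return diff_manifests(baseline, build_manifest(root))
```

Running `demo()` returns `shop/index.html` under `added` and `index.html` under `modified`; scheduling the real comparison from cron gives the timestamp the log review needs.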
Thank you very much @azrael
You are correct, I won't be prosecuting the unknown party, but the motive is to find the vulnerability and close it to prevent future problems.
I took your advice and changed the credentials to the admin account and updated the hosting provider about the situation.
Thanks again for your support.