Forensic's Challenge

Hex00010
forum buddy
Posts: 17
Joined: 22 Nov 2010, 23:43

Forensic's Challenge

Post by Hex00010 »

Hi guys, I'm wanting to learn more about forensics and whatnot, so I was wondering if any of you highly skilled guys out there could possibly make up a scenario and tell us to find stuff?

Also, please make it a .IMG, as that's what I'm learning from right now, if you don't mind.

Thanks

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: Forensic's Challenge

Post by bad_brain »

Hm, the question is whether you mean forensics as a pre- or a post-disaster action.
Before something happens you can use tools like Tripwire to monitor file changes on a system.
But usually the scenario is a rooted server: after a compromise the first step is usually to dump the memory to an external drive (a USB stick, for example), to shut down all network access and to mirror the HDD, because you never work on the original HDD... that way you make sure not to delete evidence by accident.

Then the real work starts: you analyze the memory dump and check for suspicious processes, then move on to analyze the mirrored HDD, especially the logs; most interesting are the lastlog, access.log, daemon.log, auth.log and of course the bash history.
The procedure of course also depends on what services were provided; in most cases the attacker made the entry through faulty PHP scripts, so it's a good idea to grep all PHP files for suspicious strings like shell_exec.
You can also hash all installed software packages and then compare the hashes with ones known to be clean.

But to do all this manually is of course a lot of work, so usually you do it with forensic platforms like Helix: http://www.e-fense.com/products.php
Sadly Helix3 is not free anymore, but if you look around a little you might find a copy of Helix2 somewhere on the net (which was free).
CAINE (Computer Aided INvestigative Environment) also seems to be good, and it's free: http://www.caine-live.net/
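An added example to go with the grep-and-hash steps in the post above (this is not code from the post, nor from Helix or CAINE): a small Python script that walks a mirrored web root, flags the PHP call patterns a reviewer would check first (shell_exec, which the post names, plus its usual companions), and diffs SHA-256 hashes of the mirror against a known-good manifest. Both directory trees and their file contents are constructed samples written to temporary directories, and the pattern list is my own choice, not something the post prescribes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Call patterns worth a closer look in web-facing PHP. shell_exec is the one
# named in the post; the others are the usual companions a reviewer greps for.
SUSPICIOUS_PATTERNS = [
    r"\bshell_exec\s*\(",
    r"\bexec\s*\(",
    r"\bsystem\s*\(",
    r"\bpassthru\s*\(",
    r"\beval\s*\(",
    r"\bbase64_decode\s*\(",
    r"\bpreg_replace\s*\([^)]*/e",   # legacy /e modifier (code execution)
]


def scan_php_files(root, patterns=SUSPICIOUS_PATTERNS):
    """Walk `root` and return (relative path, line number, matched text) per hit."""
    root = Path(root)
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for path in sorted(root.rglob("*.php")):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                for rx in compiled:
                    m = rx.search(line)
                    if m:
                        hits.append((path.relative_to(root).as_posix(), lineno, m.group(0)))
    return hits


def hash_tree(root):
    """SHA-256 of every regular file under `root`, keyed by relative POSIX path."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_manifest(baseline, current):
    """Compare a known-good manifest against the hashes taken from the mirror."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def build_demo():
    """Constructed sample: a clean baseline tree and a mirror with two tampered spots."""
    base = Path(tempfile.mkdtemp(prefix="baseline_"))
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (base / "lib").mkdir()
    (base / "lib" / "db.php").write_text("<?php function q($s){ return mysql_query($s); } ?>\n")
    baseline = hash_tree(base)

    mirror = Path(tempfile.mkdtemp(prefix="mirror_"))
    (mirror / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (mirror / "lib").mkdir()
    # same file as the baseline, plus one appended line that was never in it
    (mirror / "lib" / "db.php").write_text(
        "<?php function q($s){ return mysql_query($s); }\n"
        "$out = shell_exec($cmd); ?>\n")
    # a file that exists only on the mirror, in an upload directory
    (mirror / "uploads").mkdir()
    (mirror / "uploads" / "x.php").write_text("<?php eval(base64_decode($payload)); ?>\n")
    return baseline, mirror


def run_demo():
    """Return the manifest diff and the pattern hits for the constructed mirror."""
    baseline, mirror = build_demo()
    return diff_manifest(baseline, hash_tree(mirror)), scan_php_files(mirror)


if __name__ == "__main__":
    diff, hits = run_demo()
    print("manifest diff:", diff)
    for rel, lineno, match in hits:
        print(f"{rel}:{lineno}: {match}")
```

In real use the baseline manifest comes from the package manager or a clean install of the same version, and the scan runs against the mirrored disk, never the live one; the hits are leads to read by hand, since the same calls also appear in legitimate admin scripts.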

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Forensic's Challenge

Post by DNR »

Here is a Wireshark pcap file (you'll use Wireshark to open the file and view its contents).

Find the user names of the criminals, what they said, and what they stole...

DNR
Attachments
evidence.zip (45.15 KiB): wireshark pcap file of criminal act of info theft
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
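An added example for working a capture like the one DNR posted (this is my code, not DNR's, and it does not read the attached evidence.zip): a dependency-free pcap reader in Python that does what "Follow TCP Stream" does in Wireshark, reassembling each TCP flow by sequence number and then pulling out clear-text protocol lines such as NICK, USER and PRIVMSG, which is where user names and chat text sit in an unencrypted session. The capture it parses is built inline from constructed hosts and messages (two of the segments are deliberately written out of order), and the keyword list is an assumption about what a chat or login session looks like on the wire.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1


def iter_pcap_packets(data):
    """Yield (ts_sec, ts_usec, frame_bytes) from an in-memory classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %08x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:    # not IPv4/TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[doff:]


def reassemble_streams(data):
    """Concatenate TCP payload per unidirectional flow, ordered by sequence number."""
    segments = defaultdict(list)
    for _, _, frame in iter_pcap_packets(data):
        parsed = tcp_payload(frame)
        if parsed and parsed[2]:
            flow, seq, payload = parsed
            segments[flow].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs)) for flow, segs in segments.items()}


def find_keywords(streams, keywords=("USER", "PASS", "NICK", "PRIVMSG")):
    """Return (flow, line) for every payload line whose first word is a keyword."""
    hits = []
    for flow, payload in streams.items():
        for line in payload.decode("ascii", errors="replace").splitlines():
            if line.split(" ", 1)[0].upper() in keywords:
                hits.append((flow, line))
    return hits


def _frame(src, sport, dst, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: one clear-text chat login between two made-up hosts."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    msgs = [
        ("10.0.0.5", 40000, "10.0.0.9", 6667, 1000, b"NICK alice\r\n"),
        ("10.0.0.5", 40000, "10.0.0.9", 6667, 1012, b"USER alice 0 * :alice\r\n"),
        ("10.0.0.9", 6667, "10.0.0.5", 40000, 5000, b":server 001 alice :Welcome\r\n"),
        ("10.0.0.5", 40000, "10.0.0.9", 6667, 1035, b"PRIVMSG bob :got the file\r\n"),
    ]
    out = [header]
    for i in (0, 3, 2, 1):   # written out of order on purpose; seq numbers restore it
        frame = _frame(*msgs[i])
        out.append(struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    streams = reassemble_streams(build_sample_pcap())
    for flow, line in find_keywords(streams):
        print(flow, line)
```

Pointing `reassemble_streams` at real file bytes is just `open("capture.pcap", "rb").read()`; the reader handles classic pcap only, so a pcapng capture from a recent Wireshark has to be saved as pcap first. Retransmissions and sequence wraparound are not handled, which is exactly what Wireshark's own stream reassembly adds on top of this.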
