Thread: Utilising BT for forensics?

  1. #1 Just burned his ISO (Join Date May 2007, Posts 15)

    Utilising BT for forensics?

    Hi All

    I want to investigate an issue that seems to delve a bit into IT Forensics, and I seek your help.

    Here's the scenario.

    A Windows 2000 networked PC belonging to the abc domain, in the possession of a secretary, has a confidential Excel file (password protected) lying on her local HDD.

    This file is suddenly found on the desktop of a PC meant for general internet access, which is usually logged in as Administrator; the file is lying on the desktop of the local admin profile. This PC is also connected to the same abc domain. The file is now in PDF format.

    When I checked doc properties of this file, it's created using the domain username profile of the same secretary.

    I checked the secretary's local hard disk and this PDF doc exists on her local HDD, but the secretary maintains that she cannot recollect converting the Excel to a doc.

    Findings:

    The secretary has lots of shares enabled and has admin access to her Win2k PC. It's not patched and has lots of vulnerabilities, as I found when I did a Nessus scan.

    Challenge:

    How to find the IP from which the file reached the general access PC, if it was shifted through a network drive?

    If the secretary did not convert this Excel file to doc, then someone first cracked the Excel password and then converted it to PDF. Why would someone convert to PDF if the information had already been obtained via the cracked Excel file? Seems like the secretary herself forgot.

    How can I go forward in this investigation? Can BT 2 be helpful?

  2. #2 Member imported_blackfoot (Join Date Jun 2007, Posts 386)

    patch and investigate

    Fictional?

    1 Patch the box or upgrade to Windows XP. Change passwords.

    2 Follow standard investigation procedures. Segregate the logs and analyse.

    3 Conclude secretary saved in pdf format erroneously. Instigate training.

    4 Review access procedures.
    Lux sit

  3. #3 Just burned his ISO (Join Date May 2007, Posts 15)

    Donning the investigate hat

    Quote Originally Posted by blackfoot
    Fictional?

    1 Patch the box or upgrade to Windows XP. Change passwords.

    2 Follow standard investigation procedures. Segregate the logs and analyse.

    3 Conclude secretary saved in pdf format erroneously. Instigate training.

    4 Review access procedures.
    Fictional?? D'uh!!

    I agree, the secretary's PC was a sitting duck. Any helpdesk personnel could have hacked in. All four points are valid except the third. Which logs? I have exhausted what I consider 'standard procedures'.

    My guess, it's an insider job. The confidential data contains performance details of all employees.

    The issue is, on the PC with general access, it's usually kept always logged in as admin, and hence there is little need for people to log in specifically using their domain accounts when they come to sit, chat or browse.

    I see my chance in two things.

    1. Convert the secretary's PC into a honeypot kind of thing and observe who tries to come in, either by drive mapping or by using Remote Desktop, VNC etc. Please suggest some tool/monitoring utility?

    2. If there is any way I can find that at any point in time during the last month, any tcp/ip based connection has happened from this general access PC to secretary's PC?

  4. #4 Member imported_blackfoot (Join Date Jun 2007, Posts 386)

    Yes, fictional

    Yes, I believe it is fictional but to give you the benefit of the doubt I answered with due regard to the integrity of the system. A honeypot is feasible but would be a separate system not experimental on a poor secretary's machine. Do have the grace to consider others even in fiction!

    I have reviewed your other posts herein and see a common thread of opening for exploit and then monitoring and tracing to see who might find YOU.

    As regards your final point (2), I recommend that you obtain all logs and analyse them perhaps using perl (known for speed for precisely this sort of thing as I am sure you know). There, surely you will find your results.

    Might be better to ask your 'HelpDesk' dear.
    Lux sit

  5. #5 Just burned his ISO (Join Date May 2007, Posts 15)

    Grace in fiction

    Quote Originally Posted by blackfoot
    Yes, I believe it is fictional but to give you the benefit of the doubt I answered with due regard to the integrity of the system. A honeypot is feasible but would be a separate system not experimental on a poor secretary's machine. Do have the grace to consider others even in fiction!

    I have reviewed your other posts herein and see a common thread of opening for exploit and then monitoring and tracing to see who might find YOU.

    As regards your final point (2), I recommend that you obtain all logs and analyse them perhaps using perl (known for speed for precisely this sort of thing as I am sure you know). There, surely you will find your results.

    Might be better to ask your 'HelpDesk' dear.
    There is a general tendency on these forums to consider all postings with great distrust and I can see where that comes from.

    While you went through my earlier postings, you noticed that I have come seeking means to protect and to learn about exploits. Isn't that what this community is all about? Once you go past the phase of a novice and become an expert, generally there is no need to lurk around on forums.

    It's these initial phases when one needs some help.

    When I consider making the secretary's PC a honeypot, I mean shifting all the files from her PC onto a much better XP Pro with the firewall enabled, keeping this one, whose NetBIOS name is her own name and is very easy to identify on the network, and then waiting and watching the intruders. I don't personally see anything 'disgraceful' in this.

    Regarding your point of obtaining all logs and analysing them using Perl, I'll have to get into the mechanism, for I have never done this. Any links to writeups would be appreciated.

    Yes, I'll involve the helpdesk, but I intend to do that at a later stage once I have clues as to how the stuff was brought about.

    Thanks for the reply despite apprehensions.

  6. #6 Just burned his ISO (Join Date May 2007, Posts 5)

    MAC timeline analysis will show you all. Correlate that information with your workstation logon events and wham! You have your culprit (file creation time and which user was logged on).

    Using generic/shared user accounts? Sucked in.
    Don't record workstation logon events? Ditto

    Quote:
    2. If there is any way I can find that at any point in time during the last month, any tcp/ip based connection has happened from this general access PC to secretary's PC?
    Ever heard of firewall logs? Lemme guess, you don't keep firewall logs? Hmm.

    What's a MAC timeline, I hear you ask??? Well.... point your browser to this URL:
    just****inggoogleit.com/search?query=mac+timeline+analysis

    Quote:
    There is a general tendency on these forums to consider all postings with great distrust and I can see where that comes from.
    That's because these forums are full of script kiddies and wannabe security gurus.

  7. #7 Just burned his ISO (Join Date May 2007, Posts 15)

    Google..woogle

    Quote Originally Posted by SaintN
    MAC timeline analysis will show you all
    correlate that information with your workstation logon events and wham! you have your culprit. (File Creation time and which user was logged on)
    Saint, I know already that it was the administrator account, as the files were found lying on the desktop profile of the local admin.

    Quote Originally Posted by SaintN
    Ever heard of firewall logs? Lemme guess, you don't keep firewall logs? Hmm.
    Local firewall on the PC, or perimeter? I do have perimeter firewall logs, but how can they help?

    Quote Originally Posted by SaintN
    What's a MAC timeline, I hear you ask??? Well.... point your browser to this URL:
    just****inggoogleit.com/search?query=mac+timeline+analysis

    I must be completely dumb, but google.ca and google.com are returning results that don't remotely help me get a grasp of MAC timeline analysis, at least not on the first 5 result pages, and I did look beyond.

    Quote Originally Posted by SaintN
    That's because these forums are full of script kiddies and wannabe security gurus.
    Yes, that's why I wrote that I can see where that paranoia comes from. We could have a harder registration mechanism where the user is bound to use one of his official email accounts and provide at least some evidence of having an industry-recognised certification, or something of that sort. I mean, some way so that the community can help those who are not kiddies but aim to be pros at some point in life.

  8. #8 Just burned his ISO (Join Date May 2007, Posts 5)

    Pop into IRC magnet, you might get lucky and someone that knows what they're doing may help you out

    This is the danger, well, one of the dangers of using generic shared accounts. You have no user accountability.

    All you are now going to be able to prove is that user "Administrator" created the xls file on the PC at time Y and then created the PDF at time Z.

    If THAT is useful for you, then yes, Backtrack can help.

    The following document tells you how to use the tools in the sleuthkit (Included with BT2) to create a timeline:
    sleuthkit.org/sleuthkit/docs/ref_timeline.html

    A breakdown of your questions:
    1. If the file was copied to the general access PC from another computer on the LAN, how do I determine the IP address of the computer that initiated the file transfer?
    A: Find out what time the file was created by creating a MAC timeline. Then correlate this information with your host based firewall logs. Look for netbios activity in the firewall log.

    If you don't have host based firewall logs on that computer, don't worry, most people don't. This means you will be unable to determine if the file was copied onto this general access PC from the network.

    I believe, that most likely, this file was put on this general access PC via a USB thumb drive.

    2. If the secretary did not convert this Excel file to doc, then someone first cracked the Excel password and then converted it to PDF. Why would someone convert to PDF if the information had already been obtained via the cracked Excel file? Seems like the secretary herself forgot.
    A: Analyse the MAC timeline and determine if the excel spreadsheet was even on the general access PC in the first place. Check out what time the PDF file was created. It might have been out of office hours for example, which may mean the secretary did not create it?

    Can BT2 help? Yes, but Helix is better for this as it's designed for system forensics. It also has Windows tools such as WFT (Windows Forensics Toolchest) which will help you out.
    e-fense.com/helix/

    Get rid of your shared/generic user accounts. Or make users enter their names in a log book when they use this computer.

    If you ever have a serious IT Incident and don't have any qualified handlers, then please hire someone that knows what they are doing and not ask for help on forums/irc etc.

    Anyway, if you have further questions, I'm in the IRC channel. (I don't check this forum regularly.)
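An added illustration of the correlation SaintN describes in posts #6 and #8 (example code written for this edit, not from the thread, BackTrack or The Sleuth Kit): it parses a constructed `mactime -d` style CSV timeline, pulls out the creation ('b') timestamp of the PDF, matches that instant against constructed workstation logon sessions (what logon/logoff events or a sign-in book would give you), and flags creation outside office hours as post #8 suggests. The CSV column layout, paths, account names, times and office hours are all assumptions.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Constructed sample in the layout of `mactime -d` output (assumption: header
# Date,Size,Type,Mode,UID,GID,Meta,File Name; Type flags m/a/c/b, '.' when unset).
TIMELINE_CSV = """Date,Size,Type,Mode,UID,GID,Meta,File Name
Mon Jun 04 2007 21:47:03,48128,...b,r/rrwxrwxrwx,0,0,5123,/Documents and Settings/Administrator/Desktop/appraisals.pdf
Mon Jun 04 2007 21:47:05,48128,m.c.,r/rrwxrwxrwx,0,0,5123,/Documents and Settings/Administrator/Desktop/appraisals.pdf
Tue Jun 05 2007 08:30:12,48128,.a..,r/rrwxrwxrwx,0,0,5123,/Documents and Settings/Administrator/Desktop/appraisals.pdf
"""

# Constructed logon sessions for the general access PC: (account, logon, logoff),
# as you would reconstruct them from workstation logon/logoff events or a log book.
LOGON_SESSIONS = [
    ("Administrator", "2007-06-04 08:55:00", "2007-06-04 18:05:00"),
    ("Administrator", "2007-06-04 21:30:00", "2007-06-04 22:10:00"),
    ("jsmith", "2007-06-05 08:20:00", "2007-06-05 12:00:00"),
]

OFFICE_HOURS = (time(8, 0), time(18, 0))  # assumed working day, per post #8's hint

def parse_mactime(text):
    """Parse mactime -d CSV into (timestamp, flags, path) tuples."""
    return [(datetime.strptime(r["Date"], "%a %b %d %Y %H:%M:%S"), r["Type"], r["File Name"])
            for r in csv.DictReader(StringIO(text))]

def creation_time(rows, path):
    """Earliest 'b' (born/created) timestamp for path, or None if none was recorded."""
    hits = [when for when, flags, name in rows if name == path and "b" in flags]
    return min(hits) if hits else None

def sessions_active_at(sessions, when):
    """Accounts whose logon session covers the instant `when`."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [acct for acct, on, off in sessions
            if datetime.strptime(on, fmt) <= when <= datetime.strptime(off, fmt)]

def investigate(path):
    """Tie the file's creation time to a logged-on account and to office hours."""
    created = creation_time(parse_mactime(TIMELINE_CSV), path)
    if created is None:  # no creation time in the image: nothing to correlate
        return None
    start, end = OFFICE_HOURS
    return {"created": created,
            "accounts": sessions_active_at(LOGON_SESSIONS, created),
            "after_hours": not (start <= created.time() <= end)}
```

On a real image the timeline text comes from the `fls`/`ils` body file fed to `mactime -d`, as the Sleuth Kit timeline document linked above describes; with a shared Administrator account the result names only the account, which is exactly the accountability gap post #8 points out.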
