Security Incidents mailing list archives
Re: They got me!!!
From: l00t3r <l00t3r () gmail com>
Date: Thu, 6 Apr 2006 13:14:48 -0400
If you're really looking to do a full investigation you need to first get a raw image from the device. You should be able to use dd from just about any bootable Linux disk to do this (Helix can do this from their live Windows environment also, or you can get the raw binaries from a Google search). The command would be dd if=/dev/HDX of=/Where/youwant_thefile.dd. After you get the evidence preserved then you can do some analysis of what's really going on without compromising any valuable data. You can mount this partition after you have a raw image by using mount -t filetype -o ro,loop /Where/youwant_thefile.dd /mnt/wherever. This should allow you to use any of the mentioned tools.

Just to throw out a few more, you can take a look into http://ntsecurity.nu/toolbox/. They have a good range of Windows live tools (make sure you have a raw image first so you don't compromise any data integrity). If you're looking for Linux-side tools: autopsy (Sleuth Kit GUI), pyflag, etc. Most of these tools have been built into Helix, so if you don't have a copy of it yet it might make locating tools easier (they also have a manual that will explain the usage of the tools, a great help for beginners!)

Good luck and have fun!
Ryan

On 4/6/06, Terry Vernon <tvernon24 () comcast net> wrote:
I see something along these lines every day. What has most likely happened is they clicked on something or fell for a trick they shouldn't have. The Trojan was probably the first thing in instead of as you assume after the fact. I would begin by interrogating the kids, lol. What I would do is recover all files deleted in the timeframe you were gone with something like Active UnDelete or whatever your favorite is. Usually a Trojan deletes the installation file so that might give you more insight where it was downloaded. I'd say what probably happened is they were at a site they thought was OK and clicked "Yes" to a fake prompt you see on some of these shady sites and followed instructions hoping to play a game or something. I'd go as far as to say it didn't even matter that your other systems were offline because a Trojan kiddie usually doesn't even think about the existence of a LAN. The biggest headache is going to be recovering any lost accounts due to password theft. All the other stuff can be fixed as easy as a reinstall of Winblows XP.

-----Original Message-----
From: pentesticle () yahoo com [mailto:pentesticle () yahoo com]
Sent: Wednesday, April 05, 2006 11:24 AM
To: incidents () securityfocus com
Subject: They got me!!!

Hey list!!! My kids left their puter on while I was away on vacation and some loverly person managed to gain access to the puter. Unfortunately I was on vacation so had all of my systems off except the one the kids turned back on, so my sniffer was off as well. I don't know much from the forensics side of the house as I mainly perform audits and such, so was hoping I could get some insight as where to start and tools to use to find everything that was done to the computer. My AV software picked up a trojan, but figure it was after the fact and is still resident on the system. It almost appears that they accessed hotmail and picked up files from a mailbox. (sure wish my sniffer would have been on :( )

The local Symantec firewall is being bypassed and most of the services won't start. Term Svcs among others has been set to manual but starts up automatically with Windows (I had it disabled before) and will not allow me to stop the service. I keep the system up to date with patches and AV signatures and use 25 char passwords with fingerprint scanners for the kids to use, so am not certain what they used to exploit, but given time anything can be broken. My fingerprint scanner doesn't show any failed logon attempts while we were gone but the security logs show numerous failed attempts by all of the accounts so assuming they are trying to remotely access the PC. I'm thinking they gained access to the account that was currently logged in as it shows that particular account's privileges were escalated in the log files several times then shortly after it shows the system account making changes to the system. Anyway, if someone could recommend where to start and what tools I should use, I guess this will begin my forensics career and OJT... Much appreciated :)
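The acquire-then-mount procedure Ryan describes above, as an added worked example that is not part of any post in this thread. It images a source with dd, records a SHA-256 of both source and image so later analysis can be checked against the original, and builds the read-only loop-mount command for one partition inside a whole-disk image. Assumptions: dd and either sha256sum or shasum are available; 512-byte sectors; the mount command is only printed, since running it needs root and a loop device. The function names, the hash sidecar file and the log file name are mine, not anything from the original posts.

```shell
#!/bin/sh
# Added example (not from the original mailing-list posts).
# Raw acquisition with dd, hash verification, and a read-only loop mount.
set -u

# Hash a file with whichever SHA-256 tool this host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE DEST
# Copies SOURCE (a block device such as /dev/hdX, or any file) to DEST.
# bs=512 matches the sector size, so conv=sync never pads a good read;
# conv=noerror,sync keeps going past bad sectors and zero-fills them so the
# image stays sector-aligned. dd's own messages go to DEST.log, the hashes of
# source and image to DEST.sha256 (assumed file names). Returns 0 only when
# the image hashes the same as the source.
acquire_image() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.log" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dst")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# mount_cmd IMAGE START_SECTOR MOUNTPOINT [FSTYPE]
# Prints the mount command for the partition starting at START_SECTOR inside
# a whole-disk image. A loop mount takes the image file, not /dev/hdX;
# offset= selects the partition; ro keeps the evidence unchanged; and
# noexec,nodev,nosuid stop anything inside the image from running on the
# analysis box. Run the printed command as root.
mount_cmd() {
    img=$1
    start=$2
    mnt=$3
    fstype=${4:-auto}
    offset=$((start * 512))
    printf 'mount -t %s -o ro,loop,noexec,nodev,nosuid,offset=%s %s %s\n' \
        "$fstype" "$offset" "$img" "$mnt"
}

# Example (hypothetical paths): image the disk, then mount the first
# partition, which on a typical XP-era disk starts at sector 63.
#   acquire_image /dev/hda /evidence/kids-pc.dd
#   mount_cmd /evidence/kids-pc.dd 63 /mnt/evidence ntfs
```

The partition start sector comes from the image's partition table (for example `fdisk -l -u kids-pc.dd` on the image file), and the hash sidecar should be copied somewhere the image cannot overwrite it; rerun `sha256_of` on the image after every analysis session and compare it to the recorded value before trusting any finding.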
Current thread:
- They got me!!! pentesticle (Apr 05)
- Re: They got me!!! Ivan . (Apr 05)
- Re: They got me!!! Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Apr 05)
- Re: They got me!!! Dude VanWinkle (Apr 06)
- RE: They got me!!! lucretias (Apr 06)
- Re: They got me!!! Eliah Kagan (Apr 06)
- Re: They got me!!! Valdis . Kletnieks (Apr 06)
- RE: They got me!!! David Gillett (Apr 06)
- RE: They got me!!! Terry Vernon (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Jamie Riden (Apr 06)
- Re: They got me!!! l00t3r (Apr 06)
- Re: They got me!!! Colin Copley (Apr 06)
- <Possible follow-ups>
- RE: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! john . fellers (Apr 06)
- Re: Re: They got me!!! pentesticle (Apr 06)
- RE: Re: They got me!!! Levenglick, Jeff (Apr 06)
- Re: Re: They got me!!! Eliah Kagan (Apr 06)