
Forensic Cases 💼

A Study in Black

Someone has violated corporate policy by watching porn using the corp PC.

Do you have the authority?

What are the expected results?

Some prohibited internet traffic. Check the network logs of an application-layer firewall 🔥 or content filter (any gateway between the suspect and the network) and filter them out. But the user was smart enough to use a VPN. What then? An application-layer firewall only sees application traffic; it is not aware of TCP, UDP and the like. Read this article about the TCP/IP stack to understand better why application-layer firewalls won’t see anything other than what’s on top.

Case 1. IP Theft Linux Investigation

Nearly all of the company's IP (intellectual property) has been recreated by a competitor. Investigate the development machine.

Potential data exfiltration.

  1. netstat -lpeanut shows that there are two DHCP clients running, one using an unusual port and user.
  2. ps aux | grep 40500 or ps aux | grep dhclient shows the running processes and sometimes the commands used to run them. This suspicious client was run from the /tmp folder.
  3. ls -la /tmp/ to see the file that was launched. But nothing is there: it seems the file was deleted after being launched.

Case 3. Yet Another Linux Investigation

  1. Running netstat, see the weird python script with an established connection to some remote host.
  2. Grab the executable: lsof -p 2082 and ps aux | grep 2082.
  3. Look in the /tmp/ folder for the backdoor executable.
  4. Check /proc/2082 and ls.
  5. Since the executable is a legitimate python, we need to explore further. In /proc/2082, sudo cat cmdline shows the command used to launch it, cat task/2082/children shows the children PIDs, sudo cat status shows general information, cat environ shows … , and cat arp shows the MAC addresses of the machines connected.
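Cases 1 and 3 both turn on the same two signals: a process whose binary was started from a scratch directory such as /tmp, and a binary that was unlinked after launch, which Linux exposes by appending " (deleted)" to the /proc/<pid>/exe symlink. The script below is an added example, not the post's own commands: it walks a /proc tree, reads exe and cmdline for each PID and reports only the processes showing one of those signs. The proc root is a parameter so the logic can be checked against a constructed tree; the list of scratch directories is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): scan a /proc tree for the two
# signs seen in Cases 1 and 3 -- a process whose executable was launched from
# a scratch directory such as /tmp, or whose binary was unlinked after launch
# (the exe symlink then ends in " (deleted)"). The proc root is a parameter so
# a constructed tree can be checked offline; on a live system pass /proc.
flag_suspicious_procs() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # exe is a symlink to the running binary (kernel threads have none)
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        # cmdline is NUL-separated argv; flatten it to one line
        cmdline=$(tr '\0' ' ' 2>/dev/null < "$d/cmdline")
        reason=""
        case "$exe" in
            *" (deleted)")                reason="exe-deleted" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*) reason="exe-in-scratch-dir" ;;  # assumed list
        esac
        if [ -n "$reason" ]; then
            printf '%s|%s|%s|%s\n' "$pid" "$reason" "$exe" "$cmdline"
        fi
    done
    return 0
}
```

Usage on a live box is `flag_suspicious_procs /proc`; each hit is printed as `pid|reason|exe|cmdline`, which gives you the PID to feed into lsof -p and the /proc/<pid> inspection from Case 3. A deleted binary can still be copied out of /proc/<pid>/exe while the process is alive, so run this before anything that might kill it.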

Case 4. Compromised Apache Server

A compromised Apache web server with a Drupal application used by a local team. Some unusual activity was noticed between 05/10 and 08/10/19.

You need to preserve evidence, and some commands (like find) overwrite artifacts such as access times. Disable access-time updates:

  • sudo mount -o remount,noatime /dev/... or:
  • mkdir /mnt/extdrv/rootvol
  • rootvol=/mnt/extdrv/rootvol
  • sudo mount --bind / $rootvol
  • sudo mount -o remount,ro $rootvol
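Before reading anything through the evidence mount, it is worth confirming that the remount actually took effect, since a typo in the mount point or a later bind mount silently leaves you on a read-write, atime-updating view. The check below is an added example, not from the post: it parses a /proc/mounts-style table (path given as the first argument, so a constructed table can be used here; pass /proc/mounts on the live system) and reports whether the named mount point carries each expected option.

```shell
#!/bin/sh
# Added example (not from the post): confirm that an evidence mount carries
# the options you asked for (ro, noatime) before touching it. $1 is a file in
# /proc/mounts format, $2 the mount point, $3 one option name.
mount_has_opt() {
    table="$1"; mnt="$2"; want="$3"
    # Field 2 is the mount point, field 4 the comma-separated options; the
    # last matching line wins, which is what a later bind/remount produces.
    opts=$(awk -v m="$mnt" '$2 == m { print $4 }' "$table" | tail -n 1)
    [ -n "$opts" ] || return 2          # mount point not present at all
    case ",$opts," in
        *",$want,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report every expected option for one mount point; nonzero if any is missing.
check_evidence_mount() {
    table="$1"; mnt="$2"; shift 2
    rc=0
    for opt in "$@"; do
        if mount_has_opt "$table" "$mnt" "$opt"; then
            printf '%s: %s ok\n' "$mnt" "$opt"
        else
            printf '%s: %s MISSING\n' "$mnt" "$opt"; rc=1
        fi
    done
    return $rc
}
```

Typical call after the bind-mount steps above: `check_evidence_mount /proc/mounts "$rootvol" ro noatime`. Mount points containing spaces appear in /proc/mounts with the escape \040; the check compares the raw field, so pass the escaped form for such paths.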

User activity: check /etc/passwd, and inode details with sudo debugfs -R 'stat <1835260>' /dev/....

Checking groups: tail -n 4 /etc/group, or grep -E 'mail|php' /etc/group.

Case 5. Kali Linux Data Exfiltration

IP theft and Kali Linux is a suspect. Has the user exfiltrated pictures or documents?

Look for information in the XDG directories:

  • ~/.cache ($XDG_CACHE_HOME)
  • ~/.local/share ($XDG_DATA_HOME)
  • ~/.config ($XDG_CONFIG_HOME)

Look for information in the non-XDG directories:

  • ~/.<application_name>
  • ~ (user home dir)

Shell history: cat ~/.bash_history, and check the defaults in ~/.bashrc. On Kali also look at:

  • ~/.msf4/history (does not log commands typed into the remote shell)
  • ~/.nc_history (created only if rlwrap was used to run nc)
  • ~/.viminfo: command history, string search history, input-line history, contents of non-empty registers, marks for several files, file marks pointing to locations in files, the last search/substitute pattern for ’n’ or ‘&’, the buffer list, global variables
  • ~/.cache/sessions: written by xfce-session, and only if sessions are saved. On recent Kalis it holds the list of open programs saved from the last session (when the user last logged out). Xfce-session-[hostname]:0 is the current file and .bak is its previous version. Each Client entry is a program or window that is to be reopened. At the end of the file is the number of programs to be run and the time this session was last saved (not opened by the user). XFWM is the xfce window manager.
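The history files above are all line-based, so one scanner serves ~/.bash_history and rlwrap's ~/.nc_history alike. The script below is an added example, not from the post: it pulls out commands that can stage or move data off the box, and handles the bash quirk that, when HISTTIMEFORMAT is set, each command is preceded by a "#<epoch>" line that carries its timestamp. The command list it matches is an assumption for illustration, and the history lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post): triage a line-based shell history file for
# commands that can stage or move data out. Bash writes a "#<epoch>" record
# before each command when HISTTIMEFORMAT is set; the scanner carries that
# timestamp along and prints "?" where the file has none.
scan_history() {
    hist="$1"
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "#"[0-9]*)   # bash timestamp record: remember it for the next command
                ts="${line#\#}"
                continue ;;
        esac
        # Assumed pattern list: transfer tools, archivers and encoders
        case "$line" in
            "scp "*|"rsync "*|"curl "*|"wget "*|"nc "*|"ncat "*|"tar "*|*"| base64"*|*"|base64"*)
                printf '%s|%s\n' "${ts:-?}" "$line" ;;
        esac
        ts=""
    done < "$hist"
    return 0
}

# Number of flagged lines, for a quick "is there anything here" answer.
count_history_hits() {
    scan_history "$1" | wc -l | tr -d ' '
}
```

Run it as `scan_history ~/.bash_history`; each hit is `epoch|command`, and a "?" timestamp tells you the file was written without HISTTIMEFORMAT, so ordering is all you have. Remember that history is only written when the shell exits cleanly, so an absent entry is not evidence that a command was never run.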