John B. Baird
Computer Forensic Portfolio
Open to relocation
johnbairdpc at gmail dot com
Network Forensic Analysis of Server Intrusion
John B. Baird
Case brief 1
[VICTIM COMPANY] appeared to have suffered a network attack from an outside source against one of their servers. An employee mentioned that someone had been logging onto his account without his permission. The IP address [IP 1] was being accessed by an unknown party. The IP address belonged to a Linux computer within the company. A seizure of the computer was performed in a manner consistent with the recommendations found in Electronic Crime Scene Investigation: A Guide for First Responders. Employees of [VICTIM COMPANY] also created logs of recent network activity. The computer was entered into evidence according to agency policy, and I verified that a search warrant was not needed, as [VICTIM COMPANY] had signed written permission to examine the computer. The computer was submitted for examination.
Objective: To determine whether an attack occurred against [VICTIM COMPANY]’s network and/or computers and, if so, what activity took place.
Computer type: Offbrand desktop, serial # N/A.
Operating system: Red Hat Linux
Offense: Knowingly accessing a protected computer with the intent to defraud and thereby obtain anything of value.
Case agent: Investigator John B. Baird
Evidence number: [REDACTED]
Chain of custody: See attached form.
Where examination took place: Remote
Tools used: Ultradock, Guidance Software EnCase, HashTool.
Assessment: Reviewed the case investigator’s request for service. The signed investigation permission form provided the legal authority. The investigator was interested in finding all information pertaining to the unauthorized access and any activity surrounding it. It was determined that the equipment needed was available in the forensic lab.
Imaging: The desktop hard drive was imaged as follows:
1. The desktop computer was examined and photographed.
a. The hardware was examined and documented.
b. The hard drive was removed from the desktop.
c. The hard drive was connected to the Ultradock with the device in “write block” mode so that nothing could be written to the evidence drive.
d. EnCase made a bit-for-bit image of the hard drive.
e. The MD5 hash of the hard drive and the MD5 hash of the image were computed with EnCase and matched, verifying a forensically sound duplicate.
f. The MD5 hashes of the hard drive and of the image were recomputed with HashTool, independently of EnCase, and matched a second time.
g. The desktop and its hard drive were logged and locked in an evidence locker.
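Steps d–g above are the hash verification that makes the image usable as evidence. The following Python is an added illustration, not code from the original report and not how EnCase or HashTool work internally; it assumes a raw (dd-style) image rather than EnCase’s E01 container, and the device path in the trailing comment is a placeholder. It hashes source and image in a single pass with both MD5 and SHA-256, because MD5 alone is collision-weak and recording a second algorithm at acquisition time costs nothing extra: the data is read once and fed to both hashers. The drive contents and the tampered copy are constructed in the block.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte devices


def digest_stream(fobj, algorithms=("md5", "sha256")):
    """Hash a file-like object in one pass, feeding each chunk to every hasher.

    Behind a write blocker the read throughput is the bottleneck, so the
    evidence drive should be read once, not once per algorithm.
    Returns ({algorithm: hexdigest}, bytes_read).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = fobj.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, total


def verify_image(source, image, algorithms=("md5", "sha256")):
    """Compare a source device/file against its image.

    Returns (ok, report). ok is True only when the byte counts match and every
    algorithm agrees; a length mismatch (short read, truncated image) is
    reported even before the digests are compared.
    """
    src_hashes, src_len = digest_stream(source, algorithms)
    img_hashes, img_len = digest_stream(image, algorithms)
    report = {"bytes_source": src_len, "bytes_image": img_len}
    ok = src_len == img_len
    for name in algorithms:
        match = src_hashes[name] == img_hashes[name]
        report[name] = {"source": src_hashes[name], "image": img_hashes[name], "match": match}
        ok = ok and match
    return ok, report


def verify_bytes(source_bytes, image_bytes):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return verify_image(io.BytesIO(source_bytes), io.BytesIO(image_bytes))


# Constructed sample data: a 4 MiB "drive" and a copy with a single bit flipped.
# These stand in for the evidence drive and its image; they are not case data.
DRIVE_IMAGE = bytes(range(256)) * 16384
_tampered = bytearray(DRIVE_IMAGE)
_tampered[len(_tampered) // 2] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    for label, image in (("good copy", DRIVE_IMAGE), ("bit-flipped copy", TAMPERED_IMAGE)):
        ok, report = verify_bytes(DRIVE_IMAGE, image)
        print(f"{label}: {'VERIFIED' if ok else 'MISMATCH'} ({report['bytes_image']} bytes)")
        for algo in ("md5", "sha256"):
            print(f"  {algo}: source={report[algo]['source']} image={report[algo]['image']}")
    # Against real evidence (hypothetical paths; needs read access to the device):
    # with open("/dev/sdX", "rb") as dev, open("evidence.dd", "rb") as img:
    #     ok, report = verify_image(dev, img)
```

Record both digests and the byte count in the examination notes, and compare bytes_source with the capacity the write blocker reports for the device: a read that stopped early on a bad sector still yields matching hashes for source and image, because both were read the same way, so the hash match alone does not prove the whole drive was captured.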
Examination: The desktop’s directory and file structure, including file dates and times, was recorded. The live response data and the network activity logs were then examined. It was quickly confirmed that an attacker had accessed the computer. The attacker got in by exploiting the printer service (lpd) listening on TCP port 515. The attacker’s IP address was [IP 2]. The attacker opened a backdoor on TCP port 2323, which was used as a “datapipe” to redirect traffic to TCP port 23 (Telnet). The attacker downloaded a file, “files.tar.gz”, from the victim computer, which contained files belonging to [VICTIM COMPANY], and downloaded and uploaded various other files. The attacker added a user account for himself, “[REDACTED]”, then ran a brute-force attack on the password file in order to gain access to the legitimate user account “[REDACTED]”. Finally, the attacker shut down the Telnet and FTP services before the company discovered the attack and cut off access to the network and computers.
REPORT OF MEDIA ANALYSIS
Forensic Media Analysis Report
SUBJECT: JOHN DOE NETWORK INTRUDER
Case Number: [REDACTED]
1. Status: Closed.
2. Summary of Findings:
* Network and digital forensic evidence showing an attacker breached [VICTIM COMPANY]’s network, compromised user accounts and transferred files from victim computer.
3. Items Analyzed:
TAG NUMBER    ITEM DESCRIPTION
[REDACTED]    Offbrand Desktop, Serial # N/A
4. Details of Findings:
* The findings in this paragraph relate to the Maxtor hard drive, Serial # [REDACTED], recovered from tag number [REDACTED], Offbrand Desktop, Serial # N/A.
1. The examined hard drive was found to contain a Red Hat Linux operating system.
2. portscan.log contains port scan attempts from the attacker’s IP address [IP 2] against the victim machine’s IP address [IP 1].
3. Exploit detected: “EXPLOIT redhat 7.0 lprd overflow” (CVE-2000-0917, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0917). The attacker exploited the printer service (lpd) on TCP port 515 of [IP 1]. Despite the rule name, CVE-2000-0917 is a format-string flaw in LPRng’s syslog handling rather than a buffer overflow.
4. Attack detected: “ATTACK-RESPONSES id check returned root” (http://www.snort.org/search/sid/498?r=1). Snort’s rule documentation reads: “This event is generated by the use of a UNIX ‘id’ command. This may be indicative of post-compromise behavior where the attacker is checking for super user privileges gained by a successful exploit against a vulnerable system.” This signature matches the victim’s reply (the uid=0(root) string), so by this point the attacker already had a root shell.
5. Failed login attempts detected: hundreds of “TELNET login incorrect” alerts, the attacker guessing passwords to log into the system.
6. The attacker performs repeated (brute-force) exploit attempts against TCP port 515, eventually succeeds and gains access.
7. The attacker creates the hidden directory “.kde” (a dot-prefixed name that a plain ls omits and that blends in with the KDE desktop’s configuration directory).
8. The attacker attempts to download all files beginning with the word “wark”.
9. The attacker creates a user account “[REDACTED]” with root access, using the password “[REDACTED]”.
10. The attacker creates a “.rhosts” file in the root directory; .rhosts grants rlogin/rsh access from the hosts it lists without a password.
11. The attacker performs a brute-force attack against the password file and gains access to the user account “[REDACTED]”.
12. The attacker downloads “files.tar.gz” from the victim computer.
13. The attacker uploads attack tools: “brutus.pl” (by its name and the brute-force activity in items 5 and 11, a Perl brute-force script), “Net-Telnet-3.03.tar.gz” (the Perl Net::Telnet module, used to drive Telnet sessions from Perl) and “allwords.txt” (a wordlist).
14. The attacker downloads the files “rate20.tar” and “pete-1.6.tar.gz”.
15. The attacker remotely executes the program “datapipe.c” (a small TCP port redirector) fetched from the attacker’s own FTP site; this is the TCP 2323 to TCP 23 redirector noted in the examination.
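Findings 2 to 6 above are Snort alerts read one at a time. The following Python is an added example, not the investigator’s tooling and not part of Snort, that parses Snort “fast” alert lines, attributes each alert to the attacker even when the signature fires on the victim’s reply (as sids 498 and 718 do), and tallies the attack stages seen per remote host. The alert lines are constructed in the block, with RFC 5737 documentation addresses standing in for the redacted [IP 1] and [IP 2]; the stage rules, the sid-to-stage mapping and the brute-force threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert format, one alert per line, e.g.
# 11/02-09:14:31.120443  [**] [1:301:4] EXPLOIT redhat 7.0 lprd overflow [**] [Classification: ...] [Priority: 1] {TCP} 203.0.113.5:1033 -> 192.0.2.10:515
# Ports are optional because preprocessor alerts (gid 122 portscan) omit them.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Kill-chain stages, in order, keyed by the Snort signature ids cited in the
# report (301 lprd overflow, 498 id check returned root, 718 TELNET login
# incorrect). Assumed mapping for illustration; tune to the deployed rule set.
STAGES = (
    ("recon",       lambda a: "portscan" in a["msg"].lower()),
    ("exploit",     lambda a: a["sid"] == 301 or "lprd overflow" in a["msg"]),
    ("root_check",  lambda a: a["sid"] == 498),
    ("brute_force", lambda a: a["sid"] == 718),
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            alerts.append(a)
    return alerts


def summarize(alerts, victim, brute_force_threshold=20):
    """Attribute alerts to the remote peer of `victim` and list the stages each peer reached.

    ATTACK-RESPONSES (498) and login-failure (718) signatures match the victim's
    reply packets, so their src is the victim; grouping naively by src would
    split one intrusion across two "actors". A handful of failed logins is
    noise, hence the threshold before brute_force counts as a stage.
    """
    peers = defaultdict(lambda: {"alerts": 0, "counts": defaultdict(int), "first": None, "last": None})
    for a in alerts:  # alert files are written in time order
        peer = a["dst"] if a["src"] == victim else a["src"]
        rec = peers[peer]
        rec["alerts"] += 1
        rec["first"] = rec["first"] or a["ts"]
        rec["last"] = a["ts"]
        for stage, rule in STAGES:
            if rule(a):
                rec["counts"][stage] += 1
    result = {}
    for peer, rec in peers.items():
        counts = rec["counts"]
        stages = [
            s for s, _ in STAGES
            if counts.get(s, 0) >= (brute_force_threshold if s == "brute_force" else 1)
        ]
        if {"exploit", "root_check"} <= set(stages):
            verdict = "compromise"   # exploit attempt AND root-shell response both seen
        elif stages:
            verdict = "suspicious"
        else:
            verdict = "benign"
        result[peer] = {
            "alerts": rec["alerts"], "counts": dict(counts), "stages": stages,
            "first": rec["first"], "last": rec["last"], "verdict": verdict,
        }
    return result


VICTIM = "192.0.2.10"     # stands in for [IP 1]
ATTACKER = "203.0.113.5"  # stands in for [IP 2]

# Constructed alert lines (not the case logs). The real case had hundreds of
# failed Telnet logins; 30 are generated here, plus one unrelated third-party alert.
_lines = [
    "11/02-09:12:04.000000  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.5 -> 192.0.2.10",
    "11/02-09:14:31.120443  [**] [1:301:4] EXPLOIT redhat 7.0 lprd overflow [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "203.0.113.5:1033 -> 192.0.2.10:515",
    "11/02-09:14:40.552311  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:515 -> 203.0.113.5:1033",
]
_lines += [
    "11/02-09:2%d:%02d.000000  [**] [1:718:7] TELNET login incorrect [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} "
    "192.0.2.10:23 -> 203.0.113.5:%d" % (i // 10, i % 10, 1100 + i)
    for i in range(30)
]
_lines.append(
    "11/02-10:02:17.000000  [**] [1:1421:11] SNMP AgentX/tcp request [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "198.51.100.7:4100 -> 192.0.2.10:705"
)
SAMPLE_ALERTS = "\n".join(_lines) + "\n"


if __name__ == "__main__":
    for peer, rec in summarize(parse_alerts(SAMPLE_ALERTS), VICTIM).items():
        print(f"{peer}: {rec['verdict']} ({rec['alerts']} alerts, {rec['first']} .. {rec['last']})")
        print("   stages:", " -> ".join(rec["stages"]) or "none", "| counts:", rec["counts"])
```

A sid 301 alert on its own shows an attempt, not a success; it is the sid 498 response, matching the uid=0(root) string coming back from the victim, that turns the attempt into evidence of a root shell, which is why the verdict rule requires both. The same attribution rule is what keeps the Telnet failures (server to attacker direction) on the attacker’s timeline instead of the victim’s.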
5. Conclusion: The attacker gained access to the system because the operating system was missing numerous security patches. The attacker exploited the printer service to gain remote access to the system over the internet, then obtained full access to the victim machine and network by first creating the user “lpd” and then cracking the password of the legitimate user “[REDACTED]”. The attacker downloaded sensitive files from [VICTIM COMPANY] and uploaded tools to attack other machines on the network for future use. The attacker then shut down the Telnet and FTP network services. Network security can be restored by removing the user accounts and services created by the attacker, removing the attacker’s files from the victim machine (listed in the hard copy report), installing all security patches on every computer connected to the network, and password-protecting the Linux boot loader. Because the attacker had root on this host, rebuilding it from known-good installation media is safer than cleaning it in place: a root-level intruder can leave backdoors that file-by-file removal will miss.
This appears to constitute violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. This case meets the following CFAA criteria:
Intentionally accessing a computer without authorization to obtain:
Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer;
Information from any department or agency of the United States; or
Information from any protected computer.
Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value.
Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:
* Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
* The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
* Physical injury to any person.
* A threat to public health or safety.
* Damage affecting a government computer system
* Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.
* Making changes in any information on the computer systems of the USA with the intention of misleading or hiding certain information.
* IP address: the Internet Protocol address of a computer, which functions like a phone number on the internet.
* Imaging: making an exact, bit-for-bit copy of a drive so that the original need not be handled again.
* MD5: a hash function whose output serves as a fingerprint of digital media; matching MD5 values show that a copy is a forensically sound duplicate. MD5 is no longer collision-resistant, so current practice records a second hash such as SHA-256 alongside it.
* Telnet and FTP: network services for remote login and file transfer, respectively; both send passwords in clear text.
* tar.gz: an archive of files (tar) compressed with gzip.
* Exploit: code or a technique that takes advantage of a vulnerability (a flaw in software) in order to compromise security.