
Daily Blog #204: Sunday Funday 1/12/14 Winner!

Hello Reader,
I thought this week's challenge would have gotten more of you to write in with your best stories. Instead I received just one submission that was willing to tell a story, and in return he just won a $1495 ticket to the SANS DFIR Summit. Take this as a lesson: if your answer or response isn't in your mind the greatest thing ever ... it may still be enough to win! I'll take care of filling in the details you missed in later blog entries.

The Challenge:
Write up your most challenging DFIR case, how you overcame the obstacles, and the outcome. I'll take the best cases, in our opinion, and open it up for voting to all of you to pick the winner. Any kind of DFIR case is valid here; there are no boundaries on what makes something a good case. We will be judging your case with the following criteria to determine which cases to vote for:
1. Technical Challenges faced
2. Novel solutions
3. Result of your work
4. Interesting scenario
The Winning Answer:

This was one of my first DFIR experiences, so I learned a lot from it, and it gave me my first taste of and desire to get into IR and forensics.

I was working as an NT Server administrator for a dot com back in the late 90s/00s. The security team for the company was contacted by a three-letter agency: our IP addresses had been seen as part of another case they were working on, which led them to believe we had a compromised host. The IP address given to us was of course the one and only email server for the entire company. We had a dedicated security team, but they were all Linux guys and we were using NT4 and Exchange 5.5 for email. Being the lone Windows admin meant the investigation fell upon me. I was told to make sure the investigation was in-depth, as if it wasn't there was a chance the three-letter government agency might come in and seize the equipment.

First the technical challenges faced:
This was a long time ago and DFIR is not what it is today, so the tools, documentation, etc. were not what they are today; one of the first challenges was having to make it up as I went along. Since it was a mail/web server it obviously had several paths of entry. First I logged directly into the server from the console and began looking at running processes and other active sessions on the system. I ended up finding Serv-U FTP had been installed and had a user list with accounts that were all using leetspeak. Luckily the ports being used for Serv-U FTP were blocked at the firewall, so it had only been installed but wasn't able to be accessed. As part of the investigation I also ran into a folder that was flagged as hidden, and no matter what I did to change permissions I could not access it.

Novel solution:
After trying several methods to access it I dug out an old copy of a DOS-based file/folder viewer. It somehow was able to ignore permissions, flags, etc. and allowed access to it. Within the folder I was able to find a clear-text log file: msgina.dll had been replaced, and any account that had logged directly into the console had been logged with its password in clear text! This was both good and bad, as it was the first time I had seen my own account and the domain admin account in a clear-text keylog file. This of course led to more efforts, and we had to force password changes on every account, service, etc.

Results of the work:
Since the server was obviously compromised, the end result was the decision to wipe and rebuild the server. Of course this was all decided on a Friday afternoon, and it was now my task to figure out how to wipe the OS, rebuild it, retain all the MS Exchange databases, and have it all back clean and working by Monday morning to minimize the impact to the company. Given this scenario I made my first and only call to Microsoft to get exact, detailed directions from them on the process of rebuilding an Exchange server while retaining all the mail databases. So, just to ensure I could do this, I took the process and verified I could successfully complete it using other hardware before I completely wiped the lone corporate mail server. After a very late night on Friday I had success, and came back in the next day and had to repeat the process on the real server. In the end the agency didn't come take away our mail server, I got to learn more about IR and Exchange, and I ended up finding an interest in the security side of IT. So to whoever it was all those many years ago, thanks for helping me find the desire and interest in having a career in DFIR.

TL;DR: Bad guys own company mail server, server admin thrown into DFIR and decides to make a career of it.
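A defender-side check for the msgina.dll replacement in the winner's story, added here as an example and not part of the original post or the submitted story: on NT4 through Server 2003, Winlogon loads the GINA named by the GinaDLL value under the Winlogon key (msgina.dll when the value is absent), so an inspection compares that value, the on-disk DLL's hash and any stray copies against a known-good baseline. The baseline hash is a placeholder you would take from installation media or a clean build at the same service pack level.

```powershell
# Added example: look for GINA replacement indicators on an NT4/2000/XP/2003-era host.
# $BaselineSha256 is a PLACEHOLDER; take the real value from known-clean media.
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32       = Join-Path $env:SystemRoot 'system32'
$GinaPath       = Join-Path $System32 'msgina.dll'
$BaselineSha256 = '<sha256-of-known-good-msgina.dll>'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so the check also runs on older PowerShell without Get-FileHash
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$findings = @()

# 1. Winlogon should point at the default GINA (or carry no GinaDLL value at all).
$gina = (Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue).GinaDLL
if ($gina -and ($gina -notmatch '^(.*\\)?msgina\.dll$')) {
    $findings += "GinaDLL value is '$gina' (expected msgina.dll or no value)"
}

# 2. The on-disk msgina.dll should match the known-good hash for this build.
if (Test-Path $GinaPath) {
    $actual = Get-Sha256Hex $GinaPath
    if ($actual -ne $BaselineSha256) {
        $findings += "msgina.dll hash $actual differs from baseline $BaselineSha256"
    }
} else {
    $findings += "msgina.dll not found at $GinaPath"
}

# 3. A second msgina.dll under the system directory (the original, moved aside by a
#    replacement that proxies to it) is worth a look.
$copies = Get-ChildItem -Path $System32 -Recurse -Filter 'msgina.dll' -ErrorAction SilentlyContinue
foreach ($copy in $copies) {
    if ($copy.FullName -ne $GinaPath) { $findings += "Extra msgina.dll copy at $($copy.FullName)" }
}

if ($findings.Count -eq 0) { 'No GINA replacement indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Vista and later replaced GINA with credential providers, so the GinaDLL value is meaningless there; the same baseline-and-compare idea applies to the DLLs registered under the Credential Providers key instead.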