FORENSIC REPORT # 5758 AAA Computer Forensics: Business Use Only

Computer Forensic

Investigative Analysis Report

Incident Report Number: 2013-11-5,II.V1.0
Report Name: Investigation of Incident # 5458
Location Category: Internal, Internet
Reported Incident Date: 11/5/2013

AAA Computer Forensics: Business Use Only 1 of 12


Table of Contents

Executive Summary
1.0 Initial Incident Discovery
    1.1 Summary
    1.2 Action Items
    1.3 Identified Computer System(s)
    1.4 Security Mechanisms
    1.5 Initial Forensic Discovery
    1.6 Initial Corrective Action
    1.7 Participants
2.0 Forensic Process
    2.1 Tools
    2.2 Investigation Structure
    2.3 Procedure
3.0 Results and Findings
    3.1 Summary
    3.2 Findings
    3.3 Corrective Actions/Recommendations


Executive Summary

AAA Computer Forensics was approached by Corporation Techs to perform a forensic investigation on a part of its system. It is known that Corporation Techs has been struggling to maintain its customer base due to fierce competition with rival firm NetTech24x7. The reason for this investigation is a potential incident that was reported to the owner by a disgruntled former employee of NetTech24x7. The tip was that sensitive Corporate Tech documents such as internal strategy memos, customer lists, and other confidential information were being passed along to a Sales Manager at NetTech24x7.

Based on the analysis that we were able to complete, and on the evidence we have compiled, we have been able to come to a conclusion and final report. In regards to the claim that sensitive files are being uploaded to the FTP site on the web server and downloaded by an external competitor, the evidence was inconclusive. We looked at the FTP transmissions as well as the contents of the documents contained in them. There is no evidence to support the former NetTech24x7 employee’s claim. However, we did find evidence of potential fraudulent activity happening inside Corporate Tech’s internal network.


1.0 Initial Incident Discovery

1.1 Summary

AAA Computer Forensics was approached by Corporation Techs to perform a forensic investigation on a part of its system. It is known that Corporation Techs has been struggling to maintain its customer base due to fierce competition with rival firm NetTech24x7. The reason for this investigation is a potential incident that was reported to the owner by a disgruntled former employee of NetTech24x7. The tip was that sensitive Corporate Tech documents such as internal strategy memos, customer lists, and other confidential information were being passed along to a Sales Manager at NetTech24x7.

The claim is that the files were downloaded from the Corporate Tech website; the former employee, however, did not know which specific folder was accessed to download the files. The concern is that sensitive internal documents from Corporate Tech’s network might be accessible to their competitor. Additionally, it needs to be considered that, being a former employee of NetTech24x7, the informant could also be providing a false claim.

1.2 Action Items

- A thorough search of the Web site – Web Server Administrator
- Capture a segment of network data – Security Analyst
- Produce an image of the system in question – Forensic Technician
- Analyze the captured packet trace via Wireshark and NetWitness – Security Analyst
- Complete investigation of the system image using P2 Commander – Security Analyst
- Detailed list of findings – Forensic Case Manager
- Case Forensic Analysis Report – Forensic Case Manager

1.3 Description of system(s) in question

The primary system under investigation is the web server, since this is where the files that are displayed on the website are accessed. The web server contains all the files that are served by the site and is where they are managed. This system is located in a DMZ on the network for security purposes. The server is connected to three workstations that are used to update content on the web site. These workstations are the only internal access points to the web server.

1.4 Security Mechanisms

In order to help direct the search and locate the access point of the incident, AAA Computer Forensics audited the current security measures in place to prevent unauthorized access to the web server or the workstations used to update the site content. After investigation we did identify that there is a firewall in place as well as an intrusion detection system. Additionally, the web server is located in a demilitarized zone on the network, separate from Corporate Tech’s internal network.

In regards to the workstations used to update the site content on the web server, the workstations are in a restricted area and there are group policies in place to restrict access to the machines.

1.5 Initial Forensic Discovery

During the initial discovery phase, we detected no unusual files on the Corporate Tech web site. We also detected some activity between a workstation used to modify the web site and the FTP site where new files for the site and server are uploaded.

1.6 Initial Corrective Action

In order to temporarily avoid risk and to perform the analysis, the following corrective actions will be put into effect:

Restricted access to Web Server: In order to prevent additional access to the web server and its resources, we have locked down the three workstations used to update web site content, and have prevented access to the web server as well as the FTP site.

Security Logs: Logs will be kept on all access to the Web Server, as well as audit logs for failed and successful login attempts.

1.7 Participants

Name               Extension   Title
Kasie Thrasher     X 2841      Forensic Case Manager
Kamiren Hawkins    X 2843      Security Analyst
Antonio Miller     X 4956      Forensic Technician
Andrew Owens       X 4865      Web Server Administrator


2.0 Forensic Process

The following are the steps used to perform the investigation. This section describes the actions taken to complete the investigation.

2.1 Tools

The tools that were used in this investigation to complete this analysis were as follows:

Wireshark:

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto standard across many industries and educational institutions. Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.

NetWitness Investigator:

NetWitness Investigator is a sophisticated analysis program that provides real-time network forensics and automated threat analysis solutions.

P2 Paraben Commander:

Paraben's P2 Commander is a comprehensive digital forensic tool designed to handle more data, more efficiently, while keeping to Paraben's P2 Paradigm of specialized focus on the entire forensic exam process. P2 Commander utilizes Paraben's advanced plug-in architecture to create specialized engines that focus on such things as E-mail, Network E-mail, Chat Logs, File Sorting, Internet file analysis and more, all while increasing the amount of data that can be processed and utilizing resources through multi-threading and task scheduling.

2.2 Investigation Structure

This investigation was broken into three parts in order to maintain structure and organization.

1. Initial Discovery: In this phase we used Wireshark and NetWitness Investigator to analyze the packet trace (.pcap) file and examine the traffic between a workstation and the web server, since the issue is that sensitive files are being accessed from the web site on the company’s web server via files uploaded to the FTP site.

2. Image Analysis: Based on the information gathered from the packet trace file, there was communication between one of the workstations and the server. Our team created an image of the workstation hard drive for further investigation.

3. Case Report: After thorough investigation and review of the data, we were able to draw a conclusion on this case and generate a report.


2.3 Procedures

1. Wireshark analysis of FTPcapture.pcap file:

The FTP capture was imported into Wireshark and the transmissions were sorted by protocol in order to identify the FTP requests and responses. The contents of those requests and responses were documented, as well as the source and destination IP addresses.

2. NetWitness Investigator analysis of FTPcapture.pcap file:

Once we completed the Wireshark portion of the investigation, the FTP capture file was imported into NetWitness. We were able to look closer at the specific transmissions and document the specific sources and destinations. We confirmed the users that were performing the requests, and the questionable files that were involved in the FTP transmissions.

3. P2 Paraben Commander investigation of workstation image:

The FTP capture resulted in the identification of a workstation that was documented as having transmitted requests to the FTP site on the web server. Once an image file was created of the workstation in question, we created a new case in P2 Commander. The files were sorted to maintain organization. The Forensic Technician investigated the following types of files:

A. Documents – [to investigate documents found in the packet trace file]
B. Email – [to locate possible communication to external locations]
C. Chats – [to document potential communication about the case]
D. Spreadsheets – [to search for unauthorized stored customer data]
E. Graphics – [to detect images that could be documenting customer data]
F. Databases – [to detect possible unauthorized storage of customer data]
G. Executable – [to search for programs that could transmit sensitive files]
H. Compressed – [to search for compressed files containing sensitive information]

Once the analysis of the image was complete, the AAA forensics case manager was able to prepare the evidence for the case report.

3.0 Results and Findings

3.1 Summary

In our investigation, the AAA Computer Forensic team performed a forensic analysis of the web server and workstations at Corporate Tech. Our focus was primarily on an FTP packet trace captured between the FTP site on the web server and one of the workstations used to update the web site content. We used several forensic tools to perform the analysis of the FTPcapture.pcap file and a forensic image of the workstation that sent packets to the web server.

Based on the analysis that we were able to complete, and on the evidence we have compiled, we have been able to come to a conclusion and final report. In regards to the claim that sensitive files are being uploaded to the FTP site on the web server and downloaded by an external competitor, the evidence was inconclusive. We looked at the FTP transmissions as well as the contents of the documents contained in them. There is no evidence to support the former NetTech24x7 employee’s claim. However, we did find evidence of potential fraudulent activity happening inside Corporate Tech’s internal network.

3.2 Findings

In figure 1, an anonymous user requests access and provides an incorrect login.

Figure 1

In figure 2, the user “badguy” requests access and uses the password “you will never guess this!!”.

Figure 2

In figures 3 - 6 of the FTP transmission, we see the following activity:

- The system (SYST) command is used to gather information about the web server
- The user badguy makes a request to print the working directory (a pathname is returned)
- Transfer mode is switched to Binary
- The FTP server mode is switched to passive (it should be noted that in this mode the control connection still uses port 21, but the server opens the data connection on a random port)
- The user requests the size of a file
- The user requests the time a file was last modified (these commands fail and a TCP reset is captured in the transmission)
- The user changes the working directory
- The user lists the files in the working directory
- An ASCII data connection is made to a source labeled “essbase”
- Two files are transferred: badnotes1.txt and badnotes2.txt
- Both transfers completed.

Figure 3

Figure 4


Figure 5

Figure 6
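The FTP control-channel sequence walked through in figures 1-6 (and the request/response documentation called for in procedure step 1) can be reconstructed mechanically once the control channel has been exported as command and reply lines. The following is an added example, not part of the AAA report or of the tools it names; the session lines, the server address and the passive-mode port are constructed to mirror the sequence the report describes, and the export step that would produce such lines from FTPcapture.pcap is assumed.

```python
import re

# Constructed control-channel trace (not from the report's pcap): 'C' = client->server, 'S' = server->client.
# The command sequence mirrors the one described in figures 1-6; the host address and ports are made up.
SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"), ("S", "331 Password required"),
    ("C", "PASS guest@"), ("S", "530 Login incorrect"),
    ("C", "USER badguy"), ("S", "331 Password required"),
    ("C", "PASS you will never guess this!!"), ("S", "230 User badguy logged in"),
    ("C", "SYST"), ("S", "215 UNIX Type: L8"),
    ("C", "PWD"), ("S", '257 "/home/badguy" is current directory'),
    ("C", "TYPE I"), ("S", "200 Type set to I"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,168,1,10,195,80)"),
    ("C", "SIZE badnotes1.txt"), ("S", "550 badnotes1.txt: not a plain file"),
    ("C", "MDTM badnotes1.txt"), ("S", "550 badnotes1.txt: no such file"),
    ("C", "CWD essbase"), ("S", "250 CWD command successful"),
    ("C", "LIST"), ("S", "150 Opening ASCII mode data connection"), ("S", "226 Transfer complete"),
    ("C", "RETR badnotes1.txt"), ("S", "150 Opening data connection"), ("S", "226 Transfer complete"),
    ("C", "RETR badnotes2.txt"), ("S", "150 Opening data connection"), ("S", "226 Transfer complete"),
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode a 227 reply into (ip, port); RFC 959 encodes the data port as p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def summarize(session):
    """Pair each client command with its final reply; a 1xx reply leaves the command pending."""
    s = {"user": None, "failed_logins": [], "passive": None, "failed": [], "transfers": []}
    pending = last_user = None
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            pending = (verb.upper(), arg)
            continue
        code = int(line[:3])
        if pending is None or code < 200:  # server banner, or a preliminary 1xx reply
            continue
        verb, arg = pending
        if verb == "USER":
            last_user = arg               # remembered until the PASS reply decides the outcome
        elif verb == "PASS" and code == 230:
            s["user"] = last_user         # successful login
        elif verb == "PASS" and code >= 400:
            s["failed_logins"].append(last_user)
        elif verb == "PASV" and code == 227:
            s["passive"] = pasv_endpoint(line)   # where the data connection will go
        elif verb == "RETR" and code == 226:
            s["transfers"].append(arg)    # download completed
        elif code >= 400:
            s["failed"].append(f"{verb} {arg}".strip())   # e.g. the failed SIZE/MDTM
        pending = None
    return s
```

Decoding the 227 reply is what tells an analyst which ephemeral port to look for when the data channel (the LIST output and the two RETR payloads) is carried in a separate TCP stream from the port 21 control channel.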


Once we completed the analysis of the FTP transmission, the image was reviewed and we found the following in the emails folder:

Email 1

From ???@??? Thu Sep 02 22:59:29 2010
Received: (qmail 3602 invoked by uid 1004); 3 Sep 2010 02:54:55 -0000
Date: 3 Sep 2010 02:54:55 -0000
Message-ID: <[email protected]>
To: [email protected]
From: Gawab Team <[email protected]>
Mime-Version: 1.0
Subject: Welcome to Gawab.com
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Congratulations! You are now registered to gawab webmail, a reliable, user friendly and intuitive e-mail solutions with many useful features.

Import contacts
You can import your contacts from Microsoft Office Outlook or Outlook Express to get started sending e-mail to the people. Simply go to the Address book page of Gawab, and then select Import Contacts.

Choose your Webmail Look
You can make your webmail looks the way you like by choosing from many different and unique themes. From the Mail page, click Options. The Options page offers you many themes for your Gawab Webmail.

Enjoy a lot of features
Gawab has so many features and services to offer you, but we don't want to overload you with too much of a good thing - see more of what Gawab Webmail can offer you.

So take the first step and add friends, then discover all you can do with Gawab.

Sincerely,
Gawab Team

This email is evidence that an employee is using an external webmail service, a program designed to bypass company email.


Email 2

From ???@??? Thu Sep 02 23:02:44 2010
To: [email protected]
From: badguy11111 <[email protected]>
Subject:
Cc:
Bcc:
X-Attachments: C:\Documents and Settings\Administrator\Desktop\badnotes1.txt;
In-Reply-To:
References:
Message-Id: <[email protected]>

Here is the conversation if had with the suspect. He has no idea I'm undercover.
I will forward you more information as i have it.
Ron

From ???@??? Thu Sep 02 23:04:11 2010
To: [email protected]
From: badguy11111 <[email protected]>
Subject:
Cc:
Bcc:
X-Attachments: C:\Documents and Settings\Administrator\Desktop\badnotes1.txt;
In-Reply-To:
References:
Message-Id: <[email protected]>

Here is the conversation if had with the suspect. He has no idea I'm undercover.
I will forward you more information as i have it.
Ron

From ???@??? Thu Sep 02 23:08:25 2010
To: [email protected]
From: badguy11111 <[email protected]>
Subject:
Cc:
Bcc:
X-Attachments: C:\Documents and Settings\Administrator\Desktop\badnotes2.txt;
In-Reply-To:
References:
Message-Id: <[email protected]>

Here is more information.
He has connections that get him credit card numbers, I still don't know any names he's very careful not to mention names.
standby until further contact.
/Ron

This email is suspicious in that the writer discusses being undercover and notes that the person being followed is careful not to mention names.

In figure 7, we were able to locate both files that were transferred in the FTP transmission on the desktop of the Administrator user.

Figure 7


Below are the contents of both files:

badnotes1.txt:
“Notes: Remember to gather up all the users you collected with their passwords, this will be useful when trying to make the money transfer.
They will not know what hit them, we are going to be rich!!!
Have fun transferring all the money!”

badnotes2.txt:
Notes
Remember to deposit the money on our account; I need to buy my new car. I'm so excited to see how much you can collect from the stolen credit cards.
I was able to collect 200,000+ credit card numbers, I hope you can print some cards so we can go shopping.
Also remember to delete this file after you read it, I don't want the ftp administrator to see them.
cya!!

3.3 Corrective Actions/Recommendations

Based on this Computer Forensic Analysis Investigation Report, we recommend the leadership at Corporate Tech take the following measures:

- Create a separation of duties
- Implement a software restriction policy to restrict the software users are allowed to run
- Implement dictionary-scanning software to flag phrases contained in company email
- Apply a group policy object to set an account lockout policy
- Create a group that has permissions to specifically use the FTP service
- Create a group policy that limits the FTP commands that users can run
