Posted: Mon Dec 09, 2013 12:15 am Post subject: Re: NTFS intrusion help
my question is: If a network intrusion happens in live NTFS, what are the main components to be retrieved?
and what should I do?
I think the first thing is to better explain your question, perhaps use an example.
For example, the question: If a computer running Server 2003 is attacked over the network and a critical flaw in the Windows Shell Handler is exploited, what forensic artifacts will be found in the NTFS file system? is a significantly different question than: what flaws are in the NTFS file system that could be exploited over the network?
And even those questions are too broad as it would take the person responding pages of writing to answer. In the first you would need to define the attack and what flaw in the shell is being exploited. In the second you would be pointed to Google to find what flaws exist because enumerating flaws is not a forensic question.
A more narrow scenario-based question: I am working a hypothetical case where an unpatched Server 2003 box was exploited via weak security on a share. The attacker escalated their privileges and using a weakness in the NTFS move/copy command copied sensitive files from the server. I have looked at the permissions on the folder and the only group I can see with RW permission on the server is "Managers", yet there are no accounts in that group that do not belong.
I have tested adding an account to the group and removing the account but do not see forensic remnants in the file system. Can anyone suggest where to look or other test scenarios that might help?
As is, your question is too broad and ill-defined to ever get a response.