| View previous topic :: View next topic |
| Author |
Message |
the1993
Newbie
Joined: Dec 08, 2013
Posts: 4
|
 Posted: Sun Dec 08, 2013 6:36 pm Post subject: NTFS intrusion help |
 |
|
Evening folks,
I am new in this forum and the reason I create my account here is to ask something related to NTFS(new technology file system) and Network intrussion.
my question is: If an network intrusion happens in live NTFS, what are the main components to be retrieved?
and what should I do?
Any help will be appreciated,
thank you very much. |
|
| Back to top |
|
 |
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA
|
| Posted: Mon Dec 09, 2013 12:15 am Post subject: Re: NTFS intrusion help |
|
|
| the1993 wrote: | my question is: If an network intrusion happens in live NTFS, what are the main components to be retrieved?
and what should I do? |
I think the first thing is to better explain your question, perhaps use an example.
For example the question: If a computer running Server 2003 is attacked over the network and a critical flaw in the Windows Shell Handler is exploited, what forensic artifacts will be found in the NTFS file system? Is a significantly different question than: what flaws are in the NTFS file system that could be exploited over the network?
And even those questions are too broad as it would take the person responding pages of writing to answer. In the first you would need to define the attack and what flaw in the shell is being exploited. In the second you would be pointed to Google to find what flaws exist because enumerating flaws is not a forensic question.
A more narrow scenario based question: I am working a hypothetical case where an unpatched Server 2003 box was exploited via weak security on a share. The attacker escalated their privileges and using a weakness in the NTFS move/copy command copied sensitive files from the server. I have looked at the permissions on the folder and the only group I can see with RW permission on the server is "Managers" yet there are no accounts in that group that do not belong.
I have tested adding an account to the group and removing the account but do not see forensic remnants in the file system. Can anyone suggest where to look or other test scenarios that might help?
As is your question is too broad and ill defined to ever get a response. |
|
| Back to top |
|
|
the1993
Newbie
Joined: Dec 08, 2013
Posts: 4
|
| Posted: Wed Dec 11, 2013 1:39 am Post subject: Re: NTFS intrusion help |
|
|
Hi PreferredUser, thank you for replying fast and sorry for slow reply from me.
I am aware that my question if far too broad, so what I need to clarify it.
What I am trying to say here is:
Let's say you are working as forensic computing investigator, and now you have a suspect's laptop in crime scene.
You cannot take anything physical from the laptop, however you can actually take whatever non-physical from the laptop.
My question: When I am in this situation, what non-physical thing that I have to retrieve from this laptop which is using NTFS?
For examples, I should take a dd.image of the hard disk and check it at home.
or maybe I can take the NTFS boot sector that contains layout of the disk volume. |
|
| Back to top |
|
|
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA
|
| Posted: Wed Dec 11, 2013 2:38 am Post subject: |
|
|
| It would probably help if you posted the question exactly as it is stated in the assignment. |
|
| Back to top |
|
|
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA
|
| Posted: Wed Dec 11, 2013 3:19 am Post subject: |
|
|
| cybercop wrote: | | It would probably help if you posted the question exactly as it is stated in the assignment. |
Most certainly |
|
| Back to top |
|
|
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA
|
| Posted: Wed Dec 11, 2013 3:25 am Post subject: Re: NTFS intrusion help |
|
|
| the1993 wrote: | What I am trying to say here is:
Let's say you are working as forensic computing investigator, and now you have a suspect's laptop in crime scene.
You cannot take anything physical from the laptop, however you can actually take whatever non-physical from the laptop.
My question: When I am in this situation, what non-physical thing that I have to retrieve from this laptop which is using NTFS?
For examples, I should take a dd.image of the hard disk and check it at home.
or maybe I can take the NTFS boot sector that contains layout of the disk volume. |
In your school have they taught concepts like Order of Volatility? Any general crime scene procedures?
I would recommend you read the advice from SANS Institute and then rephrase your question.
**http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/** |
|
| Back to top |
|
|
the1993
Newbie
Joined: Dec 08, 2013
Posts: 4
|
| Posted: Wed Dec 11, 2013 3:42 am Post subject: |
|
|
| cybercop wrote: | | It would probably help if you posted the question exactly as it is stated in the assignment. |
Actually it is the question exactly from my assignment without paraphrase (not a bit)
Let me clarify the question again without paraphrasing: If a network intrusion happens in live NTFS system, what are the main components to be retrieved?
Also, I consulted my lecturer and he said that the components which can be get from "http://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx" MIGHT be the answers |
|
| Back to top |
|
|
the1993
Newbie
Joined: Dec 08, 2013
Posts: 4
|
| Posted: Wed Dec 11, 2013 3:58 am Post subject: Re: NTFS intrusion help |
|
|
| PreferredUser wrote: | | the1993 wrote: | What I am trying to say here is:
Let's say you are working as forensic computing investigator, and now you have a suspect's laptop in crime scene.
You cannot take anything physical from the laptop, however you can actually take whatever non-physical from the laptop.
My question: When I am in this situation, what non-physical thing that I have to retrieve from this laptop which is using NTFS?
For examples, I should take a dd.image of the hard disk and check it at home.
or maybe I can take the NTFS boot sector that contains layout of the disk volume. |
In your school have they taught concepts like Order of Volatility? Any general crime scene procedures?
I would recommend you read the advice from SANS Institute and then rephrase your question.
**http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/** |
Thank you so much PreferredUser!
The websites that you attached might be the closest answer to my question.
And no, they haven't taught any concept similar with order of volatility. Therefore by reading the article you gave, I have an idea of how to answer the question |
|
| Back to top |
|
|
|
Forum FAQ
Search
Usergroups
Profile
Log in to check your private messages
Log in
