Computer Forensics World :: View topic - NTFS intrusion help
Computer Forensics World Forum Index -> Technical Issues

the1993
Newbie

Joined: Dec 08, 2013
Posts: 4

Posted: Sun Dec 08, 2013 6:36 pm    Post subject: NTFS intrusion help

Evening folks,
I am new to this forum, and the reason I created my account here is to ask something related to NTFS (New Technology File System) and network intrusion.

My question is: if a network intrusion happens in a live NTFS system, what are the main components to be retrieved?
And what should I do?

Any help will be appreciated,
thank you very much.
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Mon Dec 09, 2013 12:15 am    Post subject: Re: NTFS intrusion help

the1993 wrote:
My question is: if a network intrusion happens in a live NTFS system, what are the main components to be retrieved?
And what should I do?

I think the first thing is to better explain your question, perhaps using an example.

For example, the question "If a computer running Server 2003 is attacked over the network and a critical flaw in the Windows Shell Handler is exploited, what forensic artifacts will be found in the NTFS file system?" is a significantly different question from "What flaws are in the NTFS file system that could be exploited over the network?"

And even those questions are too broad, as it would take the person responding pages of writing to answer. In the first you would need to define the attack and what flaw in the shell is being exploited. In the second you would be pointed to Google to find what flaws exist, because enumerating flaws is not a forensic question.

A more narrow, scenario-based question: I am working a hypothetical case where an unpatched Server 2003 box was exploited via weak security on a share. The attacker escalated their privileges and, using a weakness in the NTFS move/copy command, copied sensitive files from the server. I have looked at the permissions on the folder and the only group I can see with RW permission on the server is "Managers", yet there are no accounts in that group that do not belong.

I have tested adding an account to the group and removing the account but do not see forensic remnants in the file system. Can anyone suggest where to look or other test scenarios that might help?

As is, your question is too broad and ill-defined to ever get a response.
the1993
Newbie

Joined: Dec 08, 2013
Posts: 4

Posted: Wed Dec 11, 2013 1:39 am    Post subject: Re: NTFS intrusion help

Hi PreferredUser, thank you for replying so fast, and sorry for the slow reply from me.

I am aware that my question is far too broad, so I need to clarify it.

What I am trying to say here is:
Let's say you are working as a forensic computing investigator, and now you have a suspect's laptop at a crime scene.

You cannot take anything physical from the laptop; however, you can actually take whatever is non-physical from the laptop.

My question: when I am in this situation, what non-physical things do I have to retrieve from this laptop, which is using NTFS?

For example, I should take a dd image of the hard disk and check it at home,
or maybe I can take the NTFS boot sector that contains the layout of the disk volume.
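Added example (not code from any poster in this thread): a parser for the NTFS boot sector that the1993 mentions, run over a constructed boot sector. It shows which volume-layout fields the sector carries (sector and cluster size, total sectors, where $MFT starts, file record size) and turns them into the byte offset an examiner would seek to in a dd image to reach the file records. Field offsets follow the published NTFS BIOS parameter block layout; every value in the sample sector is constructed.

```python
import struct

NTFS_OEM_ID = b"NTFS    "

def build_sample_boot_sector() -> bytes:
    """Constructed (not captured) 512-byte NTFS boot sector for a small volume."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                    # x86 jump to the boot code
    bs[3:11] = NTFS_OEM_ID                        # OEM ID that identifies NTFS
    struct.pack_into("<H", bs, 0x0B, 512)         # bytes per sector
    bs[0x0D] = 8                                  # sectors per cluster (4 KiB clusters)
    struct.pack_into("<I", bs, 0x1C, 2048)        # hidden sectors before the volume
    struct.pack_into("<Q", bs, 0x28, 20971519)    # total sectors in the volume
    struct.pack_into("<Q", bs, 0x30, 786432)      # $MFT starting cluster
    struct.pack_into("<Q", bs, 0x38, 2)           # $MFTMirr starting cluster
    bs[0x40] = 0xF6                               # file record size: -10 => 2**10 bytes
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # volume serial number
    bs[0x1FE:0x200] = b"\x55\xAA"                 # boot sector signature
    return bytes(bs)

def _size_field(raw: int, cluster_bytes: int) -> int:
    """Signed byte: positive = count of clusters, negative n = 2**|n| bytes."""
    n = struct.unpack("<b", bytes([raw]))[0]
    return 2 ** (-n) if n < 0 else n * cluster_bytes

def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Extract the volume-layout fields needed to locate $MFT inside an image."""
    if len(bs) < 512 or bs[3:11] != NTFS_OEM_ID or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", bs, 0x30)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "hidden_sectors": struct.unpack_from("<I", bs, 0x1C)[0],
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * cluster_bytes,   # seek here in a volume image
        "mft_mirr_cluster": struct.unpack_from("<Q", bs, 0x38)[0],
        "file_record_bytes": _size_field(bs[0x40], cluster_bytes),
        "volume_serial": struct.unpack_from("<Q", bs, 0x48)[0],
    }
```

On a full-disk image, add the partition's starting offset to `mft_byte_offset`; the boot sector alone only describes the volume it belongs to.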
cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Dec 11, 2013 2:38 am

It would probably help if you posted the question exactly as it is stated in the assignment.
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Dec 11, 2013 3:19 am

cybercop wrote:
It would probably help if you posted the question exactly as it is stated in the assignment.

Most certainly.

PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Dec 11, 2013 3:25 am    Post subject: Re: NTFS intrusion help

the1993 wrote:
What I am trying to say here is:
Let's say you are working as a forensic computing investigator, and now you have a suspect's laptop at a crime scene.

You cannot take anything physical from the laptop; however, you can actually take whatever is non-physical from the laptop.

My question: when I am in this situation, what non-physical things do I have to retrieve from this laptop, which is using NTFS?

For example, I should take a dd image of the hard disk and check it at home,
or maybe I can take the NTFS boot sector that contains the layout of the disk volume.

At your school, have they taught concepts like Order of Volatility? Any general crime scene procedures?

I would recommend you read the advice from SANS Institute and then rephrase your question.

http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/

the1993
Newbie

Joined: Dec 08, 2013
Posts: 4

Posted: Wed Dec 11, 2013 3:42 am

cybercop wrote:
It would probably help if you posted the question exactly as it is stated in the assignment.

Actually, it is exactly the question from my assignment, without paraphrasing (not a bit).

Let me clarify the question again without paraphrasing: if a network intrusion happens in a live NTFS system, what are the main components to be retrieved?

Also, I consulted my lecturer and he said that the components which can be obtained from "http://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx" MIGHT be the answers.

the1993
Newbie

Joined: Dec 08, 2013
Posts: 4

Posted: Wed Dec 11, 2013 3:58 am    Post subject: Re: NTFS intrusion help

PreferredUser wrote:
the1993 wrote:
What I am trying to say here is:
Let's say you are working as a forensic computing investigator, and now you have a suspect's laptop at a crime scene.

You cannot take anything physical from the laptop; however, you can actually take whatever is non-physical from the laptop.

My question: when I am in this situation, what non-physical things do I have to retrieve from this laptop, which is using NTFS?

For example, I should take a dd image of the hard disk and check it at home,
or maybe I can take the NTFS boot sector that contains the layout of the disk volume.

At your school, have they taught concepts like Order of Volatility? Any general crime scene procedures?

I would recommend you read the advice from SANS Institute and then rephrase your question.

http://computer-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/

Thank you so much PreferredUser!
The websites that you attached might be the closest answer to my question.

And no, they haven't taught any concept similar to order of volatility. Therefore, by reading the article you gave, I have an idea of how to answer the question.

All times are GMT + 10 Hours