Setting the Scene:
You're a consultant who has been called in to conduct a forensic investigation for Bob's Chili Burgers LLC. Bob Barnascus, owner of the company, is disturbed by customer reports that their website was infecting customers with malware. The website had just debuted, and within an hour customers were sending complaints and legal threats. Bob and his executive leadership team of crack Chili experts have asked the analytic questions below to guide your analysis.
Figure 1: Bob's long-developed website captures the essence and substance of his well-reputed business.
Mounting the Image on SIFT or Kali:
- Place the image in your /cases directory
- sudo su # become root
- mkdir -p /mnt/ewf_mount1 /mnt/e01 # create the mount points if they do not already exist
- ewfmount /cases/BobsFamousChiliCase_Logical.E01 /mnt/ewf_mount1/ # expose the E01 as a raw image at /mnt/ewf_mount1/ewf1
- mount -t ext4 -o ro,loop,noexec,noload /mnt/ewf_mount1/ewf1 /mnt/e01 # mount the raw image read-only in /mnt/e01; "noload" skips journal replay so a dirty (uncleanly unmounted) ext4 filesystem mounts without being modified
https://digital-forensics.sans.org/blog/2011/11/28/digital-forensic-sifting-mounting-ewf-or-e01-evidence-image-files
https://digital-forensics.sans.org/blog/2011/06/14/digital-forensics-mounting-dirty-ext4-filesystems
Questions:
- Verify the SHA1 checksum of the image provided.
- Through what protocol was this system compromised?
- What distribution and version is this system?
- What country is the attacker's IP address from?
- What time was the attacker account created in UTC (XX:XX:XX format)?
- What port is the protocol used to compromise the system set on?
- How many different countries are represented by the IPs in the web server log?
- What date and time (directly copy/paste from log) did the attacker first log in?
- What is the IP that failed to log in directly before the attacker successfully logged in?
- What day of the week does the attacker's cron job fire?
- What is the name of the user account the attacker made?
- The attacker set a password for the account that they made, what is it set to?
- The attacker changed the root password, what is it set to?
- What addition to the website is causing users to get redirected to malicious pages?
- What exploit kit is the link associated with?
- What is the sha256 hash of the first file the attacker added to /var/www/html?
- What is the ClamAV name for the second file the attacker added to /var/www/html?
- What file was exfiltrated?
- What command line tool did the attacker use to exfiltrate the file?
- BONUS: URL for the exfiltrated file?
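The login and account-creation questions above are answered from the mounted image's auth.log. As an added example (not part of the challenge or its image), the script below pulls those facts out of an auth.log excerpt: the first successful SSH login, the IP that failed directly before it, and the useradd record. The log lines, hostname, account name and IPs are constructed placeholders, not values from the case.

```python
import re

# Constructed auth.log excerpt (NOT from the case image). IPs are RFC 5737
# documentation addresses and the account name is a placeholder.
SAMPLE_AUTH_LOG = """\
Mar  3 14:01:07 chili sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 14:01:10 chili sshd[1203]: Failed password for invalid user admin from 192.0.2.44 port 40110 ssh2
Mar  3 14:01:15 chili sshd[1205]: Accepted password for root from 203.0.113.5 port 50215 ssh2
Mar  3 14:02:30 chili useradd[1230]: new user: name=phpserv, UID=1001, GID=1001, home=/home/phpserv, shell=/bin/bash
Mar  3 14:03:02 chili sshd[1240]: Failed password for root from 198.51.100.7 port 51030 ssh2
"""

# Syslog timestamps are in the imaged system's local time; convert to UTC using
# the image's /etc/timezone (or /etc/localtime) before reporting an answer.
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
USERADD_RE = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+)")


def first_successful_login(log_text):
    """Return (timestamp, user, ip) of the first 'Accepted' sshd line, or None."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            return m.group("ts"), m.group("user"), m.group("ip")
    return None


def failed_ip_before_first_login(log_text):
    """IP of the last 'Failed password' line that precedes the first successful login."""
    last_failed = None
    for line in log_text.splitlines():
        if ACCEPTED_RE.match(line):
            return last_failed
        m = FAILED_RE.match(line)
        if m:
            last_failed = m.group("ip")
    return None


def accounts_created(log_text):
    """(timestamp, username) for every useradd 'new user' record, in log order."""
    found = []
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            found.append((m.group("ts"), m.group("user")))
    return found


if __name__ == "__main__":
    print(first_successful_login(SAMPLE_AUTH_LOG))
    print(failed_ip_before_first_login(SAMPLE_AUTH_LOG))
    print(accounts_created(SAMPLE_AUTH_LOG))
```

Run it against the real file with `open("/mnt/e01/var/log/auth.log").read()` in place of the sample text; rotated logs (auth.log.1, auth.log.*.gz) must be checked too, since the first login may predate the current file.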