From: Collins, Steve (Steve.Collins nrc.ca)
Date: Tue Mar 12 2002 - 14:44:42 CST
Hi Brandon,
After any files like your original logs have been deleted, the space they
once occupied is fair game for any data that comes along. That space was
likely partially overwritten by the modified logs you sent back to the
server.
As for the space occupied by the tools (I am assuming you deleted them
_after_ uploading the logs), Windows modifies quite a number of files during
the shutdown process and this activity probably overwrote that space.
Cheers,
Steve Collins GIAC NTSA
Information Systems Security Analyst
Information Protection Centre
National Research Council of Canada
Ottawa, Ontario K1A 0R6
-----Original Message-----
From: Young, Brandon [mailto:Brandon.Young Honeywell.com]
Sent: Tuesday, March 12, 2002 12:54 PM
To: 'forensics securityfocus.com'
Subject: Encase and data recovery
All,
My colleague and I set up a default installation of IIS web server 5.0 on Windows 2000 Server using NTFS. We put together a mock incident response scenario where one of us broke into the machine, dropped tools on it, edited web server logs to cover tracks, deleted event logs to cover up auditing tracks and then deleted all of the tools off it.
During the incident response phase we used Encase to investigate what actually was done to the box, since from the investigator's point of view, the logs had obviously been edited and therefore couldn't be relied upon. When he looked through the evidence files there were no remnants left of the original logs, as well as only a partial listing of the tools that were dropped on it during the break-in.
The question we have is why weren't we able to recover the original logs? What I did when I broke into the server was stop the w3svc and tftp the IIS logs up, edit them, delete the old logs and replace them with the edited versions. In addition to this, Encase only saw about three of the six or so tools I used while I was in the server. Why was Encase only able to recover some of the tools used in the incident?
One answer we came up with was that the OS used the unallocated space where the tools previously existed and therefore they were overwritten. But this seems unlikely since there wasn't any legitimate activity on the machine. This box was only used for this scenario.
Any ideas?
Thanks,
Brandon Young
CISSP, CCSA, CCSE, CCNA, MCSE
Information Security Engineer
Honeywell International
Global IT Security & Systems Assurance
Email: brandon.young honeywell.com
Voice: 480.592.3988
Intranet: http://itg.honeywell.com/secarch
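Steve's explanation of Brandon's scenario, as an added illustration that is not part of either message: a toy cluster-allocation model in which deleting a file only clears its bitmap bits, so the bytes survive until a later write reuses those clusters. A first-fit allocator, a 4 KiB cluster size and the file names and sizes are all constructed assumptions; real NTFS placement differs, so the remnant fractions are illustrative rather than a prediction for any actual volume.

```python
"""Toy cluster model (added illustration, not from the thread).

Assumptions: first-fit allocation, 4 KiB clusters, constructed file names
and sizes. Real NTFS placement differs; the point is the mechanism.
"""

CLUSTER = 4096  # assumed cluster size in bytes


class Volume:
    def __init__(self, clusters):
        self.bitmap = [False] * clusters   # True = cluster allocated
        self.data = [None] * clusters      # whose bytes physically sit in each cluster
        self.files = {}                    # name -> clusters currently allocated to it

    def write(self, name, size):
        """Allocate the lowest free clusters (first fit) and overwrite them."""
        need = -(-size // CLUSTER)         # ceiling division
        free = [i for i, used in enumerate(self.bitmap) if not used]
        if len(free) < need:
            raise OSError("volume full")
        chosen = free[:need]
        for i in chosen:
            self.bitmap[i] = True
            self.data[i] = name            # old content in this cluster is now gone
        self.files[name] = chosen
        return chosen

    def delete(self, name):
        """Free the clusters in the bitmap; the bytes are left in place."""
        for i in self.files.pop(name):
            self.bitmap[i] = False

    def remnant_fraction(self, name, clusters):
        """Share of a deleted file's former clusters still holding its bytes."""
        return sum(1 for i in clusters if self.data[i] == name) / len(clusters)


def brandon_scenario():
    """Replay the thread's sequence: log edited and re-uploaded, tools deleted, shutdown."""
    vol = Volume(64)
    orig_log = vol.write("ex020312.log", 20 * CLUSTER)   # constructed IIS-style log name
    tools = vol.write("tools.zip", 8 * CLUSTER)
    vol.delete("ex020312.log")
    vol.write("ex020312.log.edited", 16 * CLUSTER)       # edited log lands in the freed clusters
    vol.delete("tools.zip")
    vol.write("shutdown-activity", 8 * CLUSTER)          # Windows shutdown writes reuse more space
    return {"log": vol.remnant_fraction("ex020312.log", orig_log),
            "tools": vol.remnant_fraction("tools.zip", tools)}
```

In this constructed run the original log is fully overwritten (nothing left to carve) while half of the tools' clusters survive, which is the pattern Brandon describes: no log remnants and only a partial listing of tools.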
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com