Remote Access Scenario (examination)

14 Posts
6 Users
0 Likes
716 Views
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
Topic starter
 

Hello all, looking for some input here. I have an XP box; an IT individual was fired from the company, and the company believes they remoted in at a specific time to delete and alter files within the computer. For instance, they believe the computer was breached on a specific day in April at a certain time. Extracting the event log 8 minutes after the company believed someone accessed the computer remotely, there is one event in the security log stating the event log was cleared by "user A"; user A has not worked at the company for many months, and the IT individual knew what user A's password was, etc. Additionally, within the registry NTUSER of User A, prior to the clearing of the event log, there is an entry in the search assist for *.evt. Utilizing RegRipper, it shows that auditing is not enabled. My thinking is the fired IT personnel remotely accessed the computer under the User A account; once inside, they cleared the security evt log (this would take away the log entry for them accessing the system), and then furthermore changed the auditing policy to not log logon/logoff events. Is there an area to see the last modified time as to when the auditing policy was last changed? Any other suggestions for possibly locating deleted security evt logs? Thanks everyone

 
Posted : 20/05/2010 10:36 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

You check in the restore points - if the service was activated?

Search for event log file signatures?

Also dig into Chris Pouge's blog on timeline analysis - multiple parts
http://thedigitalstandard.blogspot.com/2010/03/creating-timeline-of-live-windows.html

 
Posted : 21/05/2010 1:46 am
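The "search for event log file signatures" suggestion above, and the topic starter's question about locating deleted security evt logs, both come down to carving EVENTLOGRECORD structures out of raw disk data. The following is an added example, not code from the thread or from any of the posters: a small Python carver for the NT/2000/XP .evt record format (each record begins with its length, then the "LfLe" magic, and ends by repeating the length). It runs against a constructed byte buffer built inside the script; the record contents, hostname "WS01", account "user_a" and timestamps are all made up for the demonstration, and the 528/612/517 event IDs are the XP Security log IDs for a successful logon, an audit policy change and "the audit log was cleared". Only the "Security" source and the 517 ID are used to flag log-clearing records.

```python
import struct
from datetime import datetime, timezone

# EVENTLOGRECORD fixed header of the NT/2000/XP .evt format, little-endian:
# Length, Reserved ("LfLe"), RecordNumber, TimeGenerated, TimeWritten, EventID,
# EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
RECORD_FMT = "<IIIIIIHHHHIIIIII"
HEADER_SIZE = struct.calcsize(RECORD_FMT)  # 56 bytes
LFLE_MAGIC = 0x654C664C                    # packs to the bytes b"LfLe"
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}
EVT_AUDIT_LOG_CLEARED = 517     # XP Security log: "The audit log was cleared"
EVT_AUDIT_POLICY_CHANGE = 612   # XP Security log: audit policy changed


def parse_record(buf, start):
    """Parse one EVENTLOGRECORD at buf[start]; return None if it fails sanity checks."""
    if start < 0 or start + HEADER_SIZE > len(buf):
        return None
    f = struct.unpack_from(RECORD_FMT, buf, start)
    length, magic, number, t_gen, t_wr, event_id, ev_type, n_str = f[:8]
    string_offset = f[11]
    if magic != LFLE_MAGIC or not HEADER_SIZE + 4 <= length <= 0x10000:
        return None
    if start + length > len(buf):
        return None
    # A genuine record repeats its Length as the final DWORD; carved junk rarely does
    if struct.unpack_from("<I", buf, start + length - 4)[0] != length:
        return None
    if not HEADER_SIZE <= string_offset <= length - 4:
        return None
    # SourceName and Computername are consecutive NUL-terminated UTF-16LE strings
    names = buf[start + HEADER_SIZE:start + string_offset].decode("utf-16-le", "replace").split("\0")
    strings = buf[start + string_offset:start + length - 4].decode("utf-16-le", "replace").split("\0")
    return {
        "offset": start, "length": length, "record_number": number,
        "event_id": event_id & 0xFFFF,
        "event_type": EVENT_TYPES.get(ev_type, "unknown(%d)" % ev_type),
        "time_generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
        "time_written": datetime.fromtimestamp(t_wr, timezone.utc).isoformat(),
        "source": names[0] if names else "",
        "computer": names[1] if len(names) > 1 else "",
        "strings": strings[:n_str],
    }


def carve_records(buf):
    """Scan raw bytes (e.g. unallocated clusters) for "LfLe" and keep every record that validates."""
    records, pos = [], buf.find(b"LfLe")
    while pos != -1:
        rec = parse_record(buf, pos - 4)        # the magic sits 4 bytes into the record
        if rec:
            records.append(rec)
            pos = buf.find(b"LfLe", rec["offset"] + rec["length"])
        else:
            pos = buf.find(b"LfLe", pos + 1)
    return records


def find_log_cleared(records):
    """Security-log records recording that the audit log itself was cleared (XP event 517)."""
    return [r for r in records if r["source"] == "Security" and r["event_id"] == EVT_AUDIT_LOG_CLEARED]


def build_record(number, event_id, when, ev_type, source, computer, strings):
    """Construct a well-formed EVENTLOGRECORD (test data only, not a real log)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    string_offset = HEADER_SIZE + len(names)
    blob = "".join(s + "\0" for s in strings).encode("utf-16-le")
    data_offset = string_offset + len(blob)
    pad = (-data_offset) % 4                 # records are DWORD-aligned
    length = data_offset + pad + 4
    ts = int(when.timestamp())
    header = struct.pack(RECORD_FMT, length, LFLE_MAGIC, number, ts, ts, event_id, ev_type,
                         len(strings), 0, 0, 0, string_offset, 0, 0, 0, data_offset)
    return header + names + blob + b"\0" * pad + struct.pack("<I", length)


def build_sample_image():
    """Constructed 'unallocated space': junk, three records, and a decoy LfLe that is not a record."""
    utc = timezone.utc
    junk = bytes(range(256))
    decoy = struct.pack("<I", 16) + b"LfLe" + b"\xff" * 40   # Length too small to be a record
    return (junk
            + build_record(1001, 528, datetime(2010, 4, 26, 9, 10, 0, tzinfo=utc), 8,
                           "Security", "WS01", ["user_a", "WS01", "(0x0,0x1A2B3)", "10"])
            + decoy
            + build_record(1002, EVT_AUDIT_POLICY_CHANGE, datetime(2010, 4, 26, 9, 15, 2, tzinfo=utc), 8,
                           "Security", "WS01", ["user_a", "WS01", "(0x0,0x1A2B3)"])
            + junk[::-1]
            + build_record(1003, EVT_AUDIT_LOG_CLEARED, datetime(2010, 4, 26, 9, 18, 31, tzinfo=utc), 8,
                           "Security", "WS01", ["user_a", "WS01", "(0x0,0x1A2B3)"])
            + junk)


if __name__ == "__main__":
    recs = carve_records(build_sample_image())
    for r in recs:
        print(r["offset"], r["record_number"], r["event_id"], r["event_type"], r["time_generated"], r["strings"])
    print("log-cleared records:", [r["record_number"] for r in find_log_cleared(recs)])
```

Point carve_records at a raw image or an unallocated-space dump instead of build_sample_image() to use it for real; the trailing-length check is what keeps the false-positive rate down, since "LfLe" on its own also turns up inside the header of every .evt file and in random data.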
CFEx
(@cfex)
Posts: 69
Trusted Member
 

In a remote access scenario, you need to look beyond the box. There should be digital evidence in other areas. What are the possible means of remote access that are (were) available at the time? VPN, dial-up, etc.

1. There should be VPN logs (I hope) with remote addresses. Search the logs for the time when the incident happened.
2. Find remote IP addresses that point to user A. Identify the ISP.
3. Search the logs to identify the suspect's user account logins, and compare his/her IP addresses to A's IP addresses. If in close proximity, you most likely have a match. It is likely that those VPN logs may have also been cleared. If you are lucky and the remote access logs are intact, consider a legal request for logs/information from the ISP.
4. Answer questions such as, who else would know the password to the user A account?

 
Posted : 21/05/2010 1:48 am
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
Topic starter
 

Searching for previous evt log files as we speak. The thing with the logs is that the network is managed by an outside vendor that is not being cooperative, and their loyalty seems to be with the IT individual; a court order or subpoena may be necessary. I will update asap regarding the restore points and the results of previous event logs.

 
Posted : 21/05/2010 2:16 am
CFEx
(@cfex)
Posts: 69
Trusted Member
 

If there is a written agreement with the network vendor, you can push them by mentioning breach of contract. If no agreement, any official document they used to provide services to you may have right and obligation requirements.

 
Posted : 21/05/2010 2:25 am
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
Topic starter
 

I agree, and that is the next step. No luck with previous .evt files. When checking out the security auditing from the restore points, I extracted the Security file from what appears to be about 3 months before, and when I use RegRipper against it, it is showing the last write time as a date in April, when the creation of the restore point was in February? Thanks for the responses

 
Posted : 21/05/2010 5:36 pm
(@mindsmith)
Posts: 174
Estimable Member
 

@pronie2121, I agree with CFEx, you need to look at multiple possible sources of evidence; the evt and even the use of the username User-A may be insufficient in itself, as are you sure that no one else knew the User-A password within IT, and that the box had not been previously infected by a malware or RAT tool? In such cases, look for corroborating evidence from firewalls (look at the connecting IP), VPN and even the proxy, as it is possible that the suspect did not connect inbound to the system, but rather, once the backdoor had been installed, the computer in question made an outbound connection to a system that the attacker could then use to gain remote access. There will be other evidence such as the remote access/admin tool, its configuration settings, and even in some cases its logs to assist you. Also, if the computer was part of a domain you still have the AD security event logs that may assist with some info, and also the local Windows/desktop firewall, etc.

Lots to go on; do they intend to prosecute the suspect?

 
Posted : 21/05/2010 5:46 pm
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
Topic starter
 

Not sure what they are intending to do as of yet; there are no logs available from the local Windows firewall. As of right now this is the only computer we have access to. I have scanned the computer with various AV and malware utilities, all returning 0 infected files. Thinking about drafting up a letter to the network management company as per CFEx's input regarding the logs and, as it was put, a breach of contract. I will keep plugging away today, and thank you all for the input thus far.

 
Posted : 21/05/2010 6:17 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Hello all, looking for some input here. I have an XP box; an IT individual was fired from the company, and the company believes they remoted in at a specific time to delete and alter files within the computer. For instance, they believe the computer was breached on a specific day in April at a certain time. Extracting the event log 8 minutes after the company believed someone accessed the computer remotely, there is one event in the security log stating the event log was cleared by "user A"; user A has not worked at the company for many months, and the IT individual knew what user A's password was, etc. Additionally, within the registry NTUSER of User A, prior to the clearing of the event log, there is an entry in the search assist for *.evt. Utilizing RegRipper, it shows that auditing is not enabled. My thinking is the fired IT personnel remotely accessed the computer under the User A account; once inside, they cleared the security evt log (this would take away the log entry for them accessing the system), and then furthermore changed the auditing policy to not log logon/logoff events. Is there an area to see the last modified time as to when the auditing policy was last changed? Any other suggestions for possibly locating deleted security evt logs?

Unfortunately, your request doesn't make sense.

First off, you used RegRipper on the Security hive file…the LastWrite time of the key will tell you when the audit policy was last changed.

Second, if auditing was not enabled, you're not going to see much in the Security Event Log.

Third, you apparently found that the User A user account was used to search for "*.evt"; this tells us that the User A account was accessed interactively, perhaps through something like a local login or a Terminal Services login…something where the shell was accessed. As such, look in the UserAssist key to see what the individual was doing on the system. Also, look at the RunMRU key, TypedURLs, etc.

Ultimately, what are your goals? What are you trying to determine or show?

 
Posted : 21/05/2010 6:45 pm
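keydet89's first point is that RegRipper already dates the audit policy change from the LastWrite time of the key in the Security hive, and reports the policy itself from the PolAdtEv value. The following added example (not code from the thread, from RegRipper, or from any poster) decodes that value and compares two copies of it, which is the comparison the topic starter is effectively making between a restore-point hive and the current one. The byte layout used here (a DWORD enabled flag, nine per-category DWORDs, then a category count, 44 bytes in total on XP) is my reading of what RegRipper's auditpol plugin parses and is an assumption, as are the two policy blobs, which are constructed in the script rather than taken from any real hive.

```python
import struct

# ASSUMED layout of the 44-byte XP-era PolAdtEv value (SECURITY hive, Policy key),
# as I understand RegRipper's auditpol plugin to interpret it:
#   DWORD 0     : 1 = auditing enabled, 0 = disabled
#   DWORD 1..9  : one setting per category, 0 none / 1 success / 2 failure / 3 both
#   DWORD 10    : number of categories (9)
CATEGORIES = ["System", "Logon/Logoff", "Object Access", "Privilege Use",
              "Process Tracking", "Policy Change", "Account Management",
              "Directory Service Access", "Account Logon"]
SETTINGS = {0: "None", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def decode_poladtev(data):
    """Turn a raw PolAdtEv value into {enabled, categories}; refuses other formats."""
    if len(data) != 44:
        raise ValueError("expected 44-byte XP-style PolAdtEv value, got %d bytes" % len(data))
    words = struct.unpack("<11I", data)
    if words[10] != len(CATEGORIES):
        raise ValueError("unexpected category count %d" % words[10])
    return {
        "enabled": words[0] == 1,
        "categories": {name: SETTINGS.get(v, "unknown(%d)" % v)
                       for name, v in zip(CATEGORIES, words[1:10])},
    }


def encode_poladtev(enabled, settings):
    """Build a constructed value for testing (inverse of decode_poladtev); not from a real hive."""
    vals = [settings.get(name, 0) for name in CATEGORIES]
    return struct.pack("<11I", 1 if enabled else 0, *vals, len(CATEGORIES))


def diff_policy(before, after):
    """List what changed between two decoded policies, e.g. restore-point hive vs. current hive."""
    changes = []
    if before["enabled"] != after["enabled"]:
        changes.append("auditing: %s -> %s" % ("enabled" if before["enabled"] else "disabled",
                                              "enabled" if after["enabled"] else "disabled"))
    for name in CATEGORIES:
        b, a = before["categories"][name], after["categories"][name]
        if b != a:
            changes.append("%s: %s -> %s" % (name, b, a))
    return changes


# Constructed sample: an earlier policy that audited logons and policy changes,
# and a later one with auditing switched off entirely.
EARLIER_BLOB = encode_poladtev(True, {"Logon/Logoff": 3, "Account Logon": 3, "Policy Change": 1})
LATER_BLOB = encode_poladtev(False, {})


def sample_changes():
    return diff_policy(decode_poladtev(EARLIER_BLOB), decode_poladtev(LATER_BLOB))


if __name__ == "__main__":
    for line in sample_changes():
        print(line)
```

The value alone only says what the policy is; pair it with the key's LastWrite time, as keydet89 notes, to say when it changed, and remember that a restore-point copy of the hive carries the timestamps it had when the restore point was written, not the restore point's own creation date.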
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
Topic starter
 

"First off, you used RegRipper on the Security hive file…the LastWrite time of the key will tell you when the audit policy was last changed."

- Agreed - Auditing is NOT enabled - Last Write Time April 26 091831

"Second, if auditing was not enabled, you're not going to see much in the Security Event Log."

Agreed and understand

"Third, you apparently found that the User A user account was used to search for "*.evt"; this tells us that the User A account was accessed interactively, perhaps through something like a local login or a Terminal Services login…something where the shell was accessed. As such, look in the UserAssist key to see what the individual was doing on the system. Also, look at the RunMRU key, TypedURLs, etc."

Since the security auditing is not enabled, that would not let me see the logon time or type for User A when the *.evt was searched. An attempt to search for deleted evt logs did not return anything related to the secevent.evt log. RunMRU shows (2) entries: 1) cmd\1 and 2) msconfig\1. TypedURLs all appear to be normal web surfing, and the UserAssist key appears to show normal activity at the time: different Office files, Google Desktop, Windows Media Player.

Ultimately the client believed that the computer was accessed remotely via the normal means of a remote desktop login; my goal was to either prove or disprove that was the case.

 
Posted : 21/05/2010 10:15 pm