
Part A: Preparing the lab
Import the VM provided in blog.mysportclub.ex.ova into VirtualBox. This is a webserver for which you do not have the credentials, so you will need to use an ISO file for Kali Linux to boot from. You can download the Kali installer from https://www.kali.org/get-kali/#kali-bare-metal.
1. In the VM settings, configure the optical drive to use the Kali Linux ISO file. Capture a screenshot.
2. Make sure the VM will boot first from the DVD. Capture a screenshot of the proper setting.
3. Boot the VM. In Kali’s booting menu, choose Advanced options → Rescue mode. Later, you are asked about the root filesystem. Choose “Do not use a root file system”. Then, “Execute a shell in the installer environment”. You will need to mount the webserver’s disk partitions somewhere in the filesystem. Execute “fdisk -l /dev/sda” to see all partitions in the webserver’s disk. Capture a screenshot.
IMPORTANT NOTE: If you restart at some point, this and next steps must be repeated.
4. Execute “vgdisplay” to show all volume groups. Then, “lvdisplay” to show all logical volumes and what group they belong to. As you probably noticed, you cannot scroll the output, so it is more convenient to paginate the output with “lvdisplay | more”. Enumerate the 5 volumes you found (just write down the names, no screenshot).
5. Create a directory /mnt/blog and mount the root volume there using the device file shown in “LV Path”. Then, show the content of the mount point, which should be the standard root directory. Capture a screenshot of the successful commands.
Tip: the mount command you need is based on “mount -o ro DEVICE MOUNT_POINT”.
6. The webserver’s logs were stored originally in the standard directory /var/log. Therefore, to access them you need to mount the corresponding logical volume in /mnt/blog/var and access them using the new path /mnt/blog/var/log. Capture a screenshot of the corresponding mount and ls commands.
7. Execute “mount” without parameters and double-check that both filesystems are mounted read-only. Why do we need to make sure? What would happen if forensic evidence were altered somehow?
Part B: Logs analysis
Based on the information in ENISA_Webserver_Analysis.pdf, provided with the lab, you need to analyze the webserver logs as part of your forensic investigation. The server with IP XXXXXXXXXX, which runs WordPress and hosts http://blog[.]mycompany[.]ex, was compromised on August 19th, 2016. Refer to section 3.4.1 as a guideline, but you do not need to perform all tasks.
8. Move to /mnt/blog/var/log/apache2 to find Apache’s logs. Execute “tail -5 access.log” to get familiar with the fields found in every single entry. What browser was used in the last log entry?
9. The first field is the IP address of the system that accessed the webserver. As you can see, the last entries show the server itself. To avoid them, use the parameter -v in grep. Show the last 3 lines that do not relate to the server itself, either by XXXXXXXXXX or ::1.
10. You can observe the IP address in these lines is XXXXXXXXXX, but there could be other IP addresses. Obtain them all using the command-line example in the PDF that combines cat, awk, sort and uniq.
11. Nonetheless, most connections originate from this local IP address. Execute “grep ^XXXXXXXXXX access.log | tail -5”. It seems the attacker uploaded a file c99.php somewhere in the WordPress document root. Usually WP’s document root is under /var/www/html. However, we are working with everything mounted under /mnt/blog. Therefore, the full path is /mnt/blog/var/www/html. Move there, then to the wordpress directory. From this point on, you need to move to where the file c99.php is, as per the information you observed in the log. What is the full path of this file?
12. Move to the folder (you can press TAB to complete the directories’ names). Execute “head -20 c99.php”. What is suspicious?
13. What kind of file is it (other than a PHP script), used by attackers to gain persistence?
14. What are 3 ways of mitigating vulnerabilities in jQuery-File-Upload?

Forensic Analysis

www.enisa.europa.eu | European Union Agency For Network And Information Security
Forensic Analysis
Webserver analysis
Toolset, Document for students
1.0
DECEMBER 2016

About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.
Contact
For contacting the authors please use XXXXXXXXXX.
For media enquiries about this paper, please use XXXXXXXXXX.
Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time.

Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication.

This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2016
Reproduction is authorised provided the source is acknowledged.


Table of Contents
1. Introduction to the training
2. Case materials
   Provided case materials virtual environment
   Forensic Linux distribution
   Using the .ova files
3. Exercise
   PART 1: Exercise briefing
   PART 2: Forensic capture process
   PART 3: Forensic capture
      3.3.1 TASK 1: Handle the provided materials in a forensically sound way
   PART 4: Examination
      3.4.1 TASK 2: Examine blog.mycompany.ex
      3.4.2 TASK 3: Examine blog.mysportclub.ex
      3.4.3 TASK 4: Examine coloserver1337.myhosting.ex
   PART 5: (Linux) Forensic analysis of evidence
      3.5.1 TASK 5: Analyse the evidence
   PART 6: Reporting and follow up actions
      3.6.1 TASK 6: Advise on the course of action
   PART 7: Exercise summary
Main Objective: Familiarize students with webserver and Linux forensic best practices.
Targeted Audience: CSIRT Teams / Personnel handling digital forensic investigations
Total Duration: 8 hours
   PART 1: Exercise briefing: 1 hour
   PART 2: Forensic capture process: 0.5 hour
   PART 3: Forensic capture (including task 1): 0.5 hour
   PART 4: Examination (including tasks 2, 3, 4): 4 hours
   PART 5: (Linux) Forensic analysis of evidence (including task 5): 1 hour
   PART 6: Reporting and follow up actions (including task 6): 0.5 hour
   PART 7: Exercise summary: 0.5 hour
Frequency: Once per person
1. Introduction to the training
This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign. This exercise can be done by itself or as part of the whole digital forensics training.
Following the leads from day one and two, there is a suspicion that a web server had been compromised. We are permitted to analyse three virtual server images acquired from hosting companies: the drive-by, the exploit kit (EK) landing page hosting malware and the drop zone.
While all three tasks sound similar and have a common base (system forensics with the same computer forensic fundamentals), we will acquire different information during this exercise. All three systems contain traces of malicious activity corresponding to evidence found on workstations. These traces of malicious activity suggest there were other victims, and plenty of other traces make the analysis harder. The students can also find traces of system compromise.
2. Case materials
Provided case materials virtual environment
In addition to the training documents, students will need three Virtual Machine images and one memory dump. The four files are provided as listed in the table below and are 3.2 GB in total.
Digital course materials needed
Filename                             MD5                               Size
blog.mycompany.ex.ova                53ce9a84a45245982ec0f83e34a30d99  601 MB
blog.mysportclub.ex.ova              607da2690bd2534f19b822ba577c67be  698 MB
coloserver1337.myhosting.ex.ova      89c0c890a50c4b0dfdc007cb8013f2 (incomplete in the source)  739 MB
coloserver1337.myhosting.ex.mem.elf  2d8aa26385d9b0194131d3885ed9750f  1.1 GB
Figure 1: Digital course materials needed
Forensic Linux distribution
As mentioned in the previous exercises, the student will use CAINE 7.0 to do the exercises. CAINE is a bootable Linux image that offers a complete forensic environment with a graphical interface. Below are the details and download location of the ENISA CAINE Virtual Machine and the download location of the default CAINE ISO file.
ENISA CAINE 7.0 VM
In the 2 previous exercises we used a CAINE 7.0 virtual machine prepared by ENISA. If you do only this exercise, the download information is below.
$ wget https://s3-eu-west-1.amazonaws.com/ec36e00dc3efcc0343dc3b5af90dba39/Caine.ova.7z
The 7z file is protected with the password infected128. To log in to the virtual machine you can use the following account information: User: enisa, password: enisa.
CAINE 7.0 ISO
This exercise can also be done with a standard CAINE live DVD. The screenshots provided are based on the standard CAINE 7.0 ISO unless mentioned otherwise.
$ wget http://caine.mirror.garr.it/mirrors/caine/caine7.0.iso
MD5: 6609E10773B10D96EAE92C204B862BE3
Figure 2: CAINE 7.0 desktop (source: http://www.caine-live.net/menu.jpg)
Using the .ova files
Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines. The entire directory can be distributed as an OVA package, which is a tar archive file with the OVF directory inside. An OVF package consists of several files placed in one directory [1].

In this example we do an import of the Caine.ova. If it is already there you can skip this step.
[1] https://en.wikipedia.org/wiki/Open_Virtualization_Format

Figure 3: Import CAINE 7.0 step 1 in VirtualBox (source: screenshot by ENISA)

Figure 4: Import CAINE 7.0 step 2 in VirtualBox (source: screenshot by ENISA)

Figure 5: Import CAINE 7.0 step 3 in VirtualBox (source: screenshot by ENISA)




3. Exercise
PART 1: Exercise briefing
Duration: 1 hour
PART 2: Forensic capture process
Duration: 0.5 hour
PART 3: Forensic capture
Duration: 0.5 hour
3.3.1 TASK 1: Handle the provided materials in a forensically sound way
In TASK 1 we will handle evidence files in a forensically sound way.
You will need:
- The three Virtual Machine images (.ova files) and the memory dump provided with this module.
Starting point:
As an investigator you received three .ova files from
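A check for Part A, step 7, added here as an example and not part of the assignment or the ENISA material: it parses what "mount" prints and flags every filesystem at or below the evidence mount point that lacks the ro option. The device, volume group and logical volume names in the sample are assumptions, not the lab's real ones.

```shell
#!/bin/sh
# Constructed sample of what "mount" prints after Part A, steps 5 and 6
# (device and volume group names are placeholders, not the lab's real ones).
# The var volume was deliberately mounted without "-o ro" to show the failure case.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
/dev/mapper/vg0-root on /mnt/blog type ext4 (ro,relatime)
/dev/mapper/vg0-var on /mnt/blog/var type ext4 (rw,relatime)'

# ro_check MOUNT_OUTPUT PREFIX
# Prints "OK <mountpoint>" or "WRITABLE <mountpoint>" for every filesystem mounted
# at or below PREFIX; returns 0 only if all of them carry the "ro" option.
ro_check() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        BEGIN { bad = 0 }
        $3 == prefix || index($3, prefix "/") == 1 {
            # "mount" prints the options as "(opt1,opt2,...)" in the last field
            opts = $NF
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            if (ro) print "OK " $3
            else { print "WRITABLE " $3; bad = 1 }
        }
        END { exit bad }'
}

if ro_check "$SAMPLE_MOUNTS" /mnt/blog; then
    echo "all evidence filesystems are read-only"
else
    echo "unmount the WRITABLE ones and mount them again with: mount -o ro DEVICE MOUNT_POINT"
fi
```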
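For Part B, steps 8 to 11, this added example (not from the assignment or the ENISA document) runs the same tail, grep -v and awk | sort | uniq -c steps, plus a path match for PHP files served from upload directories, over a constructed access.log; the IP addresses, plugin path and user agents are placeholders.

```shell
#!/bin/sh
# Constructed access.log in Apache's combined format (placeholder IPs and paths,
# not the lab's real log). It stands in for /mnt/blog/var/log/apache2/access.log.
ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [19/Aug/2016:10:02:11 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
127.0.0.1 - - [19/Aug/2016:10:02:12 +0000] "POST /wordpress/wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/4.5"
203.0.113.7 - - [19/Aug/2016:10:05:40 +0000] "POST /wordpress/wp-content/plugins/uploader/server/php/ HTTP/1.1" 200 90 "-" "curl/7.47.0"
203.0.113.7 - - [19/Aug/2016:10:05:41 +0000] "GET /wordpress/wp-content/plugins/uploader/server/php/files/c99.php HTTP/1.1" 200 31200 "-" "curl/7.47.0"
::1 - - [19/Aug/2016:10:06:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "WordPress/4.5"
198.51.100.2 - - [19/Aug/2016:10:07:30 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 4011 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/52.0"
EOF

# last_user_agent LOGFILE: the browser string is the last double-quoted field (step 8)
last_user_agent() {
    tail -1 "$1" | awk -F'"' '{ print $6 }'
}

# remote_ips LOGFILE: every client except the server itself (127.0.0.1 / ::1),
# with request counts, most active first (steps 9 and 10)
remote_ips() {
    grep -v -E '^(127\.0\.0\.1|::1) ' "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# php_in_upload_dirs LOGFILE: requests for a .php file served from an upload or
# files directory, the pattern that reveals a dropped web shell such as c99.php (step 11)
php_in_upload_dirs() {
    awk '$7 ~ "/(uploads|files)/[^/ ]*[.]php" { print $1, $4, $5, $6, $7 }' "$1"
}

last_user_agent "$ACCESS_LOG"
remote_ips "$ACCESS_LOG"
php_in_upload_dirs "$ACCESS_LOG"
```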
Answered 298 days After Oct 29, 2022

Solution

Ajay answered on Aug 24 2023
38 Votes