Incident Response & Forensics


No one is a hundred per cent secure, and incidents do happen. From inside or outside, systems and networks get broken into, commercial secrets leak to competitors and banking data to fraudsters, website defacements ruin the corporate image, and real-time online commercial services get hit by denial of service attacks that bring down profits. Unfortunately, many companies are still lax about information security until such unpleasant events take place. If a security incident does occur, the best course of action is to turn to information security professionals for qualified help with investigation, evidence collection and recovery. Better late than never.

Our past record of working with private companies as well as government agencies is a benchmark for our expertise in this area: solved cyber crime cases for police departments and other organisations are already on record, with letters of appreciation.

  • Determining character, details and chronology of all incident events
  • Identifying the attackers and tracing their locations
  • Collecting, preserving and describing digital evidence in accordance with all formal legal procedures and regulations
  • Assisting victims of security incidents in working with the law enforcement representatives
  • Timely and efficient elimination of technical causes and consequences of the incident
  • Establishing all information security issues that allowed the incident to occur and preventing similar incidents from happening in the future

A typical incident investigation includes technical analysis of all affected systems to establish the true extent of the inflicted damage, attack methods, aims, instruments, exact timing and the most likely source. If technically possible, both identity and location of all attack perpetrators are determined. Thorough and measured collection, preservation and full formal description of digital evidence is performed to avoid breaking the chain of custody should the need to submit the evidence to the Court of Law arise. Incident recovery involves discovering and neutralising any backdoors and hidden communication channels left by attackers to preserve access to the affected systems and networks, fully fixing all the security flaws abused by malcontents to get in, restoring (as much as technically possible) the data lost as a result of the attack, and bringing back all negatively affected services and systems. With the exception of very large multinational corporations or governmental bodies that may have their own internal computer forensics and incident recovery teams, technical personnel of a company or organisation that suffered from a security incident is usually incapable of handling it properly. In particular, this applies to the full discovery and further treatment of digital evidence: even a single seemingly minor error can violate the chain of custody and make the collected evidence completely useless from a legal viewpoint.
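The evidence-preservation step described above has a concrete technical core: every acquired artefact (disk image, memory dump, traffic capture, log file) is hashed at acquisition time, and the hashes, the acquirer and the timestamps are recorded so that any later alteration, loss or addition can be proven or ruled out. The following is an added illustration, not code belonging to this company or to any tool the page names; the examiner name, the artefact files and the source description are constructed sample values.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def entries_digest(entries: list) -> str:
    """Digest over the canonical JSON of the file list; seals the manifest itself."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(evidence_dir, examiner: str, source: str) -> dict:
    """Record every acquired artefact (relative path, size, SHA-256) plus who/when/what."""
    root = Path(evidence_dir)
    entries = [
        {
            "path": p.relative_to(root).as_posix(),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
        }
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "source": source,
        "entries": entries,
        "entries_sha256": entries_digest(entries),
        # Every hand-over appends a line here; the first line is the acquisition itself.
        "custody_log": [{"at": now, "by": examiner, "action": "acquired and hashed"}],
    }


def verify_manifest(manifest: dict, evidence_dir) -> list:
    """Return discrepancies as (kind, relative_path) tuples; an empty list means intact."""
    problems = []
    if entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        problems.append(("manifest_altered", ""))
    root = Path(evidence_dir)
    expected = {e["path"]: e["sha256"] for e in manifest["entries"]}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(("missing", rel))
        elif sha256_file(root / rel) != digest:
            problems.append(("modified", rel))
    for rel in present - set(expected):
        problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Build a manifest over constructed sample artefacts, then show that verification
    flags a file altered after acquisition and a file that was not part of the seizure."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample artefacts standing in for a mail log and a traffic dump.
        (root / "maillog").write_bytes(b"Jan 01 00:00:01 srv postfix/smtpd[123]: connect from unknown\n")
        (root / "pcap").mkdir()
        (root / "pcap" / "capture-01.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
        manifest = build_manifest(root, "J. Examiner (hypothetical)",
                                  "srv-01 disk image and traffic dumps (constructed sample)")
        clean = verify_manifest(manifest, root)
        # Simulate what an incomplete chain of custody would hide: a wiped log and a stray file.
        (root / "maillog").write_bytes(b"")
        (root / "notes.txt").write_text("added after acquisition")
        tampered = verify_manifest(manifest, root)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition:", before)
    print("after tampering:  ", after)
```

The manifest is sealed by a digest over its own file list, so a later edit to the manifest is detected just as an edit to an artefact is; in practice the manifest and its digest are stored separately from the evidence (and the digest is written into the case notes), and each hand-over appends to `custody_log` rather than overwriting it.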


  1. "Talking to the crew" A software development company reported suspicious activity on its network, which we were asked to investigate. Traffic analysis showed that one of the company's Linux servers was being used as a spam mail relay and a peer-to-peer file distribution node while hosting an unauthorised IRC service, all signs of a successful break-in. Traffic dumps were prepared as evidence, and the server was later quarantined, with images of its hard drives and dumps of its operational memory taken and thoroughly analysed. The investigation discovered both the vulnerable network service and the likely exploit used to gain unauthorised access. The chat and peer-to-peer file sharing services set up by the attackers, as well as alterations to the legitimate e-mail service running on the server, were studied and documented as evidence for the Court of Law. However, the hackers had done a very good job of erasing all logs beyond any reasonable restoration, and the company had no centralised logging system. Even though the standard anti-rootkit utilities did not discover any backdoors, we could not believe that the hackers had not left a well-planted rootkit in place. A lateral approach was needed to proceed any further with the investigation. All suspicious traffic captured by the company's system administrators, and during the investigation prior to isolation of the server, was extensively studied for any traces of the attackers' online credentials and whereabouts. Every pointer arising from those traces was then followed up on the Internet, finally leading us to a "crew" of Romanian hackers as the highly likely perpetrators of the break-in.
  A social engineering approach, posing as a motivated novice seeking advice from more experienced "colleagues", was used against the hacker group, and after a few days of conversation it eventually handed us all the information needed to search for and neutralise the custom rootkit (which was then discovered on two more systems belonging to the company). In the meantime, all evidence was submitted to the authorities.
  2. "Angry busybody" A multinational oil company suffered a disclosure of confidential personal information and hired our consultants to establish the definite source of the leak. We thoroughly investigated all Human Resources department servers and workstations storing such information, looking for any potential signs of unauthorised access as well as backdoor and keystroke logger installation. As a result, the time, likely source and detailed nature of the unauthorised access to personnel files were clearly established. The malcontent appeared to know valid administrative login credentials and did not use any exploits to gain access to the systems involved. He or she connected remotely via the corporate VPN and copied the information on selected employees by opening the files and cutting and pasting their contents into a separate document. Some of the documents accessed were password-protected and were apparently broken into via a standard dictionary attack, as the passwords were not strong enough. Later, some but not all of the personal data obtained by the attacker was selectively distributed from a free webmail account registered under a non-existent name. Our consultants worked closely with the internal investigation team to discover the true identity of the malcontent and to eliminate the possibility that an external hacker or a physical impostor had hijacked and abused the resources used for the unauthorised access. Eventually, it turned out that a system administrator at one of the company's remote branches was clearly guilty. When the documented evidence collected by our team was presented to him at a disciplinary hearing, the perpetrator confessed that he did it out of personal dislike and revenge. He was summarily dismissed; however, the company's management decided not to pursue the case in the Court of Law.
  As a side result of the investigation, the company introduced stricter access policies and password guidelines, together with the technical configuration safeguards needed to enforce them in practice. We assisted their IT team in implementing these countermeasures, so that the probability of similar attacks in the future is strongly reduced.