I'm sending you my assignment



Part A: Preparing the lab

Import the VM provided in blog.mysportclub.ex.ova into VirtualBox. This is a webserver for which you do not have the credentials, so you will need an ISO file for Kali Linux to boot from. You can download the Kali installer from https://www.kali.org/get-kali/#kali-bare-metal.

1. In the VM settings, configure the optical drive to use the Kali Linux ISO file. Capture a screenshot.

2. Make sure the VM will boot first from the DVD. Capture a screenshot of the proper setting.

3. Boot the VM. In Kali's boot menu, choose Advanced options → Rescue mode. Later, you are asked about the root filesystem. Choose "Do not use a root file system". Then, "Execute a shell in the installer environment". You will need to mount the webserver's disk partitions somewhere in the filesystem. Execute "fdisk -l /dev/sda" to see all partitions in the webserver's disk. Capture a screenshot. IMPORTANT NOTE: If you restart at some point, this and the next steps must be repeated.

4. Execute "vgdisplay" to show all volume groups. Then, "lvdisplay" to show all logical volumes and which group they belong to. As you probably noticed, you cannot scroll the output, so it is more convenient to paginate it with "lvdisplay | more". Enumerate the 5 volumes you found (just write down the names, no screenshot).

5. Create a directory /mnt/blog and mount the root volume there using the device file shown in "LV Path". Then, show the content of the mount point, which should be the standard root directory. Capture a screenshot of the successful commands. Tip: the mount command you need is based on "mount -o ro DEVICE MOUNT_POINT".

6. The webserver's logs were stored originally in the standard directory /var/log. Therefore, to access them you need to mount the corresponding logical volume in /mnt/blog/var and access them using the new path /mnt/blog/var/log. Capture a screenshot of the corresponding mount and ls commands.

7. Execute "mount" without parameters and double-check that both filesystems are mounted read-only. Why do we need to make sure? What would happen if forensic evidence were altered somehow?

Part B: Logs analysis

Based on the information in ENISA_Webserver_Analysis.pdf, provided with the lab, you need to analyze the webserver logs as part of your forensic investigation. The server with IP 195.251.97.97, which runs WordPress and hosts http://blog[.]mycompany[.]ex, was compromised on August 19th, 2016. Refer to section 3.4.1 as a guideline, but you do not need to perform all tasks.

8. Move to /mnt/blog/var/log/apache2 to find Apache's logs. Execute "tail -5 access.log" to get familiar with the fields found in every single entry. What browser was used in the last log entry?

9. The first field is the IP address of the system that accessed the webserver. As you can see, the last entries show the server itself. To exclude them, use the parameter -v in grep. Show the last 3 lines that do not relate to the server itself, either as 195.251.97.97 or ::1.

10. You can observe that the IP address in these lines is 10.0.0.15, but there could be other IP addresses. Obtain them all using the command-line example in the PDF that combines cat, awk, sort and uniq.

11. Nonetheless, most connections originate from this local IP address. Execute "grep ^10.0.0.15 access.log | tail -5". It seems the attacker uploaded a file c99.php somewhere in the WordPress document root. Usually WP's document root is under /var/www/html. However, we are working with everything mounted under /mnt/blog. Therefore, the full path is /mnt/blog/var/www/html. Move there, then to the wordpress directory. From this point on, you need to move to where the file c99.php is, as per the information you observed in the log. What is the full path of this file?

12. Move to the folder (you can press TAB to complete the directories' names). Execute "head -20 c99.php". What is suspicious?

13. What kind of file is it (other than a PHP script), used by attackers to gain persistence?

14. What are 3 ways of mitigating vulnerabilities in jQuery-File-Upload?

ENISA_Webserver_Analysis.pdf (provided with the lab)

Forensic Analysis
Webserver analysis
Toolset, Document for students
1.0, DECEMBER 2016
European Union Agency For Network And Information Security
www.enisa.europa.eu

Forensic Analysis 1.0 | December 2016

About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact
For contacting the authors please use [email protected]. For media enquiries about this paper, please use [email protected].

Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2016
Reproduction is authorised provided the source is acknowledged.

Table of Contents
1. Introduction to the training 5
2. Case materials 6
   Provided case materials virtual environment 6
   Forensic Linux distribution 6
   Using the .ova files 7
3. Exercise 10
   PART 1: Exercise briefing 10
   PART 2: Forensic capture process 10
   PART 3: Forensic capture 10
   3.3.1 TASK 1: Handle the provided materials in a forensically sound way 10
   PART 4: Examination 11
   3.4.1 TASK 2: Examine blog.mycompany.ex 11
   3.4.2 TASK 3: Examine blog.mysportclub.ex 13
   3.4.3 TASK 4: Examine coloserver1337.myhosting.ex 14
   PART 5: (Linux) Forensic analysis of evidence 15
   3.5.1 TASK 5: Analyse the evidence 15
   PART 6: Reporting and follow up actions 15
   3.6.1 TASK 6: Advise on the course of action 15
   PART 7: Exercise summary 15

Main Objective: Familiarize students with webserver and Linux forensic best practices.
Targeted Audience: CSIRT Teams / Personnel handling digital forensic investigations
Total Duration: 8 hours
   PART 1: Exercise briefing                                           1 hour
   PART 2: Forensic capture process                                    0.5 hour
   PART 3: Forensic capture (including task 1)                         0.5 hour
   PART 4: Examination (including task 2, 3, 4)                        4 hours
   PART 5: (Linux) Forensic analysis of evidence (including task 5)    1 hour
   PART 6: Reporting and follow up actions (including task 6)          0.5 hour
   PART 7: Exercise summary                                            0.5 hour
Frequency: Once per person

1. Introduction to the training

This training requires the students to perform a forensic analysis of three (web) servers, identified during the first two exercises as taking part in a malicious campaign. This exercise can be done by itself or as part of the whole digital forensics training. Following the leads from day one and two, there is a suspicion that a web server had been compromised. We are permitted to analyse three virtual server images acquired from hosting companies: drive-by, exploit kit (EK) landing page hosting malware and the drop zone. While all three tasks sound similar and have a common base (system forensics with the same computer forensic fundamentals), we will acquire different information during this exercise. All three systems contain traces of malicious activity corresponding to evidence found on workstations. These traces of malicious activity suggest there were other victims and plenty of other traces making the analysis harder. The students can also find traces of system compromise.

2. Case materials

Provided case materials virtual environment
In addition to the training documents, students will need three Virtual Machine images and one memory dump. The four files are provided as listed in the table below and are 3.2 GB in total.

Digital course materials needed
Filename                              MD5                               Size
blog.mycompany.ex.ova                 53ce9a84a45245982ec0f83e34a30d99  601 M
blog.mysportclub.ex.ova               607da2690bd2534f19b822ba577c67be  698 M
coloserver1337.myhosting.ex.ova       89bbc0c890a50c4b0dfdc007cb8013f2  739 M
coloserver1337.myhosting.ex.mem.elf   2d8aa26385d9b0194131d3885ed9750f  1.1 G
Figure 1: Digital course materials needed

Forensic Linux distribution
As mentioned in the previous exercises, the student will use CAINE 7.0 to do the exercises. CAINE is a bootable Linux image that offers a complete forensic environment with a graphical interface. Below are the details and download location of the ENISA CAINE Virtual Machine and the download location of the default CAINE ISO file.

ENISA CAINE 7.0 VM
In the 2 previous exercises we used a CAINE 7.0 virtual machine prepared by ENISA. If you do only this exercise, the download information is below.

$ wget https://s3-eu-west-1.amazonaws.com/ec36e00dc3efcc0343dc3b5af90dba39/Caine.ova.7z

There is a password on the 7z file, which is infected128. To log in to the virtual machine you can use the following account information: User: enisa, password: enisa.

CAINE 7.0 ISO
This exercise can also be done with a standard CAINE live DVD. The screenshots provided are based on the standard CAINE 7.0 ISO unless mentioned.

$ wget http://caine.mirror.garr.it/mirrors/caine/caine7.0.iso
MD5: 6609E10773B10D96EAE92C204B862BE3

Figure 2: CAINE 7.0 desktop (source: http://www.caine-live.net/menu.jpg)

Using the .ova files
Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines. The entire directory can be distributed as an OVA package, which is a tar archive file with the OVF directory inside. An OVF package consists of several files placed in one directory [1]. In this example we do an import of the Caine.ova. If it is already there you can skip this step.

[1] https://en.wikipedia.org/wiki/Open_Virtualization_Format

Figure 3: Import CAINE 7.0 step 1 in VirtualBox (source: screenshot by ENISA)
Figure 4: Import CAINE 7.0 step 2 in VirtualBox (source: screenshot by ENISA)
Figure 5: Import CAINE 7.0 step 3 in VirtualBox (source: screenshot by ENISA)

3. Exercise

PART 1: Exercise briefing
Duration: 1 hour

PART 2: Forensic capture process
Duration: 0.5 hour

PART 3: Forensic capture
Duration: 0.5 hour

3.3.1 TASK 1: Handle the provided materials in a forensically sound way
In TASK 1 we will handle evidence files in a forensically sound way. You will need:
- The three Virtual Machine images (.ova files) and the memory dump provided with this module.
Starting point: As an investigator you received three .ova files from
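Steps 4 to 7 of Part A, written out as a shell script. This is an added example, not part of the assignment or of the ENISA document. The LV device paths are placeholders (use the "LV Path" values your own lvdisplay prints), and the two blocks of "mount" output are constructed, not captured from the real VM. The mount function needs root and a real LVM layout, so it is only defined; the read-only check runs against the constructed samples and is what a practitioner would run right after step 7.

```shell
#!/bin/sh
# Added example for Part A (steps 4-7). Not the lab's or ENISA's code.
# Device paths are placeholders (assumption): take the real ones from
# the "LV Path" lines that lvdisplay prints on your VM.

# Mount the evidence volumes read-only in the order the lab describes:
# the root volume on /mnt/blog first, then the /var volume on /mnt/blog/var.
# Needs root and real LVM devices, so it is defined but not run here.
mount_evidence_ro() {
    root_lv="$1"      # e.g. /dev/blog-vg/root  (placeholder, assumption)
    var_lv="$2"       # e.g. /dev/blog-vg/var   (placeholder, assumption)
    vgchange -ay                                 # activate all volume groups
    mkdir -p /mnt/blog
    # ro: never write to evidence. noexec,nosuid,nodev: never execute
    # anything (such as the uploaded webshell) from the evidence filesystem.
    mount -o ro,noexec,nosuid,nodev "$root_lv" /mnt/blog
    mount -o ro,noexec,nosuid,nodev "$var_lv"  /mnt/blog/var
}

# Step 7 check. Takes a mount-point prefix and the text that "mount" prints
# (one "DEV on DIR type FS (opts)" line per filesystem) and confirms that
# every filesystem at or below the prefix carries the "ro" option.
# Returns 0 if all are read-only, 1 if any is writable, 2 if none matched.
check_ro() {
    prefix="$1"
    found=0
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        dir=$(printf '%s\n' "$line" | awk '{print $3}')
        case "$dir" in
            "$prefix" | "$prefix"/*) ;;
            *) continue ;;
        esac
        found=$((found + 1))
        # The options are the parenthesised, comma-separated list at the end.
        opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\)).*/\1/')
        # Match ",ro," exactly: "errors=remount-ro" must NOT count as ro.
        case ",$opts," in
            *,ro,*) ;;
            *) bad=$((bad + 1)); echo "NOT read-only: $line" >&2 ;;
        esac
    done <<EOF
$2
EOF
    [ "$found" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample "mount" output (not captured from the real VM).
GOOD_MOUNTS='/dev/mapper/blog--vg-root on /mnt/blog type ext4 (ro,relatime)
/dev/mapper/blog--vg-var on /mnt/blog/var type ext4 (ro,relatime)'
BAD_MOUNTS='/dev/mapper/blog--vg-root on /mnt/blog type ext4 (ro,relatime)
/dev/mapper/blog--vg-var on /mnt/blog/var type ext4 (rw,relatime,errors=remount-ro)'

# On the rescue shell the live form is:  check_ro /mnt/blog "$(mount)"
check_ro /mnt/blog "$GOOD_MOUNTS" && echo "sample 1: all evidence mounts are read-only"
check_ro /mnt/blog "$BAD_MOUNTS"  || echo "sample 2: a writable evidence mount was found"
```

The second sample is the trap the check is built for: an ext4 volume mounted rw still shows "ro" inside "errors=remount-ro", so a naive grep for ro passes it. Matching the option as a whole comma-delimited token is what makes the step-7 check trustworthy.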
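Steps 8 to 11 of Part B, as shell functions over a constructed access.log. This is an added example, not the lab's or ENISA's code. The log lines are made up to mimic Apache's combined format (same field layout as the real access.log, different content), and the path under wp-content/EXAMPLE is a placeholder, not where c99.php actually is on the VM; that has to come from the real log. The functions take the log text as an argument so the example runs offline; on the rescue shell pass "$(cat access.log)" instead.

```shell
#!/bin/sh
# Added example for Part B (steps 8-11). Not the lab's or ENISA's code.
# SAMPLE_LOG is CONSTRUCTED; the EXAMPLE directory is a placeholder and
# not the real location of c99.php on the VM.

SAMPLE_LOG='10.0.0.15 - - [19/Aug/2016:10:01:12 +0200] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
10.0.0.150 - - [19/Aug/2016:10:01:30 +0200] "GET /wordpress/?p=2 HTTP/1.1" 200 4410 "-" "curl/7.47.0"
10.0.0.15 - - [19/Aug/2016:10:02:03 +0200] "POST /wordpress/wp-content/EXAMPLE/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
10.0.0.15 - - [19/Aug/2016:10:02:40 +0200] "GET /wordpress/wp-content/EXAMPLE/c99.php?act=ls HTTP/1.1" 200 40211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
198.51.100.7 - - [19/Aug/2016:10:05:00 +0200] "GET /wordpress/?p=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/52.0"
195.251.97.97 - - [19/Aug/2016:10:06:00 +0200] "GET /wordpress/wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/4.5"
::1 - - [19/Aug/2016:10:06:01 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.10 (internal dummy connection)"'

# Step 8: the browser (User-Agent) of the last entry. In combined format the
# double quote splits a line into fields; the user agent is field 6.
last_user_agent() {
    printf '%s\n' "$1" | tail -n 1 | awk -F'"' '{print $6}'
}

# Steps 9-10: every client that is not the server itself, with hit counts,
# busiest first, as "IP COUNT". Dots are escaped and a trailing space is
# anchored, so the server pattern cannot also swallow a longer address.
client_ips() {
    printf '%s\n' "$1" | grep -v -e '^195\.251\.97\.97 ' -e '^::1 ' \
        | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Step 11: the request lines of one client. Unlike "grep ^10.0.0.15", the
# escaped, space-anchored pattern does not also match 10.0.0.150.
requests_from() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep "^$ip_re " | awk -F'"' '{print $2}'
}

# Step 11: each distinct URL path containing a file name, query string
# stripped, translated to its location on the evidence mount (the lab
# states the document root /var/www/html sits under /mnt/blog).
evidence_paths_for() {
    name="$1"
    printf '%s\n' "$2" | awk -F'"' '{print $2}' | awk '{print $2}' \
        | grep -F -- "$name" | sed 's/?.*//' | sort -u \
        | sed 's#^#/mnt/blog/var/www/html#'
}

echo "browser of the last entry: $(last_user_agent "$SAMPLE_LOG")"
echo "clients (IP COUNT):"
client_ips "$SAMPLE_LOG"
echo "requests from 10.0.0.15:"
requests_from 10.0.0.15 "$SAMPLE_LOG"
echo "c99.php on the evidence mount:"
evidence_paths_for c99.php "$SAMPLE_LOG"
```

The sample deliberately contains a 10.0.0.150 client: the lab's "grep ^10.0.0.15" matches it too, because the unescaped dots match any character and nothing stops the match after "15". Anchoring on the space that follows the address is the cheap fix when attributing requests to one host.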
Answered 298 days after Oct 29, 2022


Ajay answered on Aug 24 2023