Forensics

Jan 23, 2003

I have an internal database that is used for small internal applications. It is nothing critical, so security is not very tight on it, everyone logs in as sa.
Today a bunch of tables suddenly had zero record count. The person mainly responsible for the application had just been put on probation for lack of effort... Just enough tables were emptied to disable the application, but since the one main table was left untouched, everything can be rebuilt.
My question is, what traces should I be looking for to help me determine if this guy did it himself, so that he can look like a hero when he stays here all night to 'fix' it. I have the transaction log, NT2000 system log and almost everything else. Any help would be great. I really do hope that he did not do it.

Thanks
Steve


SQL Injection Forensics

Jan 15, 2008

Hi all, long time lurker, first time poster.

One of those fantastic mornings, an hour late, no coffee, walk through the door and the first words I hear are "we've been hacked!"

Ugh.

Turns out there is one and only one place on the website that isn't properly protected against SQL injection attacks and somebody found it (now fixed). It doesn't look bad - a new table has been added, dbo.a_LyHungTraVinh_a with two empty columns [LyHungTraVinh VNC Hacked] and [Good Bye My Love]. I was somehow hoping my first hack would be more clever, so I'm also having to cope with mild disillusionment.

But I think I can get over that, what I'm really hoping for your help with is how to proceed with the forensics and clean-up. See, our DBA resigned a couple weeks ago and we're in the cute situation of not having one at this moment - I'm certainly not one. It looks like this is just a random act of harmless vandalism but I'd feel better if we did our full due diligence. Here's what we've done so far, any additional advice or links to resources would be greatly appreciated.

1. Identified and closed the vulnerability
2. Ran AdeptSQL_Diff and compared the production db with an archived version - other than the aforementioned new table, the schema and data are unchanged
3. ... that's it.

I suspect using DBCC LOG and/or fn_dblog would be helpful to review the attacker's transactions, but I'm having a devil of a time finding information on how to use those, particularly about what permissions I need to use them.

thanks!


Cemail.vol And Pim.vol Forensics

Apr 22, 2008

Hello all,

I work in a computer forensics capacity and came across a Windows Mobile device that needs to be analyzed. I was able to copy out cemail.vol and pim.vol from the device and hope to extract a set of contacts / emails / text messages, etc. in a nice way.

From what I understand, both of these files are in EDB formats and there are APIs that allow for accessing data in these two files. However, this needs to be done on a PC without affecting the mobile device in any way.

Is that possible?

I attempted to run the emulator that comes with the WM SDK, but am not able to rename cemail.vol and copy over my extracted file.

Any suggestions or thoughts for code / etc that can be used to analyze the above on the PC and not on the device itself?

Thanks in advance!

P.S. if this is not the correct forum to post this in, please let me know and perhaps point me in the right direction.

Copyrights 2005-15 www.BigResource.com, All rights reserved