How To Approach A Server And Search For Malware Capstone Project

XYZ Company Tasking

The plan for processing the potential crime or incident scene depends on maintaining the integrity of both the scene and the data. The first step is therefore to protect the scene from contamination, which makes preparation for the search an important part of the process.

The team should have the legal authority to proceed with the seizure of evidence, and this authority should be shown upon arrival. Likewise, the team should use safety equipment when arriving on the scene to ensure that nothing is jeopardized (U.S. Department of Justice, 2008).

To prepare for the search, the team will first document the condition and state of the scene. Before anything is moved, the team should photograph all the workstations involved and record what is displayed on their screens. It is important to assess the current state of the system before any investigative work begins. Computers that are still running should be left on, since this keeps open any connections established through the illegal activity (they would be lost if the computers were powered off). However, if software running on a computer is actively damaging the computer or network, the device may be shut off promptly. Back-up servers should be in place to maintain the organization's workflow in case the servers under scrutiny need to be disconnected for inspection. A continuity of operations plan should be in place and ready to be implemented before the team begins collecting data.

The team will identify potential digital evidence by understanding that digital evidence contains fingerprints, so to speak -- DNA-like traces that are left behind whenever a process is changed. However, evidence can easily be lost or changed without anyone noticing; therefore, time is of the essence, and as soon as the team arrives it should seek to corral Internet-based, computer-based, and mobile device evidence wherever the participants' accounts of what happened suggest it is applicable (National Forensic Science Technology Center, 2015a).

Once data is collected it must remain free from contamination. Digital evidence can be lost or damaged during recovery or transfer, so it is essential that a copy (image) of the data is produced as a backup. This means the device(s) in question are copied onto a separate, clean medium, i.e., one that has not been used before. The backup medium must be free of all data, because anything already on it could end up being examined by the investigation team. Thus a drive that has merely been erased should not be used as a backup: unless it has been wiped, content may still exist on it and interfere with the investigation.

All digital evidence should be labeled and identified with information about where it came from, its purpose in the facility, its precise location when found, and why it was collected. The evidence should then be packaged and shipped securely. Secure transfer includes signing packages out and in, and ensuring that all data is transferred and monitored through checkpoint processes at both hand-over and receipt.

To ensure proper storage and a proper chain of evidence, logs will be kept and maintained of every individual who takes or hands over custody of evidence, from the crime scene investigators to the team members in the laboratory where the evidence will be examined. Without a proper chain of evidence, data can be lost or altered -- and if there is no record of who handled the evidence last, it becomes an issue of accountability and responsibility.

Approaching the Computer

The next step is to install write-blocking software onto the suspect device(s), which prevents any changes to them (National Forensic Science Technology Center, 2015). Any malware that exists on the system has the capacity to harm it further, so it is important to neutralize and/or contain it. If the computer has been turned off, a software application can be installed and run in the computer's safe mode to search for malware. This ensures that the malware is not re-activated when the computer is turned on, because safe mode allows the computer to run only basic operations. Malwarebytes is one such application that can be used in this situation to search, scan and detect malware...

Likewise, an Internet Relay Chat (IRC) channel can be used to keep a malware attack disguised from the user. It can quickly escalate into a full-blown attack that completely disrupts an organization's information systems (IS).

Imaging the drive will involve a program such as DriveImage XML, which allows the team to duplicate the drive and store the copy on a separate medium. Windows XP lacks the built-in drive-imaging option that Windows 7 has, so this kind of software is needed. Other alternatives include Norton Ghost or HDClone. The process requires installing a new drive, selecting the source drive, and identifying the destination drive.
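The imaging and custody steps above (a clean, never-used destination medium; a verified copy; a labeled record of where each item came from and who handled it) can be carried out as one script. The following Python example is added here and is not code from the original paper or from DriveImage XML; the suspect drive is a constructed file, and the item identifier, locations and handler name are assumptions. It refuses a destination that is not fully wiped, hashes the source while copying, re-reads the image from disk to verify the hash, and appends a custody record.

```python
"""Added example (not from the original paper): image a suspect drive onto a
wiped medium, verify the image, and append a chain-of-custody record.
The drive, the media and all custody details below are constructed/assumed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy and hash in 1 MiB blocks


def medium_is_clean(path, chunk=CHUNK):
    """True only if every byte on the destination medium is zero. A drive that was
    merely "erased" still carries old content and fails this check."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if any(block):
                return False
    return True


def image_device(source, destination, chunk=CHUNK):
    """Copy the source onto the destination block by block, hashing the source
    as it is read. Returns (source_sha256, bytes_copied)."""
    src_hash, copied = hashlib.sha256(), 0
    with open(source, "rb") as src, open(destination, "r+b") as dst:
        while block := src.read(chunk):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    return src_hash.hexdigest(), copied


def hash_image(destination, length, chunk=CHUNK):
    """Re-read the first `length` bytes of the medium from disk and hash them, so
    the verification does not simply trust the bytes that were just written."""
    img_hash, remaining = hashlib.sha256(), length
    with open(destination, "rb") as dst:
        while remaining > 0 and (block := dst.read(min(chunk, remaining))):
            img_hash.update(block)
            remaining -= len(block)
    return img_hash.hexdigest()


def acquire(source, destination, log_path, item_id, origin, location, reason, handler):
    """Refuse a non-wiped medium, image the source, verify the image against the
    source hash, then append a custody record (JSON lines). Returns the record."""
    if not medium_is_clean(destination):
        raise RuntimeError("destination medium is not wiped; refusing to image onto it")
    src_sha, size = image_device(source, destination)
    if hash_image(destination, size) != src_sha:
        raise RuntimeError("image hash does not match the source; acquisition failed")
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "item_id": item_id, "origin": origin, "location_found": location,
        "reason_collected": reason, "handler": handler,
        "bytes": size, "sha256": src_sha,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Run the procedure on constructed data in a temporary directory: once against
    an 'erased' medium that still holds old data (rejected), once against a wiped one."""
    custody = dict(item_id="ITEM-001", origin="workstation 7 (assumed)",
                   location="desk 3, room 210 (assumed)",
                   reason="suspected malware infection", handler="examiner A (assumed)")
    drive_bytes = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for a drive
    with tempfile.TemporaryDirectory() as tmp:
        source, wiped, erased, log_path = (os.path.join(tmp, n) for n in
            ("suspect_drive.img", "wiped_medium.img", "erased_medium.img", "custody.jsonl"))
        with open(source, "wb") as f:
            f.write(drive_bytes)
        with open(wiped, "wb") as f:          # wiped medium: all zeros, larger than the source
            f.write(b"\x00" * (len(drive_bytes) + 4096))
        with open(erased, "wb") as f:         # "erased" medium: leftover content remains
            f.write(b"\x00" * 512 + b"leftover file content" + b"\x00" * len(drive_bytes))
        rejected = False
        try:
            acquire(source, erased, log_path, **custody)
        except RuntimeError:
            rejected = True
        record = acquire(source, wiped, log_path, **custody)
        with open(log_path, encoding="utf-8") as log:
            entries = log.read().splitlines()
    return {"erased_medium_rejected": rejected,
            "hashes_match": record["sha256"] == hashlib.sha256(drive_bytes).hexdigest(),
            "bytes": record["bytes"], "log_entries": len(entries), "record": record}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real acquisition the source would be the device node or the raw image produced by the imaging tool, and the destination medium would be opened the same way; the SHA-256 written to the custody log is what later examiners compare against to show that the evidence was not altered between hand-overs.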

The areas of her system to be analyzed for evidence of infection and/or modification are those most susceptible to attack. Malware essentially opens holes in the software that must be patched, so it is important to identify both those holes and the location where the malware is stored.

Entering safe mode, by tapping the F8 key repeatedly as the computer starts, ensures that the malware is not activated; the computer offers safe mode as one of its boot options. Safe mode does not look the same as normal mode, because the system is not running in the fullest sense of the word. A virus scan should then be run, but it completes more quickly if temporary files are deleted first. A disk cleanup is therefore the next step in the process, and it can be selected from System Tools under Accessories.

Malware scanning software should then be used, and because malware is constantly being upgraded and rewritten, it is important that this software is current and updated. There are a variety of options available, such as Malwarebytes and Kaspersky.

Another approach, since the computer runs Windows XP, is to go directly to the registry: click Run and type regedit.exe, which opens the Registry Editor. By expanding HKEY_CURRENT_USER and then the Software key, the team can reach the Windows entries and see which programs launch at startup. Viruses can be identified by the "location of the application" which they are calling (Londis, 2007). If the location is the Application Data folder, the virus is able to re-launch every time the computer reboots -- so this is the place to look.

The name the programmer gave the virus should also be identifiable, and the place where the virus resides should be noted. For example, if it is in the All Users Application Data folder, a right click on the registry key allows the team to delete it. Of course, this only deletes the call that launches the virus -- it has not deleted the virus itself. To be fully safe, the file itself should also be deleted, by going to the Application Data folder. An attempt to delete the file will likely fail because it is running in the computer's memory. What the team can do, however, is rename the file and remove the .exe portion of the name; a .delete tag can be added so that it is easier to find after the computer is rebooted. Rebooting will not cause the file to launch because the call has already been deleted. A quick search for the renamed file will bring it up, and it can now be right-clicked and deleted because it is no longer running in memory.
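The registry check above can also be reviewed offline rather than by clicking through the editor on the suspect machine: regedit can export the key to a .reg file, and that file can be parsed on an examiner workstation. The following Python example is added here and is not from the original paper or from Londis (2007); the export text is constructed, while the key paths are the real Run keys under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (the latter goes beyond the paper, which mentions only HKEY_CURRENT_USER). It lists every startup entry and flags those whose program lives under an Application Data folder, the location the paper singles out.

```python
"""Added example (not from the original paper): parse a regedit export of the
Run keys and flag startup programs located under an Application Data folder.
SAMPLE_EXPORT is constructed; the key paths are the real Windows Run keys."""
import re

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysupdate"="\"C:\\Documents and Settings\\All Users\\Application Data\\sysupdate.exe\" /q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"helper"="C:\\Documents and Settings\\jdoe\\Application Data\\helper.exe"
'''

# Suffix shared by the per-user (HKCU) and machine-wide (HKLM) Run keys
RUN_KEY_SUFFIX = "\\Microsoft\\Windows\\CurrentVersion\\Run"
# "name"="value" lines in a .reg file; backslash escapes are handled inside the groups
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SUSPICIOUS_DIR = "\\application data\\"


def unescape(text):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a plain quote."""
    return re.sub(r"\\(.)", r"\1", text)


def executable_path(command):
    """Pull the program path out of a Run value: a quoted path, or the text up to
    and including the first '.exe', or failing that the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def parse_run_entries(export_text):
    """Return every value under a Run key as a dict with key, name, path and flag."""
    entries, current_key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith(RUN_KEY_SUFFIX.lower()):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, raw = unescape(m.group(1)), unescape(m.group(2))
        path = executable_path(raw)
        entries.append({"key": current_key, "name": name, "path": path,
                        "flag": SUSPICIOUS_DIR in path.lower()})
    return entries


def flagged(export_text):
    """Only the entries that launch from an Application Data folder."""
    return [e for e in parse_run_entries(export_text) if e["flag"]]


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_EXPORT):
        marker = "FLAG" if e["flag"] else "    "
        print(f"{marker} {e['key']}\\{e['name']} -> {e['path']}")
```

A real regedit export is UTF-16 encoded, so read it with open(path, encoding="utf-16") before passing the text in. The output is a finding to document, not an automatic deletion: the removal steps described above (deleting the Run value, renaming the file, deleting it after a reboot) remain a manual, recorded decision.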

Approaching the Database Server

A Microsoft Windows Server 2003 machine running Microsoft SQL Server 2008 has already been upgraded, so the infrastructure should be able to perform a server backup. This is the path that will be chosen to image the server's database. It is vital to copy the database records, as these are important to the organization. The files can be imaged via cloud-computing software and stored in the cloud, or saved with Windows Server Backup, which provides an MMC (Microsoft Management Console) snap-in and a command-line interface that allow the team to back up the full server or only the records, if that is all the organization deems important. For full safety it is considered best to back up the full server (TechNet, 2013).

The approach is direct: log in as Administrator. A separate, clean disk will…

References

Jakobsson, M., & Juels, A. (2010). Server-Side Detection of Malware Infection. NSPW. Retrieved from http://nspw.org/papers/2009/nspw2009-jakobsson.pdf

LaChapelle, C. (2014). Disaster recovery options for smaller companies. NetworkWorld. Retrieved from http://www.networkworld.com/article/2174112/tech-primers/disaster-recovery-options-for-smaller-companies.html

GPost. Retrieved from http://www.groovypost.com/howto/find-and-remove-most-common-viruses-from-pc/

Evidence. Retrieved from http://www.forensicsciencesimplified.org/digital/how.html

TechNet. (2013). Microsoft. Retrieved from https://technet.microsoft.com/en-