XYZ Company
Tasking
The plan for processing the potential crime/incident scene depends upon maintaining the integrity of the scene as well as the integrity of the data. That means the first step is to prevent contamination of the scene. Preparing for the search is therefore an important step in this process.
The team should have the legal authority to proceed with the seizure of evidence and this should be shown upon arrival. Likewise, the team should use safety equipment when arriving on the scene to ensure that nothing is jeopardized (U.S. Department of Justice, 2008).
To prepare for the search, the team will first document the condition and state of the scene. Before anything is moved, the team should photograph all the workstations involved and record what is shown on their screens. It is important to assess the current state of the system before any investigative work begins. Computers that have not yet been turned off should remain on, as this allows any connections established through illegal actions to remain open (they could be lost should the computers be powered off). However, if software running on a computer is damaging the computer or the network, the device may be shut off promptly. Back-up servers should be in place to maintain the organization's workflow in case the servers under scrutiny need to be disconnected for inspection. A continuity of operations plan should be in place and ready to be implemented before the team begins collecting data.
The team will identify potential digital evidence with the understanding that digital evidence carries fingerprints, so to speak: DNA-like traces that are left behind whenever a process is changed. However, evidence can easily be lost or altered without anyone noticing; therefore time is of the essence, and as soon as the team arrives it should seek to corral Internet-based evidence, computer-based evidence, and mobile device evidence wherever the participants' accounts of what happened indicate that they apply (National Forensic Science Technology Center, 2015a).
Once data is collected it needs to remain free from contamination. Digital evidence can be lost or damaged in the process of recovery or transfer; therefore, it is essential that a copy/image of the data is produced as a back-up. This means that the device(s) in question need to be copied onto a separate medium that is clean (i.e., that has not been used before). It is important that the backup medium be free of all data, because any information already on the medium could end up being examined by the investigation team. Thus even a drive that has been erased should not be used as a backup medium, because unless it has been wiped, content may still exist on the drive and interfere with the investigation.
All digital evidence should be labeled and identified with information regarding where it came from, its purpose in the facility, its precise location when found, and why it was collected. This evidence should then be packaged and shipped in a manner that is secure. Secure transfer should include signing out and signing in packages and ensuring that all data is transferred and monitored via checkpoint processes when delivering and taking delivery.
To ensure proper storage and chain of evidence, logs will be kept and maintained of all individuals taking and handing over custody of evidence, from the crime scene investigators to the team members in the laboratory where the evidence will be scrutinized. Without a proper chain of evidence, data can be lost or altered, and if there is no record of who handled the evidence last, it becomes an issue of accountability and responsibility.
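As an added illustration of the imaging and chain-of-evidence handling described above (this is not code from the original paper), the following Python images a constructed in-memory "device", refuses a copy whose hash differs from the source, and records every hand-over in a custody log. The evidence id, examiner names and device bytes are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a seized device; a real source is the raw device read through a write blocker.
SAMPLE_DEVICE_BYTES = b"MBR" + bytes(range(256)) * 8

def sha256_of(stream, chunk=65536):  # chunked so multi-gigabyte images need not fit in memory
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def image_device(source, destination, chunk=65536):
    """Bit-for-bit copy of source onto an emptied destination; return the hash of each side."""
    source.seek(0)
    destination.seek(0)
    destination.truncate(0)  # the destination medium must start with nothing on it
    for block in iter(lambda: source.read(chunk), b""):
        destination.write(block)
    return sha256_of(source), sha256_of(destination)

def custody_record(log, evidence_id, handler, action, digest):
    """Append one chain-of-custody entry: every hand-over or check gets its own line."""
    log.append({"evidence_id": evidence_id, "handler": handler, "action": action,
                "sha256": digest, "utc": datetime.now(timezone.utc).isoformat()})

def acquire(log, evidence_id, handler, source, destination):
    """Image the source, refuse a copy whose hash differs, and log the acquisition."""
    src_hash, dst_hash = image_device(source, destination)
    if src_hash != dst_hash:
        raise RuntimeError("image does not match source; do not work from this copy")
    custody_record(log, evidence_id, handler, "imaged", dst_hash)
    return dst_hash

def verify(log, evidence_id, handler, image, expected):
    """Re-hash the image at each hand-over; a mismatch is logged rather than silently ignored."""
    ok = sha256_of(image) == expected
    custody_record(log, evidence_id, handler, "verified" if ok else "HASH MISMATCH", expected)
    return ok

def run_demo():
    log, image = [], io.BytesIO()
    digest = acquire(log, "EV-001", "examiner A", io.BytesIO(SAMPLE_DEVICE_BYTES), image)
    first_ok = verify(log, "EV-001", "examiner B", image, digest)
    image.seek(0)
    image.write(b"XXX")  # constructed tampering: overwrite the first three bytes of the image
    second_ok = verify(log, "EV-001", "examiner C", image, digest)
    return first_ok, second_ok, [entry["action"] for entry in log]
```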
Approaching the Computer
The next step is to install onto the suspect device(s) software that blocks any changes (i.e., write-blocking software) (National Forensic Science Technology Center, 2015). Any malware present on the system has the capacity to harm it further, so it is important to neutralize and/or contain it. If the computer has been turned off, an anti-malware application can be installed and run in the computer's safe mode to search for malware. This ensures that the malware is not re-activated when the computer is turned on, as safe mode allows the computer to run only basic operations. Malwarebytes is one such application that can be used in this situation to scan for and detect malware on the computer.
Malware can implement a stand-off with the operator and can be launched autonomously via whatever access points were used in the hack (Vacca, 2009). Likewise, Internet Relay Chat (IRC) can be used to keep a malware attack disguised from the user. It can quickly escalate into a full-blown attack that completely disrupts an organization's IS.
The steps to image the drive involve using a program like DriveImage XML, which allows the team to duplicate the drive and store it on a separate medium. Windows XP does not have the same drive-imaging option as Windows 7, so this software will need to be used. Other alternatives include Norton Ghost or HDClone. The process requires installing a new drive, setting the source drive, and identifying the destination drive.
The areas on the HR administrator's system that will be analyzed for potential evidence of infection and/or modification will be those particularly susceptible to attack. Malware essentially creates holes in the program that need to be patched, so it is important to identify these holes and the location where the malware is stored.
Entering safe mode by tapping the F8 key repeatedly when turning on the computer will ensure that the malware is not activated; the computer offers safe mode as a boot option. Safe mode does not look the same as normal mode, because the computer is not operating in the fullest sense of the word. A virus scan should then be run, but this step can be completed more quickly if temporary files are deleted first. A disk cleanup is therefore the next step in the process, and it can be selected from System Tools under Accessories.
Malware scanning software should then be used, and since malware is constantly being updated and rewritten, it is important that this software is current and up to date. There are a variety of options here, such as Malwarebytes and Kaspersky.
Another approach, since the computer runs Windows XP, is to go directly to the registry: click Run and type regedit.exe, which opens the Registry Editor. By expanding HKEY_CURRENT_USER and then the Software key, the team can open the Windows entries and see which programs launch at startup. Viruses can be identified by the "location of the application" that they call (Londis, 2007). If the location is the Application Data folder, the virus is able to re-launch every time the computer reboots, so this is the place to look. The title the programmer gave the virus should also be identifiable, and the place where the virus resides should be noted. For example, if it is in the All Users Application Data folder, a right-click on the registry key will allow the team to delete it. Of course, this only deletes the call that launches the virus; it has not deleted the virus itself. To be fully safe, the file should also be deleted from the file system by going to the Application Data folder. An attempt to delete the file will likely fail because it is running in the computer's memory. What the team can do, however, is rename the file and remove the .exe portion of the name; a .delete tag can be added so it is easier to find after the computer is rebooted. Rebooting will not launch the file because the call has already been deleted. A quick search for the renamed file will bring it up, and it can now be right-clicked and deleted because it is no longer running in memory.
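The registry check above, as an added example that is not part of the original paper: it parses a constructed regedit export of the HKEY_CURRENT_USER Run key and flags startup entries whose executable sits under an Application Data folder. The user name, value names and paths in the sample export are invented.

```python
import re

# Constructed regedit export of the per-user Run key (not taken from a real system); the
# "Updater" and "Sync" entries are invented to show the Application Data pattern.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Documents and Settings\\hradmin\\Application Data\\svchost.exe\" -silent"
"Sync"="C:\\Documents and Settings\\All Users\\Application Data\\sync\\sync.exe"
'''

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_run_entries(reg_text):
    """Return (key, value_name, command) for every string value under a Run/RunOnce key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        key = RUN_KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):        # some other key: stop collecting until the next Run key
            current = None
            continue
        value = VALUE_RE.match(line)
        if current and value:
            # .reg files escape backslashes and embedded quotes; undo that to get the real command
            command = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current, value.group(1), command))
    return entries

def executable_path(command):
    """Strip quoting and arguments: quoted path if present, else the text up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def suspicious_startup(reg_text):
    """Flag startup entries whose executable lives under a user-writable Application Data folder."""
    flagged = []
    for key, name, command in parse_run_entries(reg_text):
        path = executable_path(command)
        if "\\application data\\" in path.lower():
            flagged.append({"key": key, "name": name, "path": path})
    return flagged
```

Flagged entries are candidates for review, not proof of infection; the path each one points at is what the team then locates and examines.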
Approaching the Database Server
A Microsoft Windows 2003 Server running Microsoft SQL Server 2008 has already been upgraded, and therefore the infrastructure should be able to perform a server backup. This is the path that will be chosen to image the server's database. It is vital to copy the database records, as these are important to the organization. These files can be imaged via cloud-computing software and stored in the cloud, or they can be saved with Windows Server Backup, which provides an MMC (Microsoft Management Console) snap-in and command-line tools that allow the team to back up the full server or just the records, if that is all the organization deems important. For full safety it is best to back up the full server (TechNet, 2013).
The approach is direct: log in as Administrator. A separate, clean disk will be needed for the backup, and the NTFS-formatted volumes to be backed up will need to be identified. Tape backup should be replaced by other media. If the backup feature is not installed, it can be installed through Server Manager by opening Features and adding a feature; selecting the Windows Server Backup features along with the backup and command-line tools begins the process (TechNet, 2013). Before this, a recovery manager should be overseeing the process to ensure that the steps are followed accordingly. Likewise, the team should have specified the method of storing the backup, whether cloud services, virtualization, or electronic vaulting systems (LaChapell, 2014). Virtualization can be incorporated into this process, as it allows a duplicate server to be produced and stored.
An appropriate cloning application can assist in this process. One option is EaseUS Todo Backup Server, which allows the team to copy the server's hard drive quickly and efficiently. It is used by launching it, clicking the Clone button, and selecting the source to copy; the sector/destination is then selected.
The areas on the server that can be analyzed for infection are essentially the same in this case as for the computer. As Jakobsson and Juels (2010) note, "a given machine is exposed to a series of events. An event corresponds to any invocation or installation of software, and can be characterized by the code of the calling program, the location from which it was obtained, and the history of user actions leading up to the event" (p. 4). In other words, the server should contain a log of events that can be analyzed -- this is the digital evidence. Both whitelisting and blacklisting can be utilized in order to identify a list of executables or a list of "suspect events" that can be clearly pinpointed so as to understand what has happened in the server (Jakobsson, Juels, 2010, p. 5).
Locations that should be flagged are installed executables, browsed URLs and IP addresses (typical sources of attacks), and opened attachments. In this case an attachment was opened, and it was this attachment that the HR administrator noted as odd because there was nothing in it; thereafter her computer began to behave as though something were wrong. This attachment should be located and its source discovered. It should also be determined what the attachment was part of, whether a hacking tool or an instrument to mine data and information from the administrator's computer. Employee information and private data such as SSNs should be assessed to see whether any access occurred that was not approved by the HR administrator. There should be a trail of evidence linking the opening of the attachment to any such activity, and it can be discovered by searching the server's history and the executables that were installed.
Likewise, a file hash may be instrumental in whitelisting, so as to better identify any dangerous executables. A fingerprinting technique could also be applicable in this case, though the nature of malware and its ability to morph could make this approach of limited use.
A final audit should be conducted of the server to ensure that no firewalls have been breached, that worms have been contained, that malware has been eliminated and viruses flushed out, and that security is effective.
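An added example (not from the paper or the authors it cites) of the whitelisting/blacklisting and attachment-trail analysis described in the preceding three paragraphs: events are classified by file hash first and by origin (opened attachment, browsed URL) otherwise, then laid out chronologically from the moment the attachment was opened. The event records, hashes, program names and the example.invalid URL are constructed.

```python
import hashlib
from datetime import datetime

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed event records (not real logs) shaped after Jakobsson and Juels: the code that ran,
# where it was obtained, and the user action preceding it. Hashes are of invented byte strings.
EVENTS = [
    {"t": "2015-03-02T09:12:00", "program": "outlook.exe", "code": sha256_hex(b"mail client build"),
     "origin": "C:\\Program Files\\Microsoft Office", "user_action": "opened attachment invoice.doc"},
    {"t": "2015-03-02T09:12:07", "program": "setup.exe", "code": sha256_hex(b"dropper"),
     "origin": "email attachment invoice.doc", "user_action": "opened attachment invoice.doc"},
    {"t": "2015-03-02T09:12:30", "program": "upd.exe", "code": sha256_hex(b"second stage"),
     "origin": "http://updates.example.invalid/upd.exe", "user_action": "none (autonomous)"},
    {"t": "2015-03-02T09:40:00", "program": "sqlcmd.exe", "code": sha256_hex(b"sql client build"),
     "origin": "C:\\Program Files\\Microsoft SQL Server", "user_action": "none (autonomous)"},
]
WHITELIST = {sha256_hex(b"mail client build"), sha256_hex(b"sql client build")}  # known-good hashes
BLACKLIST = {sha256_hex(b"dropper")}                                               # known-bad hashes
UNTRUSTED_ORIGINS = ("email attachment", "http://", "https://")  # opened attachments, browsed URLs

def classify(event):
    """Hash decides first; an unlisted hash is judged by where the code came from."""
    if event["code"] in BLACKLIST:
        return "blacklisted"
    if event["code"] in WHITELIST:
        return "whitelisted"
    if event["origin"].lower().startswith(UNTRUSTED_ORIGINS):
        return "suspect"
    return "unknown"

def trail_from(events, trigger_action):
    """Chronological trail from the first trigger_action onward: (time, program, class, ran without user)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["t"]))
    started, trail = False, []
    for e in ordered:
        started = started or e["user_action"] == trigger_action
        if started:
            # a whitelisted tool that runs with no user action after the trigger still merits a look
            trail.append((e["t"], e["program"], classify(e), e["user_action"] == "none (autonomous)"))
    return trail

def review_queue(events):
    """Events an examiner must look at by hand: blacklisted, suspect, or unknown code."""
    return [e["program"] for e in events if classify(e) != "whitelisted"]
```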
Witness Preparation
Preparing the team to be expert witnesses, or to support any expert testimony that a court might require, is important for this task. It depends upon verifying every finding and supporting every step in the process with documentation. This not only helps the team know which steps have been conducted; it also helps when the team's actions need to be recalled for a court proceeding, if it turns out that a hack was conducted and the hackers are identified and prosecuted. It is important that the team be able to trace the history of its findings: how it located an IP address, for instance, indicating where the attack originated, what the attack did, and how it happened (by visiting a web site, for example, or by connecting a mobile device to an unsecured network). In short, the team needs to be able to accurately and adequately divulge every single step it took to bring this information to light.
First, the team should be prepared ahead of time -- before any examination of the computer, crime scene or server is even attempted. The team should understand the potential impact of the investigation and importance of being able to document the course of the attack. It is just like investigating a murder scene; there has to be an understanding of what happened, when, how, and why. This can all be discerned by investigating the computer, the server, the network, the effects, what type of attack it was, how long it lasted, what it did, whether it stole information, etc. Assessing this information and describing it as it is uncovered with time stamps and signature codes given is a vital part of the process. The team should appreciate that when it comes to the law and the time to prosecute, it stands as a serious witness of what happened, because it is at the crime scene first, seeing the damage, putting the pieces together and basically acting like the detective on hand.
Thus it is imperative that the team record everything it does, all its actions and its outcomes. If an activity to investigate a particular sphere yields nothing significant, this should be noted in the log so that at least it is clear that this sphere was investigated. It should also be stated who did the investigation, in case that becomes necessary and it needs to be known who did what process on the team. Accountability and transparency are vital elements in any investigation.
When it comes to testifying in the court room, the team should be advised to answer every question honestly and accurately, and if something is beyond the recall of the team member, it is best to say so. Support should be verifiable and on record; it should not be geared towards providing a foundation for whatever the prosecution seeks to make of it (avoiding sensationalism for its own sake is part of proper accountability). The team should be made aware that the best way to answer questions is to provide an outline/timeline of what it did, when it did it, how it did it, and what it found. No interpretation needs to be made; that is up to the prosecution. All that needs to be assessed are the facts: what happened, how, when and where. Why may be discernible through an investigation into the facts and the outcome, but the team should not be under any compulsion to express an opinion on motive, as that is not its purpose.
Its purpose is to investigate, confirm and verify. This scheme should be documented accordingly so that, when the time comes, verification can be produced in a court of law. These records should be maintained up to the statute of limitations on crimes of this nature or, as a matter of course, for a set number of years for all investigations into incidents. These files can be digitized and reproduced in hard copy.