Deakin University SIT703: Advanced Digital Forensics Assignment

Added on 2019/11/08

AI Summary
This document presents a comprehensive solution to an advanced digital forensics assignment. It begins by addressing rootkit detection and removal using tools like GMER and F-Secure Blacklight. The solution then analyzes Windows event logs (AppEvent.Evt, Internet.evt, SecEvent.Evt, SysEvent.Evt) to identify security events and user activities. Password cracking techniques using tools such as Ophcrack and free XP cracker are explored, along with methods to identify and analyze bogus user accounts, including the use of the "net user" command. The assignment also covers SQL injection vulnerabilities, registry analysis using RegScanner and MSConfig, and the application of RainbowCrack for password cracking. References to relevant resources are included, providing a detailed and practical approach to digital forensics investigation and analysis.
ADVANCED DIGITAL FORENSICS
SANS, the NSA and Saliman Manap provide very good rootkit resources.
F-Secure Blacklight is a rootkit eliminator.
Malwarebytes Anti-Malware is another rootkit scanner and remover.
GMER is a good rootkit scanner and remover.
TDSSKiller
Answer
Scanning is conducted using the GMER application.
Explanation
Arif's machine is checked for rootkit programs, because rootkits can alter the results of the investigation. To confirm that the machine is free of rootkits, the machine is scanned: every available program is scanned and checked for rootkits. GMER is used for this check. GMER is an application designed to detect and remove rootkits; it scans for hidden processes, hidden files, inline hooks and hidden alternate data streams. First, GMER has to be installed on the system that is to be checked for rootkits. After installing GMER, a scan is run through GMER, and detected threats are highlighted in red.
The Windows Event Viewer logs are studied ("Collect and analyze Windows Event logs in OMS Log Analytics", 2017).
Answer
AppEvent.Evt
AppEvent.Evt is a log file; the name expands to Application Event log. Application events are the reports of programs and of their problems.
Internet.evt
Internet.evt is a log file; the name expands to Internet Event log.
SecEvent.Evt
SecEvent.Evt is a log file; the name expands to Security Event log. These files are called the audit files. They show the results of security actions. Results are interpreted depending on the event, and can be either successful or not successful.
SysEvent.Evt
SysEvent.Evt is a log file; the name expands to System Event log. This log displays the error alerts that are seen in the administrative events log, taken from the system. These types of problems mostly resolve themselves.
Answer
The creation of a user account is logged under Event ID 4720. These details should be searched for in the Windows Security Log under Event ID 624 and Event ID 4722.
Answer
The URL starts with the HTTP protocol, not HTTPS, so the web traffic travels in the clear. User names and passwords can be intercepted before they reach the web server, and passwords can be stolen.
The web page is written in PHP, so MySQL is assumed to be the back-end database in this case.
The passwords for a public database can be stored in SQL. SQL injection is a technique that can be used to obtain the passwords; it can be applied to the URL http://www.deakin.edu.au/~zoidberg/SIT703/Login.php, and hence passwords at multiple security levels can also be obtained.
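As an added illustration (not part of the assignment, and not code from the Deakin login page), here is the injectable login query pattern the answer above warns about, beside its parameterized form. An in-memory SQLite table stands in for the MySQL back end the answer assumes; the account "amy", its password and the table contents are constructed sample values.

```python
"""
Vulnerable vs. parameterized login query (added example, constructed data).
SQLite is used in place of MySQL so the script runs offline.
"""
import sqlite3


def make_db():
    """Constructed users table with one account (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('amy', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: user input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Bound parameters: user input is only ever compared as a value, never parsed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both versions with the real password and with the textbook tautology."""
    conn = make_db()
    # Textbook payload: turns the WHERE clause into "... OR '1'='1'" in the
    # vulnerable version, and is just a wrong password in the parameterized one.
    payload = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "amy", "correct-horse-battery"),
        "vuln_payload": login_vulnerable(conn, "amy", payload),
        "param_correct": login_parameterized(conn, "amy", "correct-horse-battery"),
        "param_payload": login_parameterized(conn, "amy", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The parameterized version closes the injection path, but the table above still holds passwords in plain text, which is the second weakness the answer's "passwords stored in SQL" remark points at; a real login table should store salted password hashes, so that even a successful dump does not yield the passwords directly.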
Answer
Amy's username can be found from the events, and the password can be cracked using cracking tools such as Ophcrack ("How To Recover Passwords Using Ophcrack", 2017) and many other tools.
Ophcrack is an open-source program that recovers Windows login passwords from LM hashes using rainbow tables. On most systems it cracks the password within a few minutes. It comes with a GUI and runs on various platforms. Rainbow tables for LM hashes are offered by the developers. It is basically limited by its tables, which only permit recovering Windows passwords of no more than 14 alphanumeric characters. With the bootable USB drive, just boot from it: Ophcrack executes automatically and shows a table of all the Windows users and their passwords, where crackable. SliTaz executes entirely in RAM and does not modify any files on the target system.
The free XP cracker can easily crack passwords. It produces a result with 99.9% success. It cracks the password based on the strength of the password configured by the user: if the password is within 8 characters, it cracks it easily; if the password exceeds 8 characters, it needs additional tables to crack the password.
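The two tools above both rely on precomputed tables, so the defender's question is what makes a stored hash table-resistant. The script below is an added example, not part of the assignment: it builds a lookup table from a small wordlist (the same idea as a rainbow table, without the chain compression) and shows that it recovers unsalted hashes in one lookup, including every user who shares a password, but finds nothing once each user has a random salt and a slow key-derivation function. SHA-256 stands in for the LM hash, and the user names, passwords and wordlist are constructed.

```python
"""
Precomputed table vs. salted storage (added example, constructed data).
Not an LM/NTLM or rainbow-table implementation; SHA-256 plays the unsalted hash.
"""
import hashlib
import os

# Constructed wordlist: the candidate space the table is built from.
WORDLIST = ["password", "letmein", "deakin2019", "qwerty", "Summer19"]


def unsalted_hash(password):
    """Same password always gives the same hash, so one table serves every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Per-user salt plus a slow KDF: a table would have to be rebuilt per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_table(words):
    """The precomputation step: hash each candidate once, reuse the result forever."""
    return {unsalted_hash(w): w for w in words}


def match_against_table(table, stored):
    """Look each stored hash up in the table; returns {user: recovered password}."""
    return {user: table[h] for user, h in stored.items() if h in table}


def demo():
    table = build_table(WORDLIST)

    # Constructed account store: amy and bob chose the same weak password.
    unsalted_store = {
        "amy": unsalted_hash("letmein"),
        "bob": unsalted_hash("letmein"),
        "cat": unsalted_hash("V3ry-l0ng-passphrase"),  # not in the wordlist
    }
    salts = {user: os.urandom(16) for user in unsalted_store}
    salted_store = {
        "amy": salted_hash("letmein", salts["amy"]),
        "bob": salted_hash("letmein", salts["bob"]),
        "cat": salted_hash("V3ry-l0ng-passphrase", salts["cat"]),
    }
    return {
        "unsalted_matches": match_against_table(table, unsalted_store),
        "salted_matches": match_against_table(table, salted_store),
        "unsalted_hashes_identical": unsalted_store["amy"] == unsalted_store["bob"],
        "salted_hashes_identical": salted_store["amy"] == salted_store["bob"],
    }


if __name__ == "__main__":
    print(demo())
```

The 14-character ceiling quoted above is a property of the LM hash itself: it upper-cases the password, truncates it to 14 characters and hashes the two 7-character halves independently, which keeps the tables small. The corresponding mitigation on a Windows host is to stop storing LM hashes at all (the "Do not store LAN Manager hash value on next password change" security policy), rather than to rely on password length alone.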
Answer
From the task above, the following procedure can be used to identify the log-in and log-off of the bogus account.
By using the command "net user", the time of the last logon of a user can be found. The exact command is net user username | findstr /B /C:"Last logon"
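As an added example that is not part of the assignment, the following script ties together the Event ID 4720/4722 answer and the "net user" answer above: it pulls account creations (4720) and enablements (4722) out of a Security-log export, reads the "Last logon" line of "net user" output, and lists each created account with who created it, whether it was enabled, and whether it was created outside business hours. The event records, the "net user" output, the machine and user names and the 08:00 to 18:00 business-hours window are all constructed assumptions; the date format in the "net user" line is the US-locale one and differs on other locales.

```python
"""
Bogus-account review from Security-log events and `net user` output
(added example; all inputs below are constructed samples, not real captures).
"""
import re
from datetime import datetime

# Constructed records in the shape of the Security log's EventData for
# Event ID 4720 (account created) and 4722 (account enabled).
SECURITY_EVENTS = [
    {"time": "2019-11-07 22:41:03", "id": 4720,
     "subject": "ARIF-PC\\arif", "target": "svc_backup"},
    {"time": "2019-11-07 22:41:05", "id": 4722,
     "subject": "ARIF-PC\\arif", "target": "svc_backup"},
    {"time": "2019-11-08 09:10:30", "id": 4720,
     "subject": "ARIF-PC\\Administrator", "target": "amy"},
]

# Constructed, abridged output of `net user svc_backup` (US date format assumed).
NET_USER_OUTPUT = """\
User name                    svc_backup
Full Name
Account active               Yes
Last logon                   11/8/2019 3:02:11 AM
Password last set            11/7/2019 10:41:05 PM
"""

EVENT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
LAST_LOGON_RE = re.compile(r"^Last logon\s+(.+?)\s*$", re.MULTILINE)


def account_creations(events):
    """Map each created account to its creation time, creator and enable time."""
    created = {}
    for ev in events:
        if ev["id"] == 4720:
            created[ev["target"]] = {
                "created": datetime.strptime(ev["time"], EVENT_TIME_FORMAT),
                "created_by": ev["subject"],
                "enabled": None,
            }
    for ev in events:
        if ev["id"] == 4722 and ev["target"] in created:
            created[ev["target"]]["enabled"] = datetime.strptime(ev["time"], EVENT_TIME_FORMAT)
    return created


def last_logon(net_user_text):
    """Parse the 'Last logon' line of `net user`; None when absent or 'Never'."""
    m = LAST_LOGON_RE.search(net_user_text)
    if not m or m.group(1) == "Never":
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")


def review(events, net_user_by_account, business_hours=(8, 18)):
    """One finding per created account; the after-hours window is an assumed threshold."""
    findings = []
    for name, info in account_creations(events).items():
        hour = info["created"].hour
        findings.append({
            "account": name,
            "created_by": info["created_by"],
            "after_hours": not (business_hours[0] <= hour < business_hours[1]),
            "enabled": info["enabled"] is not None,
            "last_logon": last_logon(net_user_by_account.get(name, "")),
        })
    return findings


if __name__ == "__main__":
    for f in review(SECURITY_EVENTS, {"svc_backup": NET_USER_OUTPUT}):
        print(f)
```

On a live system the event records would come from the Security log export and each "net user" block from running the command per account; the script only correlates them. An account created after hours, enabled seconds later by the same subject, and already logged on is the pattern worth escalating, while the daytime creation by the administrator reads as routine.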