SIT703 - Data Forensics: Analyzing System Logs for Security Threats
Added on 2020/07/23
Homework Assignment
AI Summary
This assignment delves into a data forensics investigation, simulating a scenario where a user's laptop has been compromised. The tasks involve scanning the machine for rootkits, repairing corrupted Windows event logs, identifying unauthorized account creation, demonstrating password vulnerability, analyzing logon/logoff times of suspicious accounts, using LogParser to search for specific events, examining the Registry file for suspicious programs, and analyzing an intercepted NTLM authentication session. The assignment utilizes tools like OpenVAS, Ophcrack, and LogParser Studio to analyze system logs, crack passwords, and identify suspicious activities, ultimately aiming to build a forensic report for the police.

Task 1 (Scan your machine)
To ensure that Arif's machine is free of rootkit programs which may alter the
investigation results, he decides to run a thorough scan. Choose at least two
programs and provide the screenshots of the scanning results.
OpenVAS: The Open Vulnerability Assessment System (OpenVAS) is a free
network security scanner platform, with most components licensed under the
GNU General Public License (GNU GPL). The main component is available via
several Linux packages or as a downloadable virtual appliance for
testing and evaluation purposes. Though the scanner itself does not run on
Windows machines, clients for Windows are offered.
Retina CS Community: provides vulnerability scanning and patching for
Microsoft and common third-party applications, such as Adobe and Firefox,
for up to 256 IPs free. It also covers vulnerabilities within mobile devices,
web applications, virtualized applications, servers, and private clouds. It
looks for network vulnerabilities, configuration issues, and missing patches.

Task 2 (Repairing Windows Logs)
Arif decompresses the file "Desktop.zip" and finds 4 Windows event log files.
Describe the information stored in each log file and repair those important
log files so that they can be viewed in Windows Event Viewer.
The Windows event log is a record of a computer's alerts and notifications.
Microsoft defines an event as "any significant occurrence in the system or in
a program that requires users to be notified or an entry added to a log."
The Windows operating system classifies events by type. For example, an
information event describes the successful completion of a task, such as
installing an application. A warning event notifies the administrator of a
potential problem, such as low disk space. An error message describes a
significant problem that may result in a loss of functionality. A success audit
event indicates the completion of an audited security event, such as an end
user successfully logging on. A failure audit event describes an audited
security event that did not complete successfully, such as an end user
locking himself out by entering incorrect passwords.
Each event in a log entry contains the following information:
Date: The date the event occurred.
Time: The time the event occurred.
User: The user name of the user who was logged on when the event occurred.
Computer: The name of the computer on which the event occurred.
Event ID: A Windows identification number that specifies the event type.
Source: The program or component that caused the event.
Type: The type of event (information, warning, error, security success audit
or security failure audit).
Task 3 (Which account is created)
Having repaired the log files, Arif examines one of them in order to identify
which account was created without Amy's consent. Which log file and which
EventID number should Arif search? Provide a screenshot for the account-
creation event.
Arif should examine the security event log and the application log by event ID.
Task 4 (Where is Amy's password)
Having identified the event that a new user was created on Amy's laptop, Arif
telephones Amy and asks whether she can provide more clues. Amy tells him
that she has a personal password safe as an encrypted ZIP file hidden on the
university network. The link to access the password safe is
http://www.deakin.edu.au/~zoidberg/SIT703/Login.php. But Amy is confident
that only she can access her account details because this password safe has
multiple security protection mechanisms. However, Arif wants to
demonstrate that Amy's belief may be too optimistic. Provide screenshots
and describe how Arif can easily access Amy's account information.
Arif can access Amy's account information through the given link.

Task 5 (Amy's password)
Arif has extracted Amy's password safe, but he wants to demonstrate to Amy
that her Windows password can be easily cracked. So he calls Amy and Amy
bets that he cannot get her password. Being challenged and authorized, Arif
decides to crack Amy's Windows password used on her laptop. Work out
what the username and the password are on Amy's laptop.
The Ophcrack Windows password cracker is by far the best free Windows
password recovery tool available. It is fast and easy enough for a first-time
Windows password cracker with a basic knowledge of Windows.
Task 6 (When did things go wrong?)
Amy now realizes that Windows provides very weak protection and she
becomes concerned about the safety of her research data. Arif decides to
look through the log files again in order to identify when the bogus account
logged on to Amy's laptop. Use two screenshots to indicate when the bogus
account logged on and logged off.

Task 7 (I know what you did)
Arif believes that he can find all important activities on Amy's system during
the session time identified above. Which event recorded in the system log
file will tell Arif about the actions performed by the bogus account? When did
this event terminate?
Check the logon and logoff times in Event Viewer under the Security log.
Task 8 (Using LogParser)
Arif recalls that some events with EventID 11728 are closely related to the
installation of Windows programs. He decides to use the program LogParser
to search for the events with EventID 11728 in the log files. List all the events
Arif will find by using LogParser. (Screenshots are required.)
LogParser Studio comes with several pre-built queries, which are a good
starting point and give ideas for going further and developing your own queries.
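As an added example that is not part of the assignment or its answer, the Python script below does offline what Tasks 3, 6, 7 and 8 ask Arif to do in Event Viewer and LogParser: it selects records by EventID (the equivalent of LogParser's "SELECT * FROM Application.evt WHERE EventID = 11728"), lists account-creation events, pairs each logon with the logoff that carries the same Logon ID to get a session window, and lists MsiInstaller 11728 events that fall inside that window. The CSV is constructed to resemble a LogParser CSV export; the user names, times, product names and logon IDs are invented, and the Strings column is simplified. The event IDs are the documented Windows ones (624/4720 account created, 528/4624 logon, 538/4634/4647 logoff), not values taken from Amy's logs.

```python
import csv
import io
from datetime import datetime

# Documented Windows event IDs: legacy .evt IDs first, Vista and later .evtx IDs second.
ACCOUNT_CREATED = {624, 4720}        # "A user account was created" (Security log)
LOGON = {528, 4624}                  # successful logon (Security log)
LOGOFF = {538, 4634, 4647}           # logoff / user-initiated logoff (Security log)
MSI_CONFIGURED = {11728}             # MsiInstaller: product configuration completed (Application log)

# Constructed sample in the shape of a LogParser export such as
#   LogParser "SELECT TimeGenerated,EventLog,EventID,SourceName,Strings FROM Security.evt" -o:CSV
# Names, times and logon IDs are invented. The Strings column is simplified to
# "user|logon_id|..." for logon/logoff, "new_account|creator" for account creation and
# the product line for 11728; real Strings fields carry more pipe-separated fields.
SAMPLE_CSV = """\
TimeGenerated,EventLog,EventID,SourceName,Strings
2019-03-01 09:02:11,Security,4624,Security,amy|0x3e7a1|2
2019-03-01 09:45:00,Application,11728,MsiInstaller,Product: Example Utility -- Configuration completed successfully.
2019-03-01 10:17:40,Security,4720,Security,support|amy
2019-03-01 10:18:05,Security,4634,Security,amy|0x3e7a1
2019-03-01 22:03:19,Security,4624,Security,support|0x5b2c9|10
2019-03-01 22:09:58,Application,11728,MsiInstaller,Product: Remote Tool (constructed) -- Configuration completed successfully.
2019-03-01 22:41:02,Security,4634,Security,support|0x5b2c9
2019-03-02 08:00:00,Security,4624,Security,amy|0x71e00|2
"""


def load_events(csv_text):
    """Parse the CSV export into dicts with a typed EventID, a datetime and a split Strings list."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["EventID"] = int(row["EventID"])
        row["TimeGenerated"] = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        row["Strings"] = row["Strings"].split("|")
        events.append(row)
    return sorted(events, key=lambda e: e["TimeGenerated"])


def select_by_event_id(events, wanted, log=None):
    """Offline equivalent of: SELECT * FROM <log>.evt WHERE EventID IN (<wanted>)."""
    return [e for e in events
            if e["EventID"] in wanted and (log is None or e["EventLog"] == log)]


def accounts_created(events):
    """(time, new account, creating account) for every account-creation event."""
    return [(e["TimeGenerated"], e["Strings"][0], e["Strings"][1])
            for e in select_by_event_id(events, ACCOUNT_CREATED, "Security")]


def sessions(events, account):
    """Pair each logon of `account` with the logoff carrying the same Logon ID.
    Returns (logon_time, logoff_time) tuples; logoff_time is None if no logoff was recorded."""
    open_logons, result = {}, []
    for e in select_by_event_id(events, LOGON | LOGOFF, "Security"):
        user, logon_id = e["Strings"][0], e["Strings"][1]
        if user != account:
            continue
        if e["EventID"] in LOGON:
            open_logons[logon_id] = e["TimeGenerated"]
        elif logon_id in open_logons:
            result.append((open_logons.pop(logon_id), e["TimeGenerated"]))
    result.extend((start, None) for start in open_logons.values())
    return result


def installs_during(events, start, end=None):
    """MsiInstaller 11728 events inside a session window (open-ended when end is None)."""
    end = end or datetime.max
    return [(e["TimeGenerated"], e["Strings"][0])
            for e in select_by_event_id(events, MSI_CONFIGURED, "Application")
            if start <= e["TimeGenerated"] <= end]


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for when, new_acct, by in accounts_created(evs):
        print(f"{when} account '{new_acct}' created by '{by}'")
        for logon, logoff in sessions(evs, new_acct):
            print(f"  session {logon} -> {logoff or 'still open'}")
            for t, product in installs_during(evs, logon, logoff):
                print(f"    {t} {product}")
```

On real data the same functions work over a LogParser CSV of the repaired .evt files; the only change needed is the index into the Strings list, because each event ID documents its own field order.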

Task 9 (The valuable Registry)
Arif feels that things might be very serious, so he decides to go through the
Registry file "Server.reg" in the "Desktop.zip" file. What program(s) will Arif
classify as suspicious? Provide strong reasons.
Type regedit in the Search window and select regedit under Programs in the
results, or type regedit in the Run line, if it is available, and click OK.
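As an added example that is not part of the assignment or its answer, the Python below reads an exported .reg file offline rather than importing an unknown hive into the analyst's own regedit: it parses the [key] sections and "name"="data" values, picks out the autostart keys (Run and RunOnce), and flags entries that launch from user-writable directories or reuse a Windows system binary name outside the Windows directory. The .reg text is constructed for the example; the real Server.reg is not on this page, so the script says nothing about what Arif should conclude from it.

```python
import re

# Constructed .reg export for the example; paths and value names are invented.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VendorTray"="C:\\Program Files\\Example Vendor\\vendor-tray.exe"
"updater"="C:\\Users\\amy\\AppData\\Local\\Temp\\svchost.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="\"C:\\Users\\Public\\helper.exe\" /q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Installed"=dword:00000001
'''

# Autostart locations checked here (a subset of the many persistence keys Windows has).
AUTOSTART_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories an ordinary user can write to; a legitimate service rarely autostarts from them.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Names that belong to binaries living under the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIR_MARKERS = ("\\windows\\", "%windir%", "%systemroot%")

# A value line: "name"=data  or  @=data (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, data) triples for every value in a .reg export.
    Quoted REG_SZ data is unescaped; other types (dword:, hex:) are kept as raw text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def autostart_entries(entries):
    """Values stored under any of the autostart keys, regardless of hive (HKLM or HKCU)."""
    return [e for e in entries
            if any(e[0].lower().endswith(k.lower()) for k in AUTOSTART_KEYS)]


def flag_suspicious(entries):
    """Autostart entries with the reason an analyst would write into the report."""
    findings = []
    for key, name, data in autostart_entries(entries):
        low = data.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        exe = re.search(r"([\w.-]+\.exe)", low)
        if exe and exe.group(1) in SYSTEM_BINARY_NAMES and not any(m in low for m in WINDOWS_DIR_MARKERS):
            reasons.append(f"{exe.group(1)} is a Windows system binary name but runs outside the Windows directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in flag_suspicious(parse_reg(REG_SAMPLE)):
        print(f"{name}: {data}")
        for r in reasons:
            print(f"  - {r}")
```

The two heuristics are deliberately conservative: they point the analyst at entries to examine, and the "strong reasons" the task asks for still come from checking the binary itself (hash, signature, creation time against the session window from the logs).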
Task 10 (Before calling the police)
Arif and Amy feel that they must report to the police about their findings.
Before they write a formal complaint to the forensic team, Arif recalls that he
has intercepted an NTLM authentication session of user "helpdesk" and the
hash is
a83938d111b45823aad3b435b51404ee:e5986e48146ab6a5f677dda1b1766351
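The pair above is in the LM:NT form that pwdump-style tools print. As an added example that is not part of the assignment, the Python below validates such a pair and reports what its structure alone tells an auditor: whether an LM hash is stored at all, whether the NT hash is the empty-password hash, and whether the second LM half is the well-known constant of an empty 7-character block. The constants aad3b435b51404ee and 31d6cfe0d16ae931b73c59d7e0c089c0 are documented properties of the LM and NT schemes, not values taken from the page; the NoLMHash mitigation named in the comment is standard Windows guidance and is my addition.

```python
import re

# Well-known constants of the legacy LM scheme (documented facts, assumed here, not from the page).
# LM hashes a password as two independent DES operations over 7-character halves, so the hash of
# an empty (all-padding) half is always this value and the LM hash of "" is it repeated twice.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash (MD4 of UTF-16LE "") of an empty password

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_lm_nt(pair):
    """Split and validate a 'LM:NT' pair; both halves must be 32 lowercase hex digits."""
    lm, sep, nt = pair.strip().lower().partition(":")
    if not sep or not _HEX32.match(lm) or not _HEX32.match(nt):
        raise ValueError("expected <32 hex LM hash>:<32 hex NT hash>")
    return lm, nt


def assess(pair):
    """Findings an auditor can read off the pair without attempting any cracking."""
    lm, nt = parse_lm_nt(pair)
    report = {
        "lm": lm,
        "nt": nt,
        "empty_password": nt == NT_EMPTY,
        "lm_stored": lm != LM_EMPTY,
        # second half equal to the empty-half constant => the password fits in the first 7 chars
        "short_password": lm != LM_EMPTY and lm[16:] == LM_EMPTY_HALF,
        "findings": [],
    }
    if report["empty_password"]:
        report["findings"].append("NT hash is the empty-password hash")
    if report["lm_stored"]:
        report["findings"].append(
            "LM hash stored: password is at most 14 characters, case-folded and split into 7-char halves")
        if report["short_password"]:
            report["findings"].append(
                "second LM half is the empty-half constant: password is 7 characters or fewer")
    else:
        report["findings"].append(
            "no LM hash (LM storage disabled or password longer than 14 characters): only the NT hash applies")
    return report


# Mitigation (my wording, standard Windows guidance): set the NoLMHash value under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa to 1 and reset affected passwords so that no LM
# hash is stored; assess() over a dump tells you which accounts still carry one.
if __name__ == "__main__":
    # The pair quoted in Task 10 above.
    for k, v in assess("a83938d111b45823aad3b435b51404ee:e5986e48146ab6a5f677dda1b1766351").items():
        print(f"{k}: {v}")
```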

# This is the charset definition file for RainbowCrack.
# Each charset is defined in one line, with the characters of the charset enclosed by "[" and "]".
numeric = [0123456789]
alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
# The charset "ascii-32-95" includes all 95 characters on standard US keyboard
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
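The charset file above is what RainbowCrack reads when it generates tables. As an added example that is not part of the assignment, the Python below parses that file (copied into the script as a constant) and computes the keyspace each charset spans over a length range, which is the number a defender uses to judge how exposed a hash of a given scheme is; for instance, an LM half is at most 7 case-folded characters, so "alpha-numeric" at lengths 1 to 7 bounds it. The parser and the keyspace function are my own; nothing about RainbowCrack's table format is assumed, and the tricky part the parser handles is that "[" and "]" may themselves appear inside a charset.

```python
# The charset definition file as printed in the document, embedded for an offline run.
CHARSET_FILE = r"""# This is the charset definition file for RainbowCrack.
# Each charset is defined in one line, with the characters of the charset enclosed by "[" and "]".
numeric = [0123456789]
alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
# The charset "ascii-32-95" includes all 95 characters on standard US keyboard
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
"""


def parse_charsets(text):
    """Map charset name -> character string.
    Brackets may occur inside a charset, so the content is taken from the first '['
    to the last ']' of the line rather than by matching pairs."""
    charsets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {raw!r}")
        rest = rest.strip()
        start, end = rest.find("["), rest.rfind("]")
        if start != 0 or end != len(rest) - 1 or end <= start:
            raise ValueError(f"charset not enclosed by [ and ]: {raw!r}")
        chars = rest[1:-1]
        if len(set(chars)) != len(chars):
            raise ValueError(f"duplicate characters in charset {name.strip()!r}")
        charsets[name.strip()] = chars
    return charsets


def keyspace(chars, min_len, max_len):
    """Number of distinct strings of length min_len..max_len drawn from the charset."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    n = len(chars)
    return sum(n ** length for length in range(min_len, max_len + 1))


if __name__ == "__main__":
    for name, chars in parse_charsets(CHARSET_FILE).items():
        # lengths 1..7 bound one LM half; 1..8 is a common table length for NT hashes
        print(f"{name:30} {len(chars):3} chars  "
              f"1-7: {keyspace(chars, 1, 7):.3e}  1-8: {keyspace(chars, 1, 8):.3e}")
```

The sizes are what make the Task 10 point concrete: a keyspace of a few times 10^10 is table-sized, whereas a long mixed-character NT-only password sits many orders of magnitude higher, which is the defender's argument for disabling LM storage and enforcing length.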
