M. J. Thompson Network Solutions
M. J. Thompson Network Solutions Forensic experts previously conducted a
forensic examination of a web server and a backend Structured Query
Language (SQL) server within an enterprise network. Both servers were
compromised by an unauthorized intruder who successfully used malicious SQL
injection commands. Third-party remote-control software was subsequently
installed on each server, which provided the intruder with unfettered
command and control.
M. J. Thompson Network Solutions Forensic experts previously conducted
forensic examinations on five workstations within an enterprise network
that were compromised by an unauthorized intruder. The intruder initially
compromised two privately owned web servers, which were subsequently used
as platforms to compromise and exfiltrate data from the five workstations.
The exploit was a very complex Trojan that automatically downloaded
backdoors and executed them in memory on the first compromised
workstation. The intruder installed a keylogger, which captured the login
credentials of legitimate users, and used those credentials to initiate
lateral connections to an additional four workstations via administrative
shares.
M. J. Thompson Network Solutions Forensic experts previously conducted a
forensic examination on one SUSE Linux server within an enterprise
environment. The server was initially compromised with the Tornkit
version 8 rootkit, which automatically installed and executed a Secure
Shell (SSH) backdoor server in memory. Once the server was compromised,
the intruder executed an SSH scanner in conjunction with a password
cracker against a class B subnet. The results, which contained Internet
Protocol (IP) addresses and corresponding passwords, were subsequently
emailed back to the intruder. That email was recovered from unallocated
space on the server, which led to the identification of the individual
who compromised the server.
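The recovery step in the case above, carving a message out of unallocated space, is the kind of thing a practitioner will want to reproduce. The following is an added example written for this page; it is not the firm's tooling and not data from the case. It scans a raw byte buffer for RFC 822-style header blocks, keeps only candidates with at least two header fields followed by a blank line, and then pulls `<ipv4> <credential>` lines out of the body, the shape a scanner/cracker report typically has. The sample "image", the addresses and the credentials are all constructed inline.

```python
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header fields that mark the start of a candidate message in raw disk data.
HEADER_START_RE = re.compile(rb"(?:From|To|Subject|Date):", re.IGNORECASE)
FIELD_RE = re.compile(rb"^([A-Za-z-]+):[ \t]*(.*)$")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Bytes accepted inside a carved message: printable ASCII plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class CarvedMessage:
    offset: int            # byte offset in the image where the message starts
    headers: Dict[str, str]
    body: str


def _printable_run(data: bytes, start: int) -> bytes:
    """Return the longest run of text-like bytes beginning at `start`."""
    end = start
    while end < len(data) and data[end] in PRINTABLE:
        end += 1
    return data[start:end]


def carve_emails(data: bytes, min_headers: int = 2) -> List[CarvedMessage]:
    """Carve RFC 822-style messages out of raw bytes (e.g. unallocated clusters).

    A hit needs at least `min_headers` header fields followed by a blank line;
    lone header-looking fragments are dropped.
    """
    messages: List[CarvedMessage] = []
    last_end = -1
    for m in HEADER_START_RE.finditer(data):
        if m.start() < last_end:
            continue  # already inside a message we carved
        run = _printable_run(data, m.start())
        text = run.replace(b"\r\n", b"\n")
        head, sep, body = text.partition(b"\n\n")
        headers: Dict[str, str] = {}
        for line in head.split(b"\n"):
            fm = FIELD_RE.match(line)
            if not fm:
                break
            name = fm.group(1).decode("ascii").lower()
            headers[name] = fm.group(2).decode("ascii", "replace").strip()
        if not sep or len(headers) < min_headers:
            continue
        messages.append(CarvedMessage(m.start(), headers, body.decode("ascii", "replace")))
        last_end = m.start() + len(run)
    return messages


def extract_ip_credentials(body: str) -> List[Tuple[str, str]]:
    """Pull `<ipv4> <credential>` lines out of a carved body."""
    pairs = []
    for line in body.splitlines():
        parts = line.split()
        if len(parts) >= 2 and IPV4_RE.fullmatch(parts[0]):
            pairs.append((parts[0], parts[1]))
    return pairs


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed stand-in for unallocated space: high-bit filler with one
    message and one decoy header fragment embedded. Not data from any real case."""
    rnd = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rnd.randrange(0x80, 0x100) for _ in range(n))

    message = (b"From: scanner@example.invalid\r\n"
               b"To: drop@example.invalid\r\n"
               b"Subject: ssh scan results\r\n"
               b"\r\n"
               b"10.0.0.5 root:toor\r\n"
               b"10.0.1.77 admin:Passw0rd\r\n")
    decoy = b"Subject: orphaned fragment\n"   # one field, no blank line: must be ignored
    return filler(4096) + decoy + filler(512) + message + filler(2048)


if __name__ == "__main__":
    for msg in carve_emails(build_sample_image()):
        print(f"offset {msg.offset}: {msg.headers}")
        for ip, cred in extract_ip_credentials(msg.body):
            print(f"  {ip} -> {cred}")
```

Run it against a raw device or a forensic image, never the mounted file system, and hash the image before and after. Real mail remnants are often base64 or quoted-printable encoded and may not be pure ASCII, so a production carver needs decoders for those transfer encodings on top of this header-block heuristic.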
M. J. Thompson Network Solutions Forensic experts previously conducted
a forensic examination on one workstation within an enterprise
environment. The unauthorized intruder used two private web-hosting
servers as platforms during the compromise. The examination of the
workstation revealed that a malicious Trojan had initially been used to
compromise the computer. The intruder subsequently employed HTTP
tunneling techniques and Secure Shell (SSH) port-forwarding commands to
exfiltrate data through an encrypted tunnel on port 443. During a
subsequent examination of the two web-hosting servers, it was determined
that Structured Query Language (SQL) injection commands had been used to
compromise the servers. The examination of the web-hosting servers
revealed that this compromise was not an isolated incident: a total of
twenty-nine additional compromised computers were identified during the
examination.
M. J. Thompson Network Solutions Forensic experts previously conducted
a forensic examination on one file server within an enterprise
environment. The unauthorized intruder deployed a backdoor Trojan that
had complete command and control of the server. In addition, the Trojan
automatically scoured the server for various Microsoft Office documents
and placed those files within an encrypted storage container hidden in
the system32 directory of the file system. The intruder subsequently
exfiltrated the documents at his or her convenience.
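A staging container like the one described above is opaque to signature scanning, but it has a tell: a large file with no recognisable header whose bytes are statistically indistinguishable from random. The following is an added example for this page, not the firm's tooling; the directory layout, file names and contents are constructed (random bytes stand in for ciphertext, since the case gives no detail about the container). It walks a tree, skips files that carry a known magic number, measures Shannon entropy over the first 256 KiB, and reports large files that exceed a ciphertext-like threshold.

```python
import math
import os
import random
import tempfile
from collections import Counter
from typing import List, Tuple

# Files whose leading bytes identify a known container type are skipped: a
# packed PE or a zip is high-entropy too, so this allowlist keeps the noise down.
KNOWN_MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",     # legacy Office / OLE compound file
    b"\x7fELF": "elf",
}
SAMPLE_BYTES = 256 * 1024     # entropy is measured over the first 256 KiB
ENTROPY_THRESHOLD = 7.5       # bits per byte; ciphertext sits near 7.99
MIN_SIZE = 64 * 1024          # ignore small files; a document cache is not tiny
# Hypothetical location of the staged container in the constructed tree.
CONTAINER_REL = os.path.join("spool", "prtprocs", "cache.bin")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_magic(head: bytes) -> str:
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_opaque_blobs(root: str) -> List[Tuple[str, int, float]]:
    """Walk `root` and return (relative path, size, entropy) for large files
    that have no recognisable header and look like ciphertext."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size < MIN_SIZE:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable or vanished; log it in a real triage run
            if classify_magic(head[:8]) != "unknown":
                continue
            ent = shannon_entropy(head)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((os.path.relpath(path, root), size, round(ent, 3)))
    return sorted(hits)


def build_sample_tree(seed: int = 1) -> str:
    """Constructed mock of a system32 tree in a temp dir. Random bytes stand
    in for the encrypted container; every file name here is hypothetical."""
    rnd = random.Random(seed)

    def rand_bytes(n: int) -> bytes:
        return rnd.getrandbits(8 * n).to_bytes(n, "big")

    root = tempfile.mkdtemp(prefix="sys32_demo_")

    def write(rel: str, data: bytes) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    write("kernel32.dll", b"MZ" + b"\x90" * 100_000)                       # low-entropy PE stub
    write(os.path.join("drivers", "etc", "hosts"), b"127.0.0.1 localhost\n" * 4000)  # plain text
    write("packed.exe", b"MZ" + rand_bytes(200_000))                        # high entropy, known PE magic
    write(CONTAINER_REL, rand_bytes(300_000))                               # the staged container
    return root


if __name__ == "__main__":
    for rel, size, ent in find_opaque_blobs(build_sample_tree()):
        print(f"{rel}\t{size} bytes\tentropy={ent}")
```

This is a triage heuristic, not proof: compressed caches, media files and custom-packed binaries also score high, and the magic allowlist only trims the obvious cases. Corroborate a hit with file-system timestamps and ownership, the handles the Trojan held open, and the Office documents' own metadata before treating it as the exfiltration container.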
M. J. Thompson Network Solutions Forensic experts previously conducted
a forensic examination on five workstations within an enterprise
environment. A network administrator was accused of accessing private
correspondence between a supervisor and subordinate employees. The
forensic examinations substantiated the allegations.
M. J. Thompson Network Solutions Forensic experts previously conducted
forensic examinations on ten workstations within an enterprise network
that were compromised by an unauthorized intruder. The intruder initially
compromised the first workstation by sending its user a specially crafted
email containing a backdoor Trojan horse program. After the first
workstation was compromised, the intruder installed a keylogger, which
captured administrative login credentials. The intruder used those
credentials to initiate automated lateral connections to an additional
thirty-nine workstations via administrative shares. M. J. Thompson
Forensic experts conducted forensic examinations on a representative
sample of those workstations, which verified that all of the lateral
connections were successful. In addition, the intruder had installed
additional malicious programs on some of the workstations in question.
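Two of the cases above (the five-workstation case and this one) share the same pattern: a keylogged administrative account, driven from the first compromised host, connecting to many workstations over administrative shares in quick succession. The following is an added detection example for this page, not the firm's tooling. It takes Windows Security events already parsed into dictionaries (5140, "a network share object was accessed", is the relevant one) and alerts when one account from one source address touches C$ or ADMIN$ on at least three distinct hosts inside a ten-minute window. The events, hosts, account names and addresses are constructed and hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of Windows Security events, already parsed into dicts.
# 5140 = network share accessed; 4624 logon_type 3 = network logon.
# Hosts, accounts and addresses are hypothetical, not data from the cases.
SAMPLE_EVENTS: List[Dict] = [
    # the real administrator, from their own workstation, one host only
    {"ts": "2024-03-01T08:15:00", "host": "WS07", "id": 5140,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.9.50", "share": r"\\*\ADMIN$"},
    # ordinary file-share traffic
    {"ts": "2024-03-01T09:00:30", "host": "FS01", "id": 5140,
     "user": r"CORP\jdoe", "src_ip": "10.1.2.33", "share": r"\\*\Public"},
    # the burst from the first compromised workstation (10.1.1.10) with the keylogged account
    {"ts": "2024-03-01T09:00:05", "host": "WS02", "id": 4624,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.1.10", "logon_type": 3},
    {"ts": "2024-03-01T09:00:06", "host": "WS02", "id": 5140,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.1.10", "share": r"\\*\ADMIN$"},
    {"ts": "2024-03-01T09:00:41", "host": "WS03", "id": 5140,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.1.10", "share": r"\\*\C$"},
    {"ts": "2024-03-01T09:01:20", "host": "WS04", "id": 5140,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.1.10", "share": r"\\*\ADMIN$"},
    {"ts": "2024-03-01T09:02:02", "host": "WS05", "id": 5140,
     "user": r"CORP\helpdesk_admin", "src_ip": "10.1.1.10", "share": r"\\*\C$"},
]

ADMIN_SHARES = {"C$", "ADMIN$"}   # IPC$ is deliberately left out: far too noisy
WINDOW = timedelta(minutes=10)
FANOUT = 3                        # distinct hosts inside one window before we alert


def share_name(share: str) -> str:
    r"""Map the share as 5140 logs it ('\\*\ADMIN$') to its bare name ('ADMIN$')."""
    return share.rsplit("\\", 1)[-1].upper()


def detect_admin_share_fanout(events: List[Dict], window: timedelta = WINDOW,
                              fanout: int = FANOUT) -> List[Dict]:
    """One alert per (account, source IP) that reaches `fanout` distinct hosts'
    administrative shares within `window`; reports the largest such burst."""
    per_actor: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["id"] != 5140 or share_name(e["share"]) not in ADMIN_SHARES:
            continue
        key = (e["user"], e["src_ip"])
        per_actor[key].append((datetime.fromisoformat(e["ts"]), e["host"]))

    alerts: List[Dict] = []
    for (user, src_ip), items in per_actor.items():
        items.sort()
        best = None
        lo = 0
        for hi in range(len(items)):          # sliding window over the sorted events
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            hosts = {h for _, h in items[lo:hi + 1]}
            if len(hosts) >= fanout and (best is None or len(hosts) > len(best["hosts"])):
                best = {"user": user, "src_ip": src_ip, "hosts": sorted(hosts),
                        "first": items[lo][0].isoformat(), "last": items[hi][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_admin_share_fanout(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['src_ip']} reached {len(a['hosts'])} hosts' admin shares "
              f"between {a['first']} and {a['last']}: {', '.join(a['hosts'])}")
```

Event 5140 is only written when the "Audit File Share" subcategory is enabled on the target hosts, so confirm that before relying on this rule. Pair a hit with the matching 4624 type-3 logons and 4672 special-privilege events from the same source address, and note that the source address points back to the first compromised workstation, which is where the keylogger will be found.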