Channel: Forensic Focus Forums - Recent Topics

General Discussion: SQL injection originator artifacts?

Jofre wrote:
> I'm looking at a case involving credit card fraud and while I find a lot of interesting artifacts (on the suspect's computer) from the actual online frauds I'm not sure if the files containing credit card details were downloaded or generated by the suspect himself through SQL injection attacks on websites. I have found chat fragments, links and ebooks indicating the suspect is interested in the subject, and there are some applications installed related to it (Sqlmap, Havij), but I'm not sure if he has just played around with them or actually used them on a live target. Searching the web a bit I mostly find information on how to detect SQL injections on the target machines. I would really appreciate ideas on how to find out if the computer was used to initiate SQL injections. Any useful search terms or patterns to run against the image?

This is not a new question...in fact, in some cases, it rears its head as, "how can I tell if a program was launched or executed?"

First off, what you find depends heavily on the OS you're looking at. If it's Windows, extend that to the version of Windows, as well. For example, I examined a system over the past year where a bad guy accessed the system and ran Havij. The system was Win2008R2, and we knew that the intruder had run the application based on the fact that there were output files from Havij on the system, indications that the bad guy had launched the program, as well as records in the Application Experience Event Log indicating that the application had been installed.

So, if you're examining a Windows system, here's where I would look:

- pagefile
- hibernation file (if any)
- crash dump logs
- AppCompatCache key in the System hive (always a good one...)
- Havij accesses the network so check the Tracing key in the Software hive; also, if the system is 64-bit, check the *other* Tracing key as well
- UserAssist and MUICache keys in the user profile (NTUSER.DAT, USRCLASS.DAT)
- Shellbags - if the user dumped output to a particular folder, opened that folder and then resized/repositioned it, you'll find indications of those actions there...

HTH
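The UserAssist check from the reply above, as an added example that is not code from the post or from Forensic Focus: a Python parser for Windows 7+ UserAssist values that ROT13-decodes the value name, reads the run count and last-executed FILETIME, and flags the tools the thread names (Havij, Sqlmap) so an examiner can see whether and when they were launched from the user profile. The registry values it parses are constructed inline rather than read from an image, and it assumes the 72-byte Windows 7+ value layout (the XP-era 16-byte layout is not handled).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist value data is 72 bytes: offset 4 = run count (DWORD),
# offset 60 = last-executed FILETIME (100 ns ticks since 1601-01-01 UTC).
# The XP-era 16-byte layout is not handled here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TOOLS_OF_INTEREST = ("havij", "sqlmap")  # names from the thread, matched on the decoded path

def filetime_to_datetime(ft):
    """Windows FILETIME integer -> aware UTC datetime (None when the field is zero)."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_value(rot13_name, data):
    """Decode one Win7+ UserAssist value: ROT13 name, run count, last-run time, tool flag."""
    if len(data) < 68:
        raise ValueError("value data too short for the Windows 7+ UserAssist layout")
    name = codecs.decode(rot13_name, "rot_13")
    (run_count,) = struct.unpack_from("<I", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": name,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft),
        "of_interest": any(t in name.lower() for t in TOOLS_OF_INTEREST),
    }

def build_value_data(run_count, last_run):
    """Pack 72 bytes in the Win7+ layout; used only to construct the sample input below."""
    ticks = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ticks)
    return bytes(data)

# Constructed sample values (not from a real image); value names are ROT13 of the path.
SAMPLE_VALUES = {
    codecs.encode(r"C:\Tools\Havij\Havij.exe", "rot_13"):
        build_value_data(7, datetime(2013, 3, 14, 9, 26, 53, tzinfo=timezone.utc)),
    codecs.encode(r"C:\Windows\System32\notepad.exe", "rot_13"):
        build_value_data(2, datetime(2013, 3, 10, 8, 0, 0, tzinfo=timezone.utc)),
}

def flagged_entries(values):
    """Parse every value and return the tools of interest, most recently run first."""
    entries = [parse_userassist_value(n, d) for n, d in values.items()]
    hits = [e for e in entries if e["of_interest"]]
    return sorted(hits, key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
```

On a real NTUSER.DAT the same functions apply to the values under each GUID's Count subkey of UserAssist, with the hive read by an offline registry parser of your choice.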
