Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: Adliah
New Today: 0
New Yesterday: 0
Overall: 29360

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 Swtor2credits Surper sale II for Thanksgiving:up to 10% off
 Senior Cyber Forensic Incident Response Consultant -Cambs UK
 A question for students and newbies
 E-DISCOVERY & DATA RECOVERY? WHICH ONE IS BETTER?
 Computer Forensic in e-commerce

Computer Forensics World Forums


Pages Served
We received
51302142
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - Packet Capture Analyzer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Packet Capture Analyzer

 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Forensic Software and Tools
View previous topic :: View next topic  
Author Message
GrepMan
Newbie
Newbie


Joined: Apr 07, 2013
Posts: 1

PostPosted: Mon Apr 08, 2013 6:55 am    Post subject: Packet Capture Analyzer Reply with quote

Hey Everyone. I have a team working on analyzing a packet capture file for a practice case we've been given by our club.

We have 2 .PCAP files. We have to figure out whether our company's server has been compromised, and which data the attacker had access to, and which attack has been used, and have to figure out what the attacker took. The problem is that we do not have in-depth knowledge in analyzing packet capture data. We suspect that the attacker had connected to a few specific ports and had access to http, https, and ssh. But the problem is that we do not know what method the attack used to get in, and we don't know exactly what the attacker had access to, viewed, or downloaded from or to the company's server. We have already opened up the PCAP files in wireshark and run filters but we still aren't sure about how to determine exactly what has been accessed. Once we have the figured out what has occurred, we can move onto other forensic tools that we are more accustomed to for other files related to this case.

Are there any freeware tools and/or tutorials that you could recommend to help us in the right direction. Any advice would be greatly appreciated.

Thanks in Advance,
GrepMan
Back to top
View user's profile
RainMak3r
Newbie
Newbie


Joined: Apr 05, 2013
Posts: 2

PostPosted: Mon Apr 08, 2013 8:05 pm    Post subject: Reply with quote

Hi GrepMan,

You should have most of valuable evidences in you PCAP If the files was captured during the whole hacking event. But at least , I assume you have some info. 1st , when you mention specific ports http, https. Do you guys run web service on the server? If thats the case , its more likely the attack surface is your web service. Then attacker possibly get your etc/passwd or shadow password file somehow. After that they can ssh in. 2nd, keep in mind an attacker can always brute force a weak password and ssh in. So you need to check the PCAP how they ssh in or logs on the server. I also assume you already decrypt the encryption traffic in PCAP. So you should see what had happen as they are plaintext. 3rd, Attacker can also run exploit to grant server access. So you can do VulnScan against your server. 4th, to determine what information is accessed is related to server side forensic + PCAP files (if it records). 5th, firewall rules are also need to be examined. It's not a simple job until you are security professional and have the knowledge in different domains. So I suggest to contact IR/forensic people to deal it ASAP.

Cheers,
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Forensic Software and Tools All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.