In this article, I will walk through the investigation of a cyber incident using the Hacked lab from the CyberDefenders resource as an example. We will learn how to extract artifacts from a Linux system disk image, analyze them, and use this data to find out how the attacker compromised the system.
According to the scenario, the attackers hacked into the web server and took full control of it. Incident responders obtained a bit-by-bit copy of the system drive of a compromised Linux machine. Let's download the image file and start exploring it.
We divide our investigation into three stages:
- Analysis of configuration files of the Linux operating system.
- Search for the entry point of intruders into the system.
- Search for post-exploitation methods in the system.
Tools used in the investigation:
- FTK Imager is a disk imaging and analysis tool.
- R-Studio is a utility for recovering data from a disk.
- Plaso is a Python utility designed to build a timeline of operating system events.