I assume you can do packet traces and such on your LAN... try to get the offender's MAC address, which *can* be spoofed but normally allows you to identify a particular, unique, network interface (and thus, hopefully, a machine). This can be much easier to suss out if you already have an inventory of MAC addresses on your LAN's machines.

I hope I'm not too off-base here, although you did mention that you have some evidence of which machine and IP address is the (a?) culprit... if it is a shared machine, then it will depend on the operating system in use there.

Full packet traces are a very valuable thing to have, since you may be able to identify if the perp was spoofing a MAC address that is known and trusted, from another [unknown, untrusted] piece of hardware, which could range from a common PC to a Dreamcast or a handheld, physically tucked away somewhere.

I'm not formally schooled in forensics, so I'm sure others could give better advice here, but my understanding is that you want to be collecting as much credible evidence as possible right now! If you have a compromise, that can be tricky to establish. There are some nifty solutions, like running a syslog server's output to a line printer or directly burning it in sessions to CD-R, so that it cannot be modified.

If you can provide any more info about your setup, I'm sure we could offer more suggestions. Also: are you seeking a referral or simply practical how-to-proceed advice?

Aack, insider attack: the bane of sanity... (i.e., it is hard to tell what paranoia levels are required to proceed.)

good luck and take care,
Ben

On Thu, 19 Feb 2004 08:44:54 -0800 (PST) Mark Morrissey <markem@private> wrote:
|
|
| This email was bounced because the sender address (JRedding@private) is
| not subscribed to crime. Please reply to the original sender, not me.
|
| --mark
| crime owner
|
| -----------------------------------------------------------------------
|
| Date: Wed, 18 Feb 2004 14:52:14 -0800
| From: "Jacob E. Redding" <JRedding@private>
| Reply-to: Jredding@private
| To: crime@private
| Subject: IT forensics advice
|
| Could anyone help out with some advice on how to track down an internal
| "hacker".
|
| At this point we know that someone was able to enable the Guest account
| AND add that account to the administrators group. Also there is "new"
| additional mail relaying through our SMTP servers. Also the person in
| question has gained physical access to the servers as we have found
| evidence of an additional machine being connected in our DMZ for a short
| period of time.
|
| Now while we have some evidence as to the machine and IP address we need
| advice on how to reference that information to a physical person and we
| would like "legal" evidence (for reasons I won't go into, but let's just
| say some people are not happy).
|
| Thanks in advance for any tips, suggestions and advice you can lend.
|
| -Jacob Redding
--
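Ben's suggestion of checking observed MAC addresses against an inventory of the LAN's known interfaces, worked through as an added example (it is not code from the original thread or from either poster). It parses a constructed ARP-table dump in both the Linux and Windows `arp -a` layouts, normalizes the MACs, and flags the four things an investigator would want to see: a MAC that is not in the inventory, a known MAC at an IP it is not assigned, one MAC showing up at several IPs, and one IP claimed by several MACs. The inventory, the ARP output, and every hostname and address in them are made up for the example; a real run would feed it the ARP tables or packet-trace output collected during the investigation.

```python
"""Reconcile MAC/IP pairs seen on the LAN against a MAC inventory.

Added example for the thread above; not code from the original post.
The inventory, the ARP output and every address in them are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed inventory of known interfaces: MAC -> (hostname, assigned IP).
INVENTORY = {
    "00:0c:29:4a:1b:2c": ("fileserver", "10.0.0.5"),
    "00:0c:29:7f:3e:11": ("mailrelay", "10.0.0.6"),
    "00:50:56:aa:bb:cc": ("jdoe-desktop", "10.0.0.21"),
}

# Constructed ARP-table dump mixing the Linux and Windows `arp -a` layouts,
# as you might collect from the gateway and from a Windows host.
ARP_OUTPUT = """\
fileserver (10.0.0.5) at 00:0c:29:4a:1b:2c [ether] on eth0
mailrelay (10.0.0.6) at 00:0c:29:7f:3e:11 [ether] on eth0
? (10.0.0.21) at 00:50:56:aa:bb:cc [ether] on eth0
? (10.0.0.99) at 00:50:56:aa:bb:cc [ether] on eth0
Interface: 10.0.0.40 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.77             00-d0-f1-01-02-03     dynamic
  10.0.0.5              00-d0-f1-01-02-03     dynamic
"""

# An IPv4 address followed (somewhere later on the line) by a MAC in either
# colon or dash notation. Header lines carry no MAC and therefore no match.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def normalize_mac(mac):
    """Canonical lowercase colon form so inventory and ARP entries compare."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return [(ip, mac), ...] for every ARP-table line that carries both."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group(1), normalize_mac(m.group(2))))
    return pairs


def reconcile(observed, inventory):
    """Compare observed (ip, mac) pairs with the inventory.

    Returns a list of (kind, ip, mac, detail) findings:
      unknown_mac  - a MAC that is not in the inventory at all
      ip_mismatch  - a known MAC seen at an IP other than its assigned one
      mac_multi_ip - one MAC seen at several IPs (spoofed, or a second device)
      ip_multi_mac - one IP claimed by several MACs (ARP spoofing / takeover)
    """
    inv = {normalize_mac(m): v for m, v in inventory.items()}
    findings, reported = [], set()
    ips_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for ip, mac in observed:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
        if mac not in inv:
            if mac not in reported:  # report each unknown MAC once
                reported.add(mac)
                findings.append(("unknown_mac", ip, mac, "not in inventory"))
        elif inv[mac][1] != ip:
            host, assigned = inv[mac]
            findings.append(("ip_mismatch", ip, mac, f"{host} is assigned {assigned}"))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_multi_ip", ",".join(sorted(ips)), mac,
                             "one MAC at several IPs"))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("ip_multi_mac", ip, ",".join(sorted(macs)),
                             "one IP claimed by several MACs"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'unknown_mac': 1, ...}."""
    return dict(Counter(kind for kind, _ip, _mac, _detail in findings))


if __name__ == "__main__":
    for kind, ip, mac, detail in reconcile(parse_arp(ARP_OUTPUT), INVENTORY):
        print(f"{kind:13} ip={ip:20} mac={mac}  {detail}")
```

On the constructed data this reports the trusted desktop MAC turning up at a second IP, a MAC nobody has on file, and that same unknown MAC also claiming the file server's address, which is the "known and trusted MAC spoofed from an unknown box" case Ben describes. ARP tables only show what was seen recently, so in practice you would run this over snapshots taken repeatedly, or over the MAC/IP pairs pulled from a full packet trace, and keep the raw captures as the evidence.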
This archive was generated by hypermail 2b30 : Mon Feb 23 2004 - 13:11:19 PST