A Consultant is Called in to Determine What Happened

A consultant is hired by a Fortune 500 company that detected a malicious executable on a production server that stores customer data.  The company is unsure how the malicious executable got onto the server, or what data the executable may have exposed.  Before calling in the consultant, the company had restored a six-month-old backup, without the malicious executable, and the production database to a clean system.

The consultant created a forensic image of the machine and then used Cellebrite Inspector for analysis. Cellebrite Inspector parsed the download history for the system as well as the following Windows artifacts: jumplists, ShellBags, and prefetch.

The Windows artifacts were examined for references to the malicious executable.  A file with a name similar to the executable had been downloaded by an account named “adminnistrator”, spelled with two N’s.  The User Accounts view, presented by Cellebrite Inspector under Actionable Intel, revealed when that account was created and last accessed.
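The lookalike account name is the kind of detail that is easy to miss in a long account listing. The following added example (not Cellebrite Inspector's code) shows one way to surface it automatically: compare every account name in an exported user-account table against a small baseline of known privileged names and flag those within a character or two of a baseline name but not equal to it. The account records and the baseline list are constructed for the example.

```python
"""Flag account names that resemble a known privileged account but differ by
a character or two (e.g. "adminnistrator" vs "administrator").
Added example, not Cellebrite's code; the account records are constructed."""

# Constructed sample of what a user-account artifact export might contain.
ACCOUNTS = [
    {"name": "Administrator",  "created": "2023-01-10T08:00:00", "last_access": "2024-05-01T09:12:00"},
    {"name": "svc_backup",     "created": "2023-01-12T08:00:00", "last_access": "2024-05-02T01:00:00"},
    {"name": "adminnistrator", "created": "2024-04-28T22:41:00", "last_access": "2024-04-29T03:15:00"},
]

# Assumed baseline of legitimate privileged names on this host.
KNOWN_PRIVILEGED = ["administrator", "admin"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # insertion, deletion, or substitution (free when chars match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_accounts(accounts, known, max_distance=2):
    """Return accounts whose (case-folded) name is near, but not equal to,
    a known privileged name, annotated with the name it resembles."""
    hits = []
    for acct in accounts:
        lname = acct["name"].lower()
        for k in known:
            d = edit_distance(lname, k)
            if 0 < d <= max_distance:
                hits.append({**acct, "resembles": k, "distance": d})
                break
    return hits


if __name__ == "__main__":
    for hit in find_lookalike_accounts(ACCOUNTS, KNOWN_PRIVILEGED):
        print(f"{hit['name']!r} resembles {hit['resembles']!r} "
              f"(distance {hit['distance']}), created {hit['created']}")
```

The real "Administrator" account scores zero against its own baseline entry and is skipped; only the near-miss is reported, together with its creation time so the analyst can immediately ask whether that date fits the incident window.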

Because this information is all parsed immediately by Cellebrite Inspector, the consultant was able to provide a quick update to the client.

As the investigation continued, the consultant used more advanced analysis techniques, such as reviewing volume shadow copies and recovering files no longer on the system.  This analysis allowed the consultant to determine the sequence of events that led to the malicious executable and to establish a timeline of those events.

Network logs for the narrow time period of interest were reviewed, with the analyst looking for unusual outbound connections that could indicate exfiltration of data.  Hash sets for known vulnerable software revealed that the system was not up to date with current patches, which would have prevented the events that led to the installation of the malicious executable.
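The two steps above, building a timeline from artifact timestamps and then reviewing network logs only for the window that timeline defines, fit together naturally. This added example (not Cellebrite Inspector's code) merges a handful of artifact hits into a chronological timeline, derives the window of interest from it, and then parses constructed firewall log lines to flag outbound connections in that window that go to an unexpected destination or move an unusually large volume of data. The artifact entries, the executable name, the log format, the allow-list of normal destinations and the size threshold are all constructed assumptions.

```python
"""Merge artifact timestamps into one timeline and pick out unusual outbound
connections from network logs inside the window the timeline defines.
Added example, not Cellebrite's code; all artifacts, log lines, the
allow-list and the size threshold are constructed."""
import re
from datetime import datetime, timedelta

# Constructed artifact hits, as an analyst might tabulate them from download
# history, user-account data, prefetch and a recovered shadow copy.
ARTIFACTS = [
    ("2024-04-29T03:10:00", "prefetch",   "UPDATE-HELPER.EXE first run (adminnistrator session)"),
    ("2024-04-28T22:41:00", "accounts",   "account 'adminnistrator' created"),
    ("2024-04-29T03:02:00", "download",   "update-helper.exe saved to C:\\Users\\Public\\"),
    ("2024-04-29T03:30:00", "shadowcopy", "recovered staging archive customers.zip (deleted)"),
]

# Constructed firewall log lines: timestamp, source, destination:port, bytes out.
NETWORK_LOG = """\
2024-04-29T02:55:11 10.0.5.20 -> 10.0.5.2:445 out=4120
2024-04-29T03:12:40 10.0.5.20 -> 203.0.113.7:443 out=918400
2024-04-29T03:13:02 10.0.5.20 -> 10.0.5.10:1433 out=12000
2024-04-29T03:34:55 10.0.5.20 -> 203.0.113.7:443 out=52400000
2024-04-29T09:00:00 10.0.5.20 -> 198.51.100.4:443 out=2200
"""

# Assumed baseline: destinations this server normally talks to.
EXPECTED_DESTINATIONS = {"10.0.5.2", "10.0.5.10", "198.51.100.4"}
LARGE_TRANSFER_BYTES = 10_000_000  # assumed threshold for "unusually large"

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) out=(\d+)$")


def build_timeline(artifacts):
    """Sort artifact hits chronologically; returns (timeline, start, end)."""
    timeline = sorted((datetime.fromisoformat(t), src, desc) for t, src, desc in artifacts)
    return timeline, timeline[0][0], timeline[-1][0]


def parse_log(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, out = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
               "port": int(port), "bytes_out": int(out)}


def suspicious_outbound(log_text, start, end, slack=timedelta(hours=1)):
    """Connections within [start - slack, end + slack] that go to an
    unexpected destination or exceed the size threshold, each annotated
    with the reasons it was flagged."""
    flagged = []
    for rec in parse_log(log_text):
        if not (start - slack <= rec["ts"] <= end + slack):
            continue
        reasons = []
        if rec["dst"] not in EXPECTED_DESTINATIONS:
            reasons.append("unexpected destination")
        if rec["bytes_out"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large transfer")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    timeline, start, end = build_timeline(ARTIFACTS)
    for ts, src, desc in timeline:
        print(f"{ts:%Y-%m-%d %H:%M} [{src:10}] {desc}")
    for hit in suspicious_outbound(NETWORK_LOG, start, end):
        print(f"{hit['ts']:%H:%M:%S} {hit['dst']}:{hit['port']} "
              f"{hit['bytes_out']:>10} bytes  ({', '.join(hit['reasons'])})")
```

Restricting the network review to the artifact-derived window is what keeps the log volume manageable; the one-hour slack on each side guards against clock skew between the host and the firewall. The connection at 09:00 falls outside the window and is never examined, while the two connections to the unknown address inside it are reported, the second one also for its size.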

At the conclusion of the examination, the client was provided with information on how the system was likely compromised, an indication of whether data was exfiltrated, and recommendations for preventing a similar attack in the future.

“Because information of interest is all parsed immediately by Cellebrite Inspector, I was able to provide a quick update to the client.” -Private Consultant for a Fortune 500 Company 

Main Takeaways:

  • When malicious code was discovered on a production server that stored customer data, a consultant was called in to uncover what happened. Cellebrite Inspector, used to examine the system, parsed the download history, jumplists, ShellBags, and prefetch, providing some quick clues about how the code got onto the system.

  • Cellebrite Inspector was used to examine volume shadow copies, recovering files no longer on the machine, and providing a timeline of events.

  • The client was provided with information on how the system was likely compromised, an indication of whether data was exfiltrated, and recommendations for preventing a similar attack in the future.


Quick Facts

Features: 

Cellebrite Inspector provided quick access to data of interest in the Actionable Intel tab and to the parsed Windows artifacts, giving initial answers quickly.

Problem Solved:

A consultant is called in to determine how malicious code came to be running on a production server.

Solution Provided:

The consultant provided a timeline of events for this incident and provided recommendations to prevent similar attacks in the future.

Overall Results:

Cellebrite Inspector quickly and easily showed the Windows artifacts used to determine how the malicious code was introduced to the system and provided the ability to perform an in-depth analysis of volume shadow copies.
