This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Download it now to read this article plus other related content.
Don't trample evidence in a breach. Missteps in an investigation will cost you in court.
From all indications, something bad had happened. After installing an intrusion prevention system, the security team at UW Medicine spotted several machines trying to communicate with an IRC botnet server in France. Cindy Jenkins, a security engineer and computer forensics expert at the medical and research organization, immediately went on a hunt for clues behind the suspicious activity.
Hours spent combing through images of the hard drives from the infected PCs turned up the attackers' tools: an IRC bot, a rootkit and an FTP server. Passive network scanning detected more compromised systems. To save time, Jenkins made hash sets--digital fingerprints--of the malware so she could look just for the hash sets when inspecting additional images. She determined the machines were infected 18 to 24 months earlier--before the IPS and other security measures were installed.
It appeared that UW Medicine, part of the University of Washington, had been attacked by resource hogs--intruders who don't target data but exploit the speed and ample storage of university networks in order to share movies and music. But then she discovered something that didn't match the original hash sets. The attackers had done more than steal resources; they had accessed the password file for UW Medicine's Windows domain.
"I pretty much stopped breathing there, then lit up
Although there was no evidence the intruders had used the passwords, time stamps indicated they had accessed them. The case was turned over to the FBI, along with Jenkins' carefully documented work.
"Forensics is a lot like coding. You have to have very strong concentration and you have to be able to think analytically," says Jenkins. "You need to pull apart all the little pieces, add up the puzzle. It's like being a detective."
This was first published in September 2007