Advanced Cyber Investigations

Many of today’s larger computer systems are using Unix-based operating systems, mostly because of lower cost. Unix has a reputation for being more secure than Windows, but this does not mean that it can’t be hacked. In fact, the infamous computer intrusion involving Equifax involved a Unix system.


To investigate these types of matters, there are three basic steps:

First, investigate the system while it is still active. In this step, you might be looking for programs that are running that aren’t supposed to be. For example, the command (#ps aux) will show you a list of all running processes. Now, let’s imagine you actually find this rogue process. There are two ways to copy it. You can copy it and rename it like this (#cp {path}/roguefile ./foundhackingtool). Or, if the executable has already been deleted from disk, take the PID for the process and copy the image out of the /proc filesystem like this (#dd if=/proc/{PID}/exe of=/tmp/recovered.{PID}); the kernel keeps the deleted file readable through that link for as long as the process is running.

Second, once you have found the actual computer that was compromised, you can take it offline and image it. From here, you perform what they call “dead box forensics.” An example of this might be pulling the log files and reviewing them.

Third, and perhaps most important, are the traditional investigative techniques. These involve searching online for people or groups that claim to have knowledge of, or responsibility for, the intrusion.
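As an added example for the first step above (this is not code from the original post), a small POSIX shell helper that resolves /proc/<PID>/exe, reports whether the on-disk executable has already been unlinked, and copies the image out together with its hash and command line for the case notes. It assumes Linux with procfs mounted and enough privilege to read the target process; the function names and the recovered.<PID> naming are my own.

```shell
#!/bin/sh
# Live-triage helper (added example): preserve the executable behind a running
# PID even when the file has been deleted, using the /proc/<PID>/exe link.
# Assumes Linux with procfs mounted and permission to read the process.

# Print the target of /proc/<PID>/exe; the kernel appends " (deleted)"
# when the executable has been unlinked from disk.
proc_exe_target() {
    readlink "/proc/$1/exe"
}

# Return 0 when the process's on-disk executable has been deleted.
exe_is_deleted() {
    case "$(proc_exe_target "$1")" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the executable image of PID $1 into directory $2 and write a
# sidecar note (path, command line, hash, time) for the case file.
# Prints the path of the recovered copy.
preserve_running_exe() {
    pid="$1"; outdir="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$outdir"
    out="$outdir/recovered.$pid"
    # /proc/<pid>/exe stays readable after the file is unlinked, so copying
    # through the link (cp or dd) recovers the original bytes.
    cp "/proc/$pid/exe" "$out" || return 1
    chmod a-x "$out"   # never leave a recovered suspect binary executable
    {
        echo "pid=$pid"
        echo "exe=$(proc_exe_target "$pid")"
        echo "cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")"
        echo "sha256=$(sha256sum "$out" | cut -d' ' -f1)"
        echo "collected=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$out.txt"
    echo "$out"
}
```

Run it as `preserve_running_exe <PID> /tmp/case` from a root shell on the live system; the sidecar .txt records the original path (including the "(deleted)" marker) so the hash can be matched against the imaged disk later.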

If all of this sounds complicated – it is! Call us for help with your cyber investigation needs. It’s what we do.