A forensics approach to digital fingerprinting on Windows servers

Oso, Christie and Gan, Diane (ORCID: https://orcid.org/0000-0002-0920-7572) (2012) A forensics approach to digital fingerprinting on Windows servers. In: CFET 2012: Cybercrime Forensics Education & Training. The 6th International Conference on Cybercrime Forensics Education & Training, 6-7 Sep 2012, Canterbury Christ Church University, Canterbury, Kent, UK.

Full text not available from this repository.

Abstract

The internet has played a major part in the increase of cybercrime on computers and networks by making attack tools available to everyone. The rising number of cyber attacks has severely diminished the security of networks. The use of digital fingerprinting technologies has facilitated the collection of evidence to use in the prosecution of cyber criminals who have left behind vital evidence when compromising servers. Research has shown that cyber attacks are often carried out by an employee within an organisation. This research demonstrates how the computers within a network can be used to breach a server within the same network. The work was carried out in a virtual environment using a Windows 2003 Small Business Server and two computers running Windows XP operating systems. A variety of attack tools were used to simulate an insider attack on the server. The attack phase consisted of the following steps: scanning, enumeration and vulnerability assessment. The experiment demonstrated how the administrator password was easily compromised by an unauthorised user, using the Cain and Abel tool. The consequence of this was a network breach in which a number of new user accounts were created in the admin and user groups and vulnerable ports were exposed; the attacker could copy, insert and delete files and logs at will. The attacker was able to remotely log in to the server. Other exploits included the creation of a backdoor to communicate with a remote server. Compromised computers within the network also became part of a botnet. The attack tools used, e.g. Nmap, were successful in penetrating the server, but this could just as easily have been carried out by an external attacker, as the vulnerability assessment clearly corroborated. Further, security policies, especially for passwords, were also disabled, which permitted users to set up weak passwords, and this included the Administrator account.
The digital fingerprint left behind during these attacks was analysed and the results are presented here. This research has demonstrated how to create a testbed for training purposes to defend against the greatest threat to any network, which comes from the insider. The workstation on the network was able to breach the target server, but it did leave a digital footprint behind. This type of attack would cause the most damage, which would be particularly true if the attack was carried out by a trusted employee who had access to a number of key network resources within the organisation.

Item Type: Conference or Conference Paper (Paper)
Additional Information: [1] This paper was first presented at CFET 2012: Cybercrime Forensics Education & Training, the 6th International Conference on Cybercrime Forensics Education & Training, held from 6-7 September 2012 at Christchurch Canterbury, Canterbury, Kent, UK.
Uncontrolled Keywords: extracting information, password cracking, vulnerability assessment, attack tools, digital fingerprinting, forensics
Subjects: Q Science > QA Mathematics > QA76 Computer software
Pre-2014 Departments: School of Computing & Mathematical Sciences
Last Modified: 14 Oct 2016 09:24
URI: http://gala.gre.ac.uk/id/eprint/9944