Computer Forenisc investigation

Discussion in 'School Work Help' started by Choy1314, Apr 27, 2010.

  1. Choy1314

    Choy1314 Well-Known Member

    386
    53
    0
    Hi there guys need some help hope you guys can help

    im having an practical exam next week. the exam is set up as a server and im the investigator. i will be using VM ware workstation windows server 2003 .

    The story line is that the company has found out a large traffic on the server and they notice something is not write.

    i need to find out everything on the server what is going on there is 3 task and i dnt know what the task are yet.

    what are methods of finding out what is goin on in the server?

    things i might do is

    -Log File in the wondows system 32
    -and the Event Viewer.

    are there any software that i should use?

    such as fileziller

    etc.

    thanks
     
  2. filezilla is an ftp client... how will that help you tell you anything about the server?

    anyways, i am pretty sure these answers are given to you either by your prof in lectures, or in your books.

    if you want proper answers, look them up. otherwise, you'd be using people's guesses as your exam answers, which equals fail

    my 3 guesses:

    1. event viewer logs
    2. installed/running processes
    3. i dunno

    also, typos dude
     
  3. ab289

    ab289 Well-Known Member

    3,433
    414
    270
    my 2 cents:
    1) check if it's a Denial of Service attack.
    2) If it's legitimate hits, then check the CPU / RAM usage - is that the bottleneck?
    3) NIC bottleneck?
    4) Bad programming codes - use up too much resources?
     
  4. Knoctur_nal

    Knoctur_nal |Force 10 from Navarone|

    16,563
    662
    29
    For a starter, if this server is compromised with heavy traffic, then you may also look into a packet sniffer to determine what's going in and out.
    Looking into Wireshark [http://www.wireshark.org/] -intimidating at first, but effective after.
    Running processes and what apps they are attached too-Process Explorer-[http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx]
    Generic things such as checking the Host file for unwanted entries.
    Hell, a simple task as checking if the NIC is on a DHCP or Statically assigned IP and DNS Server should be included-pending the requirements and setup of the box.
    In addition, any unwanted app in the start up via the msconfig command-look that up.
    That should get you started.

    Knoc
     
  5. Choy1314

    Choy1314 Well-Known Member

    386
    53
    0
    Any other tips?
     
  6. fearless_fx

    fearless_fx Eugooglizer

    ctrl-alt-dlt FTW!
     
  7. Choy1314

    Choy1314 Well-Known Member

    386
    53
    0
    Anymore tips on finding problems on servers ? exam on this monday coming up need help guys.
     
  8. don't you have some course notes? im not sure why you would attempt to ask people who have not taken the course...
     
  9. Choy1314

    Choy1314 Well-Known Member

    386
    53
    0
    Hello guys well monday i had the practical exam on investigate a window server 2003. through a vmware workstation.

    i was using window 7 as my investagating machine.

    well first i used N-map software to scan the windwo server before i logged in.

    then after i scaned it i went to event viewer then safe some evidence through their. then i went to C drive to wondows folder then to system 32 to logfile then find informationg on their to.

    before the we started the exam we was giving a date on when the server was acting funny and slow speed and funny things was going on the server.

    i was going to used filezila to scan and connect to the server but i thought it was a bad idea on connecting to a infected machine to my investigation machine.

    and now i need to write a report about the exam.

    what you think i could of added or what else i could of done to find out more information or can lead up to more information to find more evidence on what could happen on that day.