A consultant is hired by a Fortune 500 company that detected a malicious executable on a production server storing customer data. The company does not know how the executable got onto the server or what data it may have exposed. Before calling in the consultant, the company restored a six-month-old backup that predates the malicious executable, together with the production database, to a clean system.
The consultant created a forensic image of the machine and then used BlackLight for analysis. BlackLight parsed the system's download history as well as the following Windows artifacts: jumplists, ShellBags, and prefetch. These artifacts were examined for references to the malicious executable. A file with a name similar to the executable had been downloaded by an account named "adminnistrator", spelled with two N's, a look-alike of the built-in Administrator account. User Accounts, presented by BlackLight under Actionable Intel, showed when that account was created and last accessed. Because BlackLight parses this information immediately, the consultant was able to give the client a quick initial update.
As the investigation continued, the consultant used more advanced techniques such as reviewing volume shadow copies and recovering files no longer present on the system. This analysis established the sequence of events that led to the malicious executable and a timeline of those events. Network logs for the narrow time window of interest were reviewed for unusual outbound connections that could indicate exfiltration of data. Hash sets for known vulnerable software showed that the system was not current with patches; the missing patches would have prevented the events that led to the installation of the malicious executable. At the conclusion of the examination, the client received an account of how the system was likely compromised, an indication of whether data was exfiltrated, and recommendations for preventing a similar attack in the future.
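The triage described above (merging parsed artifact records into a timeline, noticing that "adminnistrator" is a look-alike of a privileged account, and then pulling outbound connections from the narrow window around that account's activity) can be scripted once an artifact parser has produced records. The following is an added example, not BlackLight code or the consultant's tooling; the artifact records, network log lines, timestamps, addresses, and the list of privileged account names are all constructed sample data, and the internal-address check is a simplified stand-in for a proper RFC 1918 test.

```python
"""Timeline triage: merge artifact records, flag look-alike account names,
and list external outbound connections inside the window of interest.
Added example with constructed sample data; not case data or vendor code."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed list of privileged names an attacker might try to imitate.
PRIVILEGED_NAMES = ("administrator", "admin", "svc_backup")
# Simplified internal-address prefixes (assumption; not a full RFC 1918 check).
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")

# Constructed records in the shape an artifact parser might emit.
ARTIFACTS: List[Dict[str, str]] = [
    {"ts": "2019-03-01T09:15:00", "source": "Prefetch", "user": "jsmith",
     "detail": "EXCEL.EXE run"},
    {"ts": "2019-03-04T21:58:10", "source": "UserAccounts", "user": "adminnistrator",
     "detail": "account created"},
    {"ts": "2019-03-04T22:01:33", "source": "DownloadHistory", "user": "adminnistrator",
     "detail": "svchost_update.exe downloaded"},
    {"ts": "2019-03-04T22:02:05", "source": "Prefetch", "user": "adminnistrator",
     "detail": "SVCHOST_UPDATE.EXE first run"},
    {"ts": "2019-03-04T22:02:40", "source": "Jumplist", "user": "adminnistrator",
     "detail": "C:\\Users\\Public\\svchost_update.exe"},
]

# Constructed network log (src -> dst:port with bytes sent).
NETWORK_LOG = """\
2019-03-04T21:40:02 10.0.0.5 -> 10.0.0.20:445 bytes_out=1204
2019-03-04T22:03:11 10.0.0.5 -> 198.51.100.23:443 bytes_out=58120440
2019-03-04T22:07:45 10.0.0.5 -> 10.0.0.9:1433 bytes_out=3301
2019-03-05T03:00:00 10.0.0.5 -> 192.0.2.77:8443 bytes_out=22000000
"""
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) bytes_out=(\d+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_accounts(records, known=PRIVILEGED_NAMES, max_distance=2) -> Dict[str, str]:
    """Map each account name within max_distance edits of a privileged name
    (but not equal to it) to the name it imitates."""
    flagged = {}
    for name in {r["user"].lower() for r in records}:
        if name in known:
            continue
        best = min(known, key=lambda k: edit_distance(name, k))
        if 1 <= edit_distance(name, best) <= max_distance:
            flagged[name] = best
    return flagged


def build_timeline(records) -> List[Tuple[datetime, str, str, str]]:
    """Sort every artifact record by timestamp into one timeline."""
    return sorted((datetime.fromisoformat(r["ts"]), r["source"], r["user"], r["detail"])
                  for r in records)


def window_of_interest(timeline, user: str, pad_minutes=5) -> Tuple[datetime, datetime]:
    """Span of the given account's activity, padded on both sides."""
    stamps = [ts for ts, _, u, _ in timeline if u.lower() == user]
    pad = timedelta(minutes=pad_minutes)
    return min(stamps) - pad, max(stamps) + pad


def outbound_in_window(log_text: str, start: datetime, end: datetime) -> List[Dict]:
    """Connections to non-internal hosts inside [start, end]; bytes_out is the
    figure to eyeball for possible exfiltration."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        ts, dst = datetime.fromisoformat(m.group(1)), m.group(3)
        if start <= ts <= end and not dst.startswith(INTERNAL_PREFIXES):
            hits.append({"ts": ts, "dst": dst, "port": int(m.group(4)),
                         "bytes_out": int(m.group(5))})
    return hits


def triage(records=ARTIFACTS, log_text=NETWORK_LOG) -> Dict:
    """Run the three steps and return everything an analyst would report."""
    timeline = build_timeline(records)
    suspects = lookalike_accounts(records)
    report = {"timeline": timeline, "suspects": suspects, "windows": {}, "outbound": {}}
    for name in suspects:
        start, end = window_of_interest(timeline, name)
        report["windows"][name] = (start, end)
        report["outbound"][name] = outbound_in_window(log_text, start, end)
    return report


if __name__ == "__main__":
    for ts, source, user, detail in triage()["timeline"]:
        print(ts, source, user, detail)
    print(triage()["suspects"], triage()["outbound"])
```

With the constructed data, the only flagged account is "adminnistrator" (one insertion away from "administrator"), and the only external connection inside its five-minute-padded window is the 58 MB transfer to 198.51.100.23, which is exactly the kind of entry the analyst would then chase in the full network logs. The hash-set comparison against known vulnerable software is a separate step that needs a reference hash set and is not shown here.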
BlackLight provided quick access to the data of interest through the Actionable Intel tab and the parsed Windows artifacts, giving initial answers quickly.
A consultant is called in to determine how malicious code came to be running on a production server.
The consultant provided a timeline of events for this incident and provided recommendations to prevent similar attacks in the future.
BlackLight quickly and easily showed the Windows artifacts used to determine how the malicious code was introduced to the system and provided the ability to perform in-depth analysis of volume shadow copies.