This scenario involves a client facing a credit card compromise after notification by the USSS (United States Secret Service). You will learn about identifying hacks, investigating data, validating credit card numbers, using software tools, and conducting a forensic investigation.
Credit Card Compromise Case Scenario by John Mallery
Scenario • Client calls and says they have an issue • They have been notified by the USSS that they have had credit cards compromised through a “common point of purchase” investigation • They provide you with a hard drive only • They want to identify if a “hack” has taken place • What do you do?
Process • Initial Issues and Questions • How do you know whether you have the correct drive? • What about date and time stamps? Are they valid? • Why or why not?
Process • Where do you begin? • Forensically image drive • Develop an approach • What do you look for?
Investigation • Forensically copy drive • Run searches on the following: • Credit card numbers – identify if they are in plain text • IP addresses of the system • Logs • Software installed • Internet history
Investigation • Online storage sites • Removable drives • Test SAM database for missing passwords
Credit Card Numbers • Grep Expression • Identifies possible credit card numbers • How can they be validated? • Which one is a valid credit card number? • 4012 8888 8888 1881 • 5432 1234 5411 1111 • 5454 5454 5454 5454
Credit Card Numbers • Adhere to a strict format
Luhn Algorithm (Mod10) • Starting with the rightmost digit (which is the check digit) and moving left, double the value of every second digit. • If a product results in two digits, subtract 9 • Add all numbers together. • The result should be divisible by 10
An example: 4012 8888 8888 1881
Digit:                       4  0  1  2   8  8   8  8   8  8   8  8  1  8   8  1
Multiply by 2:               8  0  2  2  16  8  16  8  16  8  16  8  2  8  16  1
Double digits (subtract 9):  8  0  2  2   7  8   7  8   7  8   7  8  2  8   7  1
Sum equals 90 • Valid number • Who is the issuer?
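As an added example (not part of the deck), the grep-style search from the Credit Card Numbers slide and the Mod10 check from this slide in Python: it pulls candidate digit strings out of a constructed POS-style log excerpt, computes the Luhn sum (90 for 4012 8888 8888 1881) and looks up the issuer from a simplified prefix table. The regex, the log lines and the prefix table are assumptions of the example.

```python
import re

# Candidate pattern (constructed here; the deck mentions a grep expression but
# does not reproduce it): 13 to 16 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

def luhn_sum(number: str) -> int:
    """Mod 10 sum as the slide describes: start at the rightmost (check) digit,
    double every second digit moving left, subtract 9 from two-digit products,
    then add all the digits together."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(number) if c.isdigit()):
        if i % 2 == 1:  # every second digit, counting from the check digit
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """A candidate passes when it has a plausible length and the sum is divisible by 10."""
    n_digits = sum(c.isdigit() for c in number)
    return 13 <= n_digits <= 19 and luhn_sum(number) % 10 == 0

def issuer(number: str) -> str:
    """Issuer from the leading digits (assumption: only the best-known prefixes)."""
    n = "".join(c for c in number if c.isdigit())
    if n.startswith("4"):
        return "Visa"
    if n[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if n[:2] in {"34", "37"}:
        return "American Express"
    if n.startswith("6011") or n.startswith("65"):
        return "Discover"
    return "Unknown"

def find_card_numbers(text: str) -> list:
    """Return (matched string, Luhn result, issuer) for every candidate in text."""
    return [(m.group(0), luhn_valid(m.group(0)), issuer(m.group(0)))
            for m in CANDIDATE_RE.finditer(text)]

# Constructed POS-style log excerpt: the three numbers from the slide plus a
# 16-digit order id that only looks like a card number.
SAMPLE_LOG = """2009-03-02 10:14:07 TXN 0001 PAN=4012 8888 8888 1881 AMT=42.10 APPROVED
2009-03-02 10:15:22 TXN 0002 PAN=5432-1234-5411-1111 AMT=9.99 DECLINED
2009-03-02 10:16:01 TXN 0003 PAN=5454545454545454 AMT=120.00 APPROVED
2009-03-02 10:16:30 ORDER 1234567890123456 shipped"""
```

Running find_card_numbers(SAMPLE_LOG) flags the order id as a Luhn failure, which is why the search hits must be validated before being counted as compromised card numbers.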
Credit Card Validator • Credit Card Verifier Software • Test and verify its functionality before using it on suspect credit card numbers. • Disconnect from the Internet • Start Process Monitor (..\..\CCN\ProcessMonitor\Procmon.exe) • Test on dummy CCNs
Initial Results • Found numerous numeric strings in plain text that appeared to be credit card numbers • Publicly routable IP address • Nothing of relevance in logs • No functioning antivirus applications • pcAnywhere installed
Initial Results • Internet History – lots of visits to non-business sites – YouTube, MySpace, eBay and personal surfing. • Removable drives had been used. • Administrator account with no password.
Answer Found? • Have we identified whether the system had been hacked? • What is the next step?
Boot the Image • Boot the image • How? • LiveView - http://liveview.sourceforge.net/
LiveView Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk.
LiveView What Do I Need To Run Live View? • VMware Server Full Install (Free Download) or VMware Workstation 5.5 (30 Day Trial) • Java Runtime Environment (http://www.java.com/getjava/) • VMware Disk Mount Utility (http://www.vmware.com/download/eula/diskmount_ws_v55.html) • A Microsoft Windows Machine (XP, 2000, or 2003) • Some Bit-for-Bit Disk Images
LiveView • Demo (Maybe)
SIFT Workstation • SANS Investigative Forensic Toolkit • https://forensics.sans.org/community/downloads/index.php • Need SANS portal account for downloads • Large file (1.35 GB)
VFC – Virtual Forensic Computing • Commercial Product • VFC • Mount Image Pro • http://www.mountimage.com/ • VMWare Player, Workstation or Server • Demo
Benefits of Booting Image • Identify open ports: netstat and fport • Identify running processes: Pslist • Identify services: Psservice • Programs scheduled to run at startup: Autoruns and msconfig
Additional Results • Port 80 open • Additional ports open – remote control programs • Opened pcAnywhere – identified configuration settings and cracked password; no security mechanisms implemented • In addition – no firewall on system or on network • Router – default username and password.
End Result • 18,880 credit card numbers compromised • POS application known to have stored CCNs in plain text. Patch existed, vendor never applied patch. • Costs – fines, investigation, legal fees • Client hopes to recover costs from vendor’s insurance company.
Toys • WFA • UserAssist: • The data about frequently used programs is kept in the registry under this key: • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist • This program decrypts and displays the data found in the registry under the UserAssist key • http://blog.didierstevens.com/programs/userassist/