Title: Finding forensic evidence for several web attacks

Authors: Nataša Šuteva; Aleksandra Mileva; Mario Loleski

Addresses: Faculty of Computer Science, University Goce Delčev, Štip, Republic of Macedonia ' Faculty of Computer Science, University Goce Delčev, Štip, Republic of Macedonia ' Forensic Department, Ministry of Internal Affairs of the Republic of Macedonia, Skopje, Republic of Macedonia

Abstract: Symantec Internet Security Threat Report 2014 is showing a horrified fact, that when an attacker looked for a site to compromise, one in eight sites made it relatively easy to gain access. Digital forensics is one of our biggest line of defense against cyber criminals, because it provides evidence against them. For attacks against web applications, web application forensics is the branch which gives most of the answers. First, the victim machine usually gives some data, which are then used for identifying possible suspects, and this is followed by forensic analysis of suspects' devices, like computers, laptops, tablets, and even smart phones. In this paper, we use an attack scenario against the known vulnerable web application WackoPicko, using several web attacks: SQL injection, stored and reflected XSS, remote file inclusion, and commandline injection. We use post-mortem computer forensic analysis of attacker and victim machine to find some artefacts in them, which can help to identify and possible to reconstruct the attack, and most important, to obtain valid evidence which holds in court. We assume that the attacker was careless and did not perform any anti-forensic techniques on its machine.

Keywords: web application forensics; SQL injection; file inclusion; stored XSS; reflected XSS; command-line injection; web attacks; internet security; cyber attackes; digital forensics; web apps; attacker identification; hacker identification.

DOI: 10.1504/IJITST.2015.073938

International Journal of Internet Technology and Secured Transactions, 2015 Vol.6 No.1, pp.64 - 78

Available online: 29 Dec 2015 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article