KontrolOne™ Digital Forensics Case Study
Denial of Service Incident
IT Company, Kent, May 2010
The Investigation
In May 2010 a client approached us having been the victim of a denial of service (DoS) attack, believed to have been perpetrated by a former employee.
Analysis of the server logs, and of the code on the web server that was the subject of the attack, found that the attacker had accessed a specially designed back-door page and executed a delete command on the SQL database within the server. This caused several key websites to be taken down for a period of around 36 hours.
Emails sent from the former employee's home computer were found to have originated from an IP address also present on the server logs at the time of the attack, and this was verified by the suspect's Internet Service Provider.
Together with an ongoing dispute over intellectual property, this gave the Police sufficient evidence to arrest the suspect under the Computer Misuse Act 1990. The arrest followed an investigation that lasted for almost a year.
Lessons for the Client
No record of the command executed on the database was found because the SQL logs had been removed and SQL logging disabled during or after the attack. Centralised logging on a secure server within the client organisation would have made this much more difficult for the attacker.
Steps could also be taken to prevent SQL injection attacks by minimising the error reporting returned to users, particularly when the error would be presented to external or unauthorised IP addresses.
Evidence must be seized as soon as realistically possible in order to minimise the opportunity any attacker may have to delete incriminating information. In this case the HTCU backlog prevented vital evidence from being seized and made available to our investigators.
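As an added illustration of the first two lessons above (example code, not part of the original case study): a small Python wrapper that writes every SQL statement and error to a separate audit logger before the database sees it, and returns error detail only to clients on a trusted network. The trusted address range, the in-memory log handler and the sqlite database are assumptions standing in for the client's real log server and SQL server.

```python
import ipaddress
import logging
import sqlite3

# Assumption: only this range is the client's own administrative network.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

class MemoryAudit(logging.Handler):
    """Stand-in for a remote log server: keeps every record in a list."""
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(self.format(record))

def build_audit_logger(handler):
    # In production, pass logging.handlers.SysLogHandler(address=(host, 514))
    # so each record leaves the web/database host the moment it is written.
    logger = logging.getLogger("db.audit")
    logger.setLevel(logging.INFO)
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(handler)
    logger.propagate = False
    return logger

def is_trusted(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def run_query(conn, sql, params, client_ip, audit):
    """Execute one statement; log it centrally first, return a safe result."""
    # Logged before execution so the record exists even if the statement
    # deletes the data (or the local logs) the investigators would later need.
    audit.info("client=%s stmt=%r params=%r", client_ip, sql, params)
    try:
        cur = conn.execute(sql, params)
        conn.commit()
        return {"ok": True, "rows": cur.fetchall()}
    except sqlite3.Error as exc:
        audit.error("client=%s stmt=%r err=%s", client_ip, sql, exc)
        if is_trusted(client_ip):            # full detail only for admins
            return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
        return {"ok": False, "error": "Request could not be completed."}

def demo():
    handler = MemoryAudit()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    audit = build_audit_logger(handler)
    conn = sqlite3.connect(":memory:")       # constructed stand-in database
    conn.execute("CREATE TABLE pages (id INTEGER, body TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'home')")
    deleted = run_query(conn, "DELETE FROM pages WHERE id = ?", (1,), "10.1.2.3", audit)
    external = run_query(conn, "SELECT * FROM missing", (), "203.0.113.9", audit)
    admin = run_query(conn, "SELECT * FROM missing", (), "10.1.2.3", audit)
    return deleted, external, admin, handler.records
```

Even after the DELETE has run, the audit copy of the statement, the client address and the parameters remains on the log handler rather than on the compromised host.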
Further Information
For further details of our digital forensics services, please make an online enquiry or call us on 0843 289 6736.