Forensic Analysis of a Compromised Intranet Server

Nowadays companies are geographically distributed, thanks to the globalisation and the pervasive presence of the Internet. Employees can be very collaborative despite their location and distance, but this could have some drawbacks. One issue may be related to organization hardware and software inventory managed by system administrators located in the company headquarters. If they don't have expensive management and configuration software available updated or they aren't timely about hardware and software changes by branch office personnel they would not be aware of the resources they are managing and the security vulnerability risks could increase. It could sometimes happen that some minor company servers become completely forgotten so they run unpatched and without antivirus signature update, paving the way to the spreading of viruses and worms. Without countermeasures in place, driven by system administrators, employees may be unaware of such risks and they may continue to use those servers for daily operations, contributing to the spreading of malware infections. This document details the forensic analysis process of a compromised Intranet server, from the verification stage to the dissection of malware code, supported by an explanation of the followed methodology.