11/9/22, 10:13 AM CyberQ - Lab Guide

CyberQ Document

Module 11: Database Forensics

Lab Scenario
Amy, working as an incident handling manager with a software development company, was notified of their products being available in the
market before the official release. As an incident manager, she suspected a security breach and reported this to the FBI.

An investigative team of cybercrime experts visited the firm and started their initial investigation. Later, they found that some unknown
persons had hacked the database to steal the products, and also suspected that someone from inside the company had helped the
perpetrators.

Lab Objectives
The objective of this lab is to offer complete information on how to perform database forensics. The tasks include extracting information
from different databases such as SQLite and MySQL server, and performing a forensic investigation on them.

Overview of Database Forensics

Databases store all data pertaining to a web application and allow users to view, access, manage, and update their information. In some
cases, either the databases or the web applications may contain vulnerabilities that allow attackers to manipulate the database contents.

While performing database forensics, you can use timestamps to check and validate the user activities on a database. You should also focus
on identifying the transactions that occurred in a database system for fraud verification. As a forensic investigator, you must have a sound
knowledge of different databases and how to retrieve and analyze data stored in databases without any damage, thereby ensuring its
authenticity and legal admissibility.

Lab Tasks
Recommended labs to assist you in database forensics:

Analyzing SQLite Databases

Performing Forensic Investigation on MySQL Database

Lab 1: Analyzing SQLite Databases

Lab Scenario

Ryan has lodged a complaint with the authorities regarding a security breach in his gaming company that has caused him financial losses.
An investigation into the incident revealed that the company was using SQLite databases to store information, and that they had failed to
update the database software. Investigators also found that the attacker had used a vulnerability scanner to hack into the database.

As a forensic investigator, you should be aware of all database technologies being used, including tools required to analyze the data in
them. You can analyze the SQLite databases using DB Browser for SQLite.

Lab Objectives

Investigators can use tools like DB Browser for SQLite to create, design, and edit database files compatible with SQLite. It uses a
spreadsheet-like interface that helps investigators run simple SQL queries and inspect tables, indexes, and records within SQLite database.

In this lab, you will learn how to analyze the SQLite databases using the open-source tool DB Browser for SQLite.

Overview of the Lab

This lab familiarizes you with the process of examining SQLite databases to find the artifacts of a cybercrime. Examining SQLite databases is
an important part of digital forensics that helps forensic investigators obtain data of evidentiary value so that the perpetrator of a
cybercrime can be identified and prosecuted.

Lab Tasks
1. Select CHFIV10 WINDOWS SERVER 2016 virtual machine and click Ctrl+Alt+Del.

about:blank 1/82
11/9/22, 10:13 AM CyberQ - Lab Guide

2. By default, Administrator user profile is selected, type qwerty@123 in the Password field and press Enter to login.

Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

about:blank 2/82
11/9/22, 10:13 AM CyberQ - Lab Guide

3. In this lab, we will be examining databases extracted from an Android device located at C:\CHFI-Tools\Evidence Files\Databases for
Analysis\SQLite Databases.

4. Navigate to C:\CHFI-Tools\CHFIv10 Module 11 Database Forensics\Database Analysis Tools\SQLite Database Analysis Tools\DB
Browser for SQLite, and double-click DB.Browser.for.SQLite-3.12.0-win64.msi.

Note: If an Open File Security Warning pop-up appears, click Run.

Note: When an End-User License Agreement appears, check I accept the terms in the license agreement and click
Next.

about:blank 3/82
11/9/22, 10:13 AM CyberQ - Lab Guide

5. When the Shortcuts section of the setup appears, check the Desktop and Program Menu options under DB Browser (SQLite), as
shown in the screenshot below. This will allow you the convenience of launching the application both from the Desktop and the
Program Menu.

about:blank 4/82
11/9/22, 10:13 AM CyberQ - Lab Guide

6. In the final step of installation, click Finish to complete the installation.

about:blank 5/82
11/9/22, 10:13 AM CyberQ - Lab Guide

7. Now navigate to the Desktop and launch DB Browser (SQLite) by double-clicking on its shortcut icon.

about:blank 6/82
11/9/22, 10:13 AM CyberQ - Lab Guide

8. The DB Browser for SQLite GUI will appear. Click Open Database in the toolbar.

about:blank 7/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: If New version available pop-up appears, select Don't show again to proceed

9. The Choose a database file window will now appear. Navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\SQLite
Databases, select accounts.db, and click Open.

about:blank 8/82
11/9/22, 10:13 AM CyberQ - Lab Guide

10. The application displays the structure of accounts database under the Database Structure tab, as shown in the following screenshot:

about:blank 9/82
11/9/22, 10:13 AM CyberQ - Lab Guide

11. Click Browse Data tab to view the data in the accounts database. Upon clicking the Browse Data tab, the accounts table will be
selected by default in the Table drop-down list, and its contents will be displayed under the Table section. To view the database
schema, click on the DB Schema tab, as indicated in the screenshot below, and it will be displayed to you in the lower-right section of
the application window.

about:blank 10/82
11/9/22, 10:13 AM CyberQ - Lab Guide

12. From the above screenshot, we can infer that the device was synchronized with two accounts on two services: WhatsApp and Viber.

13. Similarly, you can also view the contents of other tables by selecting them from the Table drop-down list. The screenshot below shows
the contents of the accounts table.

about:blank 11/82
11/9/22, 10:13 AM CyberQ - Lab Guide

14. Now, we shall view the information stored in the browser2 database. To upload this database, click Open Database from the toolbar
of the DB Browser for SQLite window, as indicated in the following screenshot:

about:blank 12/82
11/9/22, 10:13 AM CyberQ - Lab Guide

15. The Choose a database file window will appear. Navigate to the location C:\CHFI-Tools\Evidence Files\Databases for
Analysis\SQLite Databases, select browser2.db, and click Open.

about:blank 13/82
11/9/22, 10:13 AM CyberQ - Lab Guide

16. The browser2 database file opens in DB Browser for SQLite with the _sync_state table selected by default under Browse Data tab, as
shown in the screenshot below:

about:blank 14/82
11/9/22, 10:13 AM CyberQ - Lab Guide

17. We shall now examine the bookmarks created on the browser.

18. Therefore, under the Browse Data tab, select bookmarks from the Table drop-down list. This operation will display all the
searches/URLs bookmarked on the device, as shown in the following screenshot:

about:blank 15/82
11/9/22, 10:13 AM CyberQ - Lab Guide

19. Now, we shall examine the browser history stored in the selected browser database. To view browser history, select the history table
from the Table drop-down list under the Browse Data tab, as indicated in the screenshot below:

about:blank 16/82
11/9/22, 10:13 AM CyberQ - Lab Guide

20. We shall now examine the artifacts stored in sqlite_sequence table. This table stores information related to history (number of
websites browsed) and bookmarks (number of websites bookmarked). To view this data, select sqlite_sequence table from the Table
drop-down list under the Browse Data tab:

about:blank 17/82
11/9/22, 10:13 AM CyberQ - Lab Guide

21. Now, we shall examine the contacts database to view the contacts and the call history logs in the device.

22. To view the contacts database, click Open Database in the toolbar of the DB Browser for SQLite window. When the Choose a
database file window appears, navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\SQLite Databases, select
contacts2.db, and then click Open.

about:blank 18/82
11/9/22, 10:13 AM CyberQ - Lab Guide

23. If a Collation needed! Proceed? dialog box appears, click Yes to proceed.

about:blank 19/82
11/9/22, 10:13 AM CyberQ - Lab Guide

24. You will see the _sync_state table selected by default in the Table dropdown list under the Browse Data tab.

about:blank 20/82
11/9/22, 10:13 AM CyberQ - Lab Guide

25. Now, we shall examine the contents of raw_contacts table that lists contact–related information such as display name, account id,
sourceid, version, last time contacted, etc.

26. To view the contacts stored in the database, select raw_contacts table from the Table drop-down list. The contents of the
raw_contacts table are displayed as indicated in the following screenshot:

about:blank 21/82
11/9/22, 10:13 AM CyberQ - Lab Guide

27. You can scroll right in the Table section to view all the data mentioned earlier, as indicated in the screenshot below:

about:blank 22/82
11/9/22, 10:13 AM CyberQ - Lab Guide

28. Now, we shall examine the calls table. The calls table contains the call history entries associated with the device. This table lists details
such as dialed numbers, dialed contact name, timestamp, call duration, etc.

29. To view this information, select calls from the Table drop-down list under the Browse Data tab, as indicated in the screenshot below:

about:blank 23/82
11/9/22, 10:13 AM CyberQ - Lab Guide

30. Scroll right in the Table section to view all the data stored in the table, as indicated in the screenshot below:

about:blank 24/82
11/9/22, 10:13 AM CyberQ - Lab Guide

31. We shall now examine the data stored in msgstore database. The msgstore database contains information related to the messages
stored on the device, timestamps of the sent and received messages, subject of the message, etc.

32. To view the contents of the msgstore database, click Open Database from the toolbar of the DB Browser for SQLite window. When
the Choose a database file window appears, navigate to C:\CHFI-Tools\Evidence Files \Databases for Analysis\SQLite Databases,
select msgstore.db, and click Open.

about:blank 25/82
11/9/22, 10:13 AM CyberQ - Lab Guide

33. When the msgstore.db file opens on the tool, the chat_list table will be selected as the Table under the Browse Data tab by default.
The chat_list table contains information such as subject of the message, key remote id, message creation time, etc., as shown in
the following screenshot:

about:blank 26/82
11/9/22, 10:13 AM CyberQ - Lab Guide

34. To find the number of messages, group participants, group participant history, etc., you may select the sqlite_sequence table from
the Table drop-down list under the Browse Data tab, as shown in the screenshot below:

about:blank 27/82
11/9/22, 10:13 AM CyberQ - Lab Guide

35. Similarly, you can also examine the artifacts stored in other tables of the database.

36. Now, we shall examine the data stored in WhatsApp database, denoted by wa. The wa database contains information related to the
WhatsApp messages stored on the device, timestamps of the sent and received messages, subject of the message, etc.

37. To view the contents of the wa database, click Open Database from the toolbar of the DB Browser for SQLite window. The Choose a
database file window will now appear. Navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\SQLite Databases, select
wa.db, and then click Open.

about:blank 28/82
11/9/22, 10:13 AM CyberQ - Lab Guide

38. When the wa.db file opens in the tool, select sqlite_sequence table from the table drop-down list under the Browse Data tab, as
shown in the screenshot below:

about:blank 29/82
11/9/22, 10:13 AM CyberQ - Lab Guide

39. To examine the details related to WhatsApp contacts on the device, such as their display names, given names, numbers, jid, etc.,
select wa_contacts table from the table drop-down list under the Browse Data tab, as shown in the screenshot below:

about:blank 30/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: To view all the details associated with the contacts, scroll right in the Table section.

40. We shall now examine the artifacts stored in the locksettings database. The locksettings database contains settings such as the
status of the lock screen, lockscreen password type, status of the lockscreen pattern autolock (enabled or disabled), visibility of
the lockscreen pattern, etc.

41. To view the settings in the locksettings database, click Open Database from the toolbar of the DB Browser for SQLite window. The
Choose a database file window will appear. Navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\SQLite Databases,
select locksettings.db, and then click Open.

about:blank 31/82
11/9/22, 10:13 AM CyberQ - Lab Guide

42. When the locksettings.db file opens in the tool, select locksettings from the Table drop-down list under the Browse Data tab to
view the settings associated with the lock screen pattern, as shown in the following screenshot:

about:blank 32/82
11/9/22, 10:13 AM CyberQ - Lab Guide

43. If you want to save these artifacts for further reference/investigation, click on File from the menu bar, then click on Export, and then
click on Table(s) as CSV file… option from the Export drop-down menu.

about:blank 33/82
11/9/22, 10:13 AM CyberQ - Lab Guide

44. An Export Data as CSV window will appear. Select locksettings in the Table(s) section, and then click Save.

about:blank 34/82
11/9/22, 10:13 AM CyberQ - Lab Guide

45. A Choose a filename to export data window will appear. Choose a filename, its extension, and the location where you want to save
the file, and then click Save. Here, we have named the file locksettings, chosen a .csv extension, and are exporting/saving the file to
Desktop.

about:blank 35/82
11/9/22, 10:13 AM CyberQ - Lab Guide

46. Export completed pop-up appears. Click OK.

about:blank 36/82
11/9/22, 10:13 AM CyberQ - Lab Guide

47. The file pertaining to locksettings table will be saved to the chosen location as a .CSV file. If you want to access its contents, navigate
to the location where it is saved, and then double-click the file to open it and read its contents. Similarly, you can retrieve information
from tables stored in other databases and save them for further reference/investigation.

48. You can thus analyze and retrieve information from all databases compatible with SQLite using DB Browser for SQLite.

49. Close all open windows.

Lab 2: Performing Forensic Investigation on MySQL Database

Lab Scenario

A suspicious post was found on a WordPress website’s homepage, which indicates that a suspicious activity had occurred on the backend
database. The objective of this lab is to find the malicious user who gained access to MySQL server and examine the activities performed by
him/her on the WordPress website.

Lab Objectives

MySQL is an open-source relational database management system used in web applications.

In this lab, you will learn how to examine MySQL databases and identify the transactions/activities by a suspicious user.

Overview of the Lab

This lab familiarizes you with the process of investigating a MySQL database to find the activities performed by a malicious user on a
WordPress website.

Lab Tasks
1. Select CHFIV10 WINDOWS SERVER 2016 virtual machine and click Ctrl+Alt+Del.

about:blank 37/82
11/9/22, 10:13 AM CyberQ - Lab Guide

2. By default, Administrator user profile is selected, type qwerty@123 in the Password field and press Enter to login.

Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

about:blank 38/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: As you have already logged on to CHFIV10 WINDOWS SERVER 2016 virtual machine (in the previous lab), you can
skip above steps.

3. Navigate to C:\CHFI-Tools\CHFIv10 Module 11 Database Forensics\Database Analysis Tools\MySQL Database Analysis

Tools\Hex Workshop Hex Editor, double-click hw_v680.exe, and follow the wizard-driven installation steps to complete the
installation of Hex Workshop Hex Editor.

Note: If Open File - Security Warning pop-up appears, click Run.

about:blank 39/82
11/9/22, 10:13 AM CyberQ - Lab Guide

4. Upgrade Older Versions section appears now; select Yes, remove older versions., and click Next to proceed.

about:blank 40/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: If an End-User License Agreement appears, click I accept the terms in the License Agreement and click Next.

5. When the Choose Setup Type section appears, click on the Custom Installation icon.

about:blank 41/82
11/9/22, 10:13 AM CyberQ - Lab Guide

6. When the Custom Setup section appears, click Next and follow the subsequent steps to complete the installation.

7. In the last step of the installation, ensure that view readme file option is unchecked, and then click Finish.

about:blank 42/82
11/9/22, 10:13 AM CyberQ - Lab Guide

8. On completing the installation, when an Installer Information dialog box appears, click Yes to restart the virtual machine to allow the
configuration changes to take effect.

about:blank 43/82
11/9/22, 10:13 AM CyberQ - Lab Guide

9. Select CHFIV10 WINDOWS SERVER 2016 virtual machine and click Ctrl+Alt+Del.

about:blank 44/82
11/9/22, 10:13 AM CyberQ - Lab Guide

10. By default, Administrator user profile is selected, type qwerty@123 in the Password field and press Enter to login.

Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

about:blank 45/82
11/9/22, 10:13 AM CyberQ - Lab Guide

11. Now, before starting the lab task, you need to ensure that wampserver64 icon is displayed at the bottom-right corner in the task bar
notification area and has turned green. This is to ensure that wampserver64 has been initialized.

about:blank 46/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: In case the Wampserver icon is not displayed in the task bar notification area as described above, click on the Start
button (Windows icon) at the bottom left corner of the screen. From the Start menu, select the Wampserver64 icon under
the Wampserver64 folder, as indicated in the screenshot below. Wampserver will now be initialized and displayed to you
in the task bar notification area in green, as indicated earlier. A green Wampserver icon means it has been initialized.

Note: Please wait until the Wampserver icon turns green. It might take 4-5 minutes.

about:blank 47/82
11/9/22, 10:13 AM CyberQ - Lab Guide

12. Now, navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\MySQL Databases\data and copy the
wordpress_evidence.sql file.

about:blank 48/82
11/9/22, 10:13 AM CyberQ - Lab Guide

13. Now, paste the wordpress_evidence.sql file in C:\wamp64\bin\mysql\mysql5.7.26\bin

about:blank 49/82
11/9/22, 10:13 AM CyberQ - Lab Guide

14. Now, go back to C:\wamp64\bin\mysql\mysql5.7.26, select bin folder, hold Shift on the keyboard, and then right-click on the
selected bin folder. A Context menu appears; select Open command window here.

about:blank 50/82
11/9/22, 10:13 AM CyberQ - Lab Guide

15. A Command-line window appears, pointing to the C:\wamp64\bin\mysql\mysql5.7.26\bin folder.

about:blank 51/82
11/9/22, 10:13 AM CyberQ - Lab Guide

16. Type the command mysql -u root -p and press Enter. Here, -u parameter stands for username and -p parameter stands for
password. You will now be asked to enter a password. In the Enter password field, press Enter without issuing any password.

17. A mysql shell will appear, as shown in the following screenshot:

about:blank 52/82
11/9/22, 10:13 AM CyberQ - Lab Guide

18. Now, type create database wordpress; in the shell and press Enter. This creates a database named wordpress. Once done, type \q
and press Enter to exit the mysql shell.

about:blank 53/82
11/9/22, 10:13 AM CyberQ - Lab Guide

19. Now, we shall copy the contents of the wordpress_evidence.sql dump file (also known as a backup file) to the newly created
database.

20. To copy its contents, type mysql -u root -p wordpress < wordpress_evidence.sql in the command prompt and press Enter. You will
be asked to enter a password. In the Enter password field, press Enter without issuing any password.

about:blank 54/82
11/9/22, 10:13 AM CyberQ - Lab Guide

21. Now, login to mysql shell by entering the mysql -u root -p command, leaving the password field blank, and pressing Enter. To
examine the contents of the wordpress database, we need to run the use command on it. Therefore, upon entering the mysql shell,
type use wordpress; and press Enter to use the wordpress database.

about:blank 55/82
11/9/22, 10:13 AM CyberQ - Lab Guide

22. Now, we shall view the tables in the wordpress database. To view the tables, type the command show tables; and press Enter.

about:blank 56/82
11/9/22, 10:13 AM CyberQ - Lab Guide

23. The wp_users table contains all user accounts associated with the wordpress website. To view the users, type the command select *
from wp_users; and press Enter. When the users are listed, we see that a malicious user account with the username bad_guy is
present in the table. Let us make a note of the user ID, which is 125, as seen in the screenshot below:

about:blank 57/82
11/9/22, 10:13 AM CyberQ - Lab Guide

24. Since the scenario at the beginning of the lab states that a suspicious post was found on the webpage, we shall now view the columns
in the wp_posts table. To view the columns, type the command show columns in wp_posts; and press Enter. Upon running the
command, we see that there is a column named post_author, which corresponds to the posts made by the users.

about:blank 58/82
11/9/22, 10:13 AM CyberQ - Lab Guide

25. Now, using post_author and the bad_guy user id, we can collect all the posts made by the suspicious user (bad_guy). To collect these
posts, type the following lines one by one and press Enter:

select * from wp_posts

where post_author = '125'

into outfile 'evidence.txt';

Note: Upon running the above set of commands, if you see the error highlighted in the screenshot below, you will need to
disable the --secure-file-priv option in MySQL server.

about:blank 59/82
11/9/22, 10:13 AM CyberQ - Lab Guide

26. To disable the --secure-file-priv option in the MySQL server suggested above, minimize the command prompt window that is
running the mysql shell, click on the Windows icon at the bottom-left of the screen, and then type and search for Run.

27. Click on the Run option from the search results. When the Run dialog box appears, type services.msc and click OK.

about:blank 60/82
11/9/22, 10:13 AM CyberQ - Lab Guide

28. The Services window will appear. Scroll down this window to find wampmysqld64, select it, right-click on it, and then select the Stop
option from the context menu, as shown in the screenshot below:

about:blank 61/82
11/9/22, 10:13 AM CyberQ - Lab Guide

29. Now minimize the Services window and navigate to C:\wamp64\bin\mysql\mysql5.7.26. Select the my.ini file, right-click on it, and
then click on the Edit with Notepad++ option from the context menu.

about:blank 62/82
11/9/22, 10:13 AM CyberQ - Lab Guide

30. In the my.ini file that appears through Notepad++, search for the line that reads secure_file_priv="c:/wamp64/tmp". Edit this line
to secure_file_priv="" to disable the --secure-file-priv option in MySQL server. This step has been demonstrated through the two
screenshots below:

about:blank 63/82
11/9/22, 10:13 AM CyberQ - Lab Guide

about:blank 64/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: If a Notepad++ update dialog-box appears, select No.

31. Now, save the above file by clicking on File in the menu bar and then selecting Save. Close the window after saving the file.

about:blank 65/82
11/9/22, 10:13 AM CyberQ - Lab Guide

32. Now, go back to the Services window minimized earlier, select wampmysqld64, right-click on it, and then click on Start from the
context menu. This will start the wampmysqld64 service again. Close the Services window.

about:blank 66/82
11/9/22, 10:13 AM CyberQ - Lab Guide

33. Now, go back to the command prompt window running the mysql shell that you had minimized earlier, input the same set of
commands given below one by one, and press Enter. You will now see the desired result.

select * from wp_posts

where post_author = '125'

into outfile 'evidence.txt';

about:blank 67/82
11/9/22, 10:13 AM CyberQ - Lab Guide

34. When we run the above commands, the posts made by the malicious user whose user ID is 125 are collected and saved to a file
named evidence.txt in the location C:\wamp64\bin\mysql\mysql5.7.26\data\wordpress

35. Now, navigate to the location specified above and open the evidence.txt file by right-clicking on it and selecting Edit with
Notepad++.

about:blank 68/82
11/9/22, 10:13 AM CyberQ - Lab Guide

36. In this file named evidence.txt, you will find all posts made by the malicious user on the target WordPress website. As we can
observe in the screenshot below, a post made by the malicious user on the target website reads as: It was so easy to hack into the
web application. Never thought it would be such easy to get into this!!! Never thought this would happen.

about:blank 69/82
11/9/22, 10:13 AM CyberQ - Lab Guide

37. Close the file and the Command-line window. Now, we shall track all transactions performed by the malicious user.

38. The binary log files store all transactions occurring on databases. As an investigator, you can examine these files to track the
transactions performed by a user on a target database.

39. Navigate to C:\CHFI-Tools\Evidence Files\Databases for Analysis\MySQL Databases\data. Here, you will find all logs associated
with the wordpress database, as shown in the following screenshot:

about:blank 70/82
11/9/22, 10:13 AM CyberQ - Lab Guide

40. Since the malicious user created a user account for himself with the login name bad_guy, you may analyze the wp_users.frm file with
a hex editor like Hex Workshop Hex Editor that contains a list of login names associated with the users.

Note: wp_users is a table that contains columns to store the list of registered users of a WordPress website. You can find
information such as usernames, WordPress passwords, email IDs, display names, etc. Hence, considering the importance
of such information, we examine the wp_users.frm file.

41. Open wordpress folder, select and right-click on the wp_users.frm file, and then select Hex Edit with Hex Workshop v6.8 from the
context menu.

about:blank 71/82
11/9/22, 10:13 AM CyberQ - Lab Guide

42. The Hex Workshop Hex Editor application will now open. Scroll down the application window; we can observe that the login names
are stored under the user_login column. Highlight the string user_login using the mouse cursor so that the column name’s
hexadecimal equivalent, which is 757365725F6C6F67696E, is also highlighted in the left pane of the window, as indicated in the
screenshot below:

about:blank 72/82
11/9/22, 10:13 AM CyberQ - Lab Guide

43. With the help of the hexadecimal equivalent of user_login parameter, which is 757365725F6C6F67696E, we shall first try to locate the
attacker’s login name from the binary logs, and from there on, we shall trace the activities performed by the attacker.

44. To do so, we shall analyze the log file named mysql-bin.000034. To find the file, navigate to C:\CHFI-Tools\Evidence Files\Databases
for Analysis\MySQL Databases\data, select the file mysql-bin.000034, and open it by right-clicking on it and then selecting Hex
Edit with Hex Workshop v6.8 from the context menu, as indicated in the screenshot below:

about:blank 73/82
11/9/22, 10:13 AM CyberQ - Lab Guide

Note: For the purpose of demonstration, we have directly examined the log file mysql-bin.000034 to find the artifacts that
are forensically relevant to us in this lab. In a real-life scenario, you need to go through all MySQL binary logs to trace the
identity and activities of any malicious user.

45. When the mysql-bin.000034 file opens in Hex Workshop tool, choose Edit from the toolbar and click Find… from the drop-down
menu.

about:blank 74/82
11/9/22, 10:13 AM CyberQ - Lab Guide

46. The Find window appears. Under the Criteria tab, ensure that Hex Values is selected in the Type field (A). Now, type the hexadecimal
value 757365725F6C6F67696E obtained from the wp_users.frm file in the Value field (B), which automatically translates to
user_login in the Text field (C). Select the Direction as Down and click OK.

about:blank 75/82
11/9/22, 10:13 AM CyberQ - Lab Guide

47. We find the hexadecimal value 757365725F6C6F67696E highlighted in the file along with the associated text ‘user_login’. We also
find many other text strings such as ‘user_pass’, ‘user_nicename’, and ‘user_email’, along with their values such as ‘bad_guy’,
‘pass123’, ‘anonymous_hacker’, and ‘badguy@xyz.com’.

about:blank 76/82
11/9/22, 10:13 AM CyberQ - Lab Guide

48. Among the text strings mentioned here, ‘user_login’ denotes the username parameter. The value that corresponds to it is ‘bad_guy’.
This means the username of the malicious user is ‘bad_guy’. Similarly, ‘user-pass’ stands for password and its value is identified as
‘pass123’. We also find the value of ‘user_nicename’ to be ‘anonymous_hacker’ and that of ‘user_email’ to be ‘badguy@xyz.com’.

49. From the above observation, we can infer that the malicious user has used the following details: login name or username as bad_guy,
password as pass123, nicename as anonymous_hacker, and email ID as badguy@xyz.com.

50. Now scroll down in the window where we saw the malicious user details in the above screenshot; for a clearer view, expand it
horizontally by dragging the horizontal scroll bar to examine the log entries corresponding to the malicious user’s actions on the
website. The horizontal scroll bar will be available to you only when you click and drag the Hex/Text Divider line, that is, the margin
that divides the hexadecimal and text view sections.

Note: You may also shrink the lower pane of the application window for a clearer view of the artifacts.

51. Upon careful observation, we can notice that the attacker made a post with post_author ID: 125 on 14th June 2016 at 07:38:52
GMT. The post_content or the content of the post reads as It was so easy to hack into the web application. Never thought it
would be such easy to get into this!!! The post_title or post_name provided by the attacker was Never thought this would
happen.

Note: As we have determined previously, 125 is the user ID of the malicious user on the affected WordPress website.

about:blank 77/82
11/9/22, 10:13 AM CyberQ - Lab Guide

52. When you carefully scroll down, you will see that DELETE operations have been performed on the metadata of a user.

53. In the screenshot above, we can observe that the metadata pertaining to a user with umeta_id 55 (denotes the metadata ID of the
user) and a user with ID 124 has been removed from the wp_users table. From the previous examination performed in this lab, we can
deduce that the malicious user identified as bad_guy might have performed these DELETE operations on the affected WordPress
site.

about:blank 78/82
11/9/22, 10:13 AM CyberQ - Lab Guide

54. Similarly, if you scroll further down, you will also find a DELETE operation where the malicious user has deleted the metadata
pertaining to a post with meta ID 14 (denotes the metadata ID of the post) and an option by the name transient_doing_cron.

about:blank 79/82
11/9/22, 10:13 AM CyberQ - Lab Guide

55. If you want to save the retrieved information using the Hex Workshop Hex Editor application for further reference or investigation,
then click File from the menu bar, and then click Export…

about:blank 80/82
11/9/22, 10:13 AM CyberQ - Lab Guide

56. Export As window will now appear. Choose the location where you want to save the file, name it, and then click Save. Here, we are
saving the file to Desktop and naming it as Evidence collected from mysql-bin.000034.txt.

about:blank 81/82
11/9/22, 10:13 AM CyberQ - Lab Guide

57. The file will be exported to the chosen location as a .txt file, in which you will find all artifacts pertaining to the activities of the
attacker, as we had found in the Hex Workshop Hex Editor application.

Note: Ensure a .txt extension at the end of the file name so that it gets saved as a .txt file only.

58. Similarly, you may examine all log entries and retrieve information on various transactions performed by an attacker on a WordPress
website.

59. Close all open windows.

about:blank 82/82