The cost of computer forensics for a linux box?

cubicR

New Member
Joined
Dec 6, 2020
Messages
7
Reaction score
5
Credits
55
Hi all, my Debian box that is used for Web and Graphic design has been hacked. Some of my work (unreleased) has been floating around the net. I am thinking of getting it analysed by a computer forensic investigator. Any idea how much this may cost me? I am in Australia/NZ region. The box has 10TB storage in RAID. All updates were regularly applied. Is it worth it? I wonder.
 


G'day @cubicR from an Aussie, and welcome to linux.org, albeit under trying circumstances :)

I am not a security guru, but I hope you get some helpful input.

Cheers

Chris Turner
wizardfromoz
 
Google displayed a snippet when I typed "computer forensic rates".

From our experience, the typical forensic analysis of modern computer costs somewhere in the $5,000 to $15,000 range. Multiple hard drives, RAID, encryption and broad scope of investigation usually increase this cost by 30%.

Rates - Computer Forensic Expert
https://www.elvidence.com.au/home/rates/

It is so freaking expensive that it made me think of totally reinstalling my OS, changing all passwords and hoping for the best. Perhaps I should switch to a hardened Linux OS. Any suggestions on these are appreciated.
 
I couldn't say anything on the forensic side of things.
But regarding this:
All updates were regularly applied.

I'm assuming that your Debian machine was either a server, or had some kind of server software running on it?
Keeping software up to date is only part of the battle in keeping your server/internet facing services secure.

There are a number of other factors that need to be addressed - like ensuring that any running services are configured securely and that their configurations are KEPT secure.
Configuring securely isn't a fire-and-forget thing. You configure services securely when you first set them up. But you also need to keep checking the goings-on with that piece of software. At some point, there may be some new features requiring additional configuration settings that are recommended to keep the bad guys out.

Also there are things like: enabling your firewall, enabling SELinux, removing unnecessary services, disabling remote SSH login using username and password and using cryptographic keys instead. Disabling root login via SSH. Installing something like fail2ban and setting it up to automatically block an IP after a set number of failed login attempts. Setting up some kind of intrusion detection system that will alert you if the system has been altered/compromised.

And those are just a few suggestions off the top of my head. I'm not even a sys-admin/server-guy.
I'm sure @Rob, @f33dm3bits and some of the other sys-admin types here can suggest additional courses of action to keep your machine secure when you re-install and set everything up again.

What kind of setup was this Debian PC? What services did you have running on it? Web server? SSH?
 
You already mentioned most of them: firewall, SELinux, only key-based logins. As for disabling the unnecessary services, I always install my server systems with a minimum install, which is already the minimum needed for a system to run.

As for the SSH port, don't make it accessible from all of the internet, and if you do, have it run on a custom port; if it's only needed from specific IPs then use a whitelist firewall setup for it. For everything on the system I usually tend to have the policy of giving whatever needs access to something the least amount of privileges needed; that goes for the firewall, SELinux, users, applications etc.

For web servers you can use mod_security, monitor your logs with fail2ban, which blocks a source IP if someone tries too many times, and if someone does it multiple times, block them for a longer period of time. You can set up AIDE, logwatch, and audit rules to see what and who accessed certain files and directories, and have some type of e-mail alerting for it. You can also forward your logs to a remote syslog server so that if you think your local logs have been tampered with, you can use the logs stored on that remote system.

That's most of it; I have probably forgotten something here and there, but it's not something you configure on a daily basis.
 
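Added example, not code from anyone in this thread: a small POSIX shell audit that checks an OpenSSH sshd_config for the login settings KGIII and f33dm3bits recommend turning off (password logins and root login over SSH), and shows the one sshd_config(5) rule that silently defeats a lot of "hardening": sshd uses the first value it finds for a keyword, so a `PasswordAuthentication no` appended at the end of a file that already says `yes` earlier, or that a drop-in under /etc/ssh/sshd_config.d/ (included at the top of Debian's stock file) sets first, changes nothing. The two configuration files in the block are constructed samples, not captures from any real host, and the keyword name KbdInteractiveAuthentication assumes OpenSSH 8.7 or newer (older releases call it ChallengeResponseAuthentication).

```shell
#!/bin/sh
# Added example, not from the thread. Audits an OpenSSH sshd_config for the
# login settings discussed above. Caveat reproduced here: sshd takes the FIRST
# value it meets for a keyword (sshd_config(5)), so later lines never override
# earlier ones, and a Debian-style "Include sshd_config.d/*.conf" at the top
# means drop-in files win over the main file. Keyword names assume OpenSSH
# 8.7+ (KbdInteractiveAuthentication; older releases call it
# ChallengeResponseAuthentication).

# effective_value FILE KEYWORD: print the first (hence effective) value of
# KEYWORD in FILE, lower-cased, or nothing if it is never set. Scanning stops
# at the first Match block because values in there are conditional.
effective_value() {
    awk -v kw="$2" '
        /^[[:space:]]*(#|$)/ { next }                       # comment or blank
        tolower($1) == "match" { exit }                     # conditional section
        NF >= 2 && tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# check FILE KEYWORD WANTED DEFAULT: print one FINDING line when the effective
# value (or the OpenSSH default, if the keyword is unset) is not WANTED.
check() {
    got=$(effective_value "$1" "$2")
    [ -n "$got" ] || got=$4
    if [ "$got" != "$3" ]; then
        printf 'FINDING %s is "%s", want "%s"\n' "$2" "$got" "$3"
    fi
}

# audit_sshd FILE: the four settings the posts above single out. Defaults are
# those of upstream OpenSSH (PermitRootLogin defaults to prohibit-password,
# which still allows key-based root login, so "no" is required here).
audit_sshd() {
    check "$1" PermitRootLogin no prohibit-password
    check "$1" PasswordAuthentication no yes
    check "$1" KbdInteractiveAuthentication no yes
    check "$1" PubkeyAuthentication yes yes
    return 0
}

# Two constructed sample files (not real captures).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# Looks like a stock Debian file that someone "hardened" by appending lines.
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
# Appended later; sshd ignores it because the keyword was already set above.
PasswordAuthentication no
EOF

cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF

echo "== weak config =="
audit_sshd "$WEAK_CFG"      # three findings; the appended "no" changed nothing
echo "== hardened config =="
audit_sshd "$HARD_CFG"      # prints nothing: nothing to report
```

On a live Debian box, compare against `sudo sshd -T`, which prints the effective configuration after Includes and Match blocks have been resolved, rather than reading the file by eye. After editing sshd_config, run `sudo sshd -t` to syntax-check it before restarting the service, and keep your existing session open until a fresh key-based login has succeeded.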
It is so freaking expensive that made me think of totally reinstalling my OS, changing all passwords and hope for the best. Perhaps I should switch to a hardened Linux OS. Any suggestions on these are appreciated.

That doesn't close the hole they used to get in the last time.

What all were you running on the box? As in, were you running a web server with WordPress? If so, what control panel did you use - if any? Virtualmin? VestaCP? Was this just a box in your home? Did your router have port-forwarding enabled? Does your router keep logs? How did you find out that you were hacked? Are you sure that it was a remote hack and not someone with physical access to the server?

There are a ton of similar questions - but if you answer them all you'll figure out how the hack most likely happened. There are a lot of similar questions - all of which will help you narrow it down.

In order to resolve the issue, you need to make sure they can't get back in.

I assume you've already taken the system offline. Depending on how much you care, take it offline and leave it powered on so that anything left in the current RAM remains there.

If it's of vital importance, you can try your local police department, asking them to refer you to their in-house forensic specialist. If they don't have one, the larger law enforcement community will. They may not be able to prosecute, but they may well investigate.

Of course, this means you lose control of your system for the duration of said investigation and that can be quite a hit. You'd lose access if you paid for a private company, so that remains the same.
 
Thanks all for the pointers and hints. I am back to the drawing board. Looks like I have a lot of learning and planning ahead of me ;-)
 