PaulDotCom mailing list archives

Re: Forensics


From: Michael Lubinski <michael.lubinski () gmail com>
Date: Thu, 28 Apr 2011 17:02:24 -0500

I definitely appreciate all the information. Currently our explanation is
something along the lines of: email attachments, flash, java, stupid user,
you stood no chance... sort of thing. I was just looking into some
information to move beyond this point.

Because we can't stop it when we don't know how it happened... even if it is
*face palm* stupid user syndrome.

Thanks again.

On Thu, Apr 28, 2011 at 2:59 PM, Ken Pryor <kdpryor () gmail com> wrote:

I would echo what Andrew said. A timeline may not prove something beyond
all doubt, but it can help strongly infer what happened. You can use
Autopsy, as Andrew said, or there are ways of creating a timeline from the
command line using the Sleuth Kit tools (which Autopsy uses as well). You
can bring in more detail to a "super" timeline using the Sleuth Kit,
Log2timeline and regtime.pl by Harlan Carvey. I've used this method before
to help figure out the means and activity of malware.

You can read how to create the super timeline at
http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/
although that particular article was brought over from the old version of
the blog and didn't translate over very well.

Ken


On Thu, Apr 28, 2011 at 2:22 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

I got quite a chuckle out of a few of them, thanks.


On Thu, Apr 28, 2011 at 2:17 PM, Josh More <jmore () starmind org> wrote:

I don't think you'll find one.  Unless the infected system is set up with
an appropriate level of auditing and there are network logs to compare
against, the important data will be lost.

Here are some questions.  If they say "yes" to any of them, stop asking
questions, assume that that's the vector and take corrective action.  This
will work well for you in something like 90% of these situations and fail
catastrophically in the other 10%.  Identifying which is which is left as an
exercise to the reader.  ;)

* Is the user running as a local administrator?
* Is the system missing the most recent service pack?
* Is the system missing any security patches?
* Is the system running an older version of Adobe Reader?
* Is the system running an older version of Adobe Flash?
* Is the system running an older version of Oracle (or Sun) Java?
* Is the system running an older version of Mozilla Firefox, Google
Chrome or Opera?
* Is the system's firewall off?
* Can you download the files from www.eicar.org?
* Can you browse to porn sites?
* Can you browse gambling sites?
* If you plug a USB drive with an autorun file on it, does it run?
* Did the user anger the wrong people on the Internet?
* Is the user unlucky?

-Josh More


On Thu, Apr 28, 2011 at 1:56 PM, Michael Lubinski <michael.lubinski () gmail com> wrote:

When people ask me, "how did I get infected?"

What would you guys recommend as a good forensics tool to help unmask
the avenue of infection?
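The "super" timeline Ken describes is, at bottom, a merge of timestamped records from several sources (file system metadata from the Sleuth Kit's fls, registry key LastWrite times from regtime.pl, log2timeline output) into one chronological list, which you then read backwards from the first malicious artifact to find what preceded it, i.e. the avenue of infection Michael is asking about. The script below is an added example for this thread, not code from the Sleuth Kit, log2timeline or regtime.pl. It assumes the Sleuth Kit body format (version 3, `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`), which fls and regtime.pl both emit; the sample records, file paths and timestamps are constructed, not taken from any real image.

```python
"""Merge Sleuth Kit bodyfile records from several sources into one
chronological (super) timeline and pivot on a suspect artifact.

Added example for the thread above; not code from the Sleuth Kit,
log2timeline or regtime.pl. Assumes the body format (version 3):
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
Every record below is constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed fls-style records for a user's files (hypothetical paths).
FLS_BODY = """\
0|/Users/alice/Downloads/invoice.pdf|12345|r/rrw-r--r--|501|20|73216|1303990200|1303990180|1303990180|1303990180
0|/Users/alice/AppData/Local/Temp/~tmp4f.exe|12346|r/rrwxr-xr-x|501|20|204800|1303990260|1303990250|1303990250|1303990250
"""

# Constructed regtime.pl-style record: the key's LastWrite time is placed in
# the mtime column; the other timestamp columns are 0 and are ignored.
REG_BODY = """\
0|[HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]|0|0|0|0|0|0|1303990270|0|0
"""

FIELDS = ("atime", "mtime", "ctime", "crtime")
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}


def parse_body(text, source):
    """Turn bodyfile lines into (epoch, macb, source, name) events.

    As mactime does, timestamps that fall on the same second collapse into
    one row whose MACB column marks every field that matched (e.g. 'm.cb').
    """
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"not a v3 bodyfile record: {line!r}")
        name = parts[1]
        stamps = dict(zip(FIELDS, (int(p) for p in parts[7:11])))
        by_second = {}
        for field, ts in stamps.items():
            if ts > 0:                      # 0 means "no timestamp recorded"
                by_second.setdefault(ts, set()).add(FLAG[field])
        for ts, flags in by_second.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, macb, source, name))
    return events


def build_timeline(*sources):
    """Merge (text, source_label) pairs into one list sorted by time."""
    merged = []
    for text, label in sources:
        merged.extend(parse_body(text, label))
    merged.sort(key=lambda e: (e[0], e[2], e[3]))
    return merged


def fmt(event):
    """Render one event as a mactime-style line, in UTC."""
    ts, macb, source, name = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} UTC  {macb}  {source:<4} {name}"


def pivot_window(timeline, needle, before_seconds):
    """Events within `before_seconds` before the first event whose name
    contains `needle` (the suspected malware artifact).

    Returns (pivot_event, preceding_events); pivot_event is None when the
    needle is not on the timeline.
    """
    pivot = next((e for e in timeline if needle in e[3]), None)
    if pivot is None:
        return None, []
    lo = pivot[0] - before_seconds
    return pivot, [e for e in timeline if lo <= e[0] < pivot[0]]


if __name__ == "__main__":
    tl = build_timeline((FLS_BODY, "fls"), (REG_BODY, "reg"))
    for e in tl:
        print(fmt(e))
    pivot, before = pivot_window(tl, "~tmp4f.exe", 120)
    print("\nActivity in the 2 minutes before", pivot[3], "appeared:")
    for e in before:
        print(" ", fmt(e))
```

Run against real data, each source's bodyfile is simply read from disk and passed to `build_timeline` with its label; the pivot window is where the investigative value lies, since the records just before the dropper's creation time (here a PDF download followed by a Run key change) are what point at the vector. Keep all clocks in UTC when merging sources, or the ordering will be wrong by the host's timezone offset.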

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
