Penetration Testing mailing list archives
RE: Light forensics
From: Dave Kleiman <dave () davekleiman com>
Date: Mon, 11 Jan 2010 14:40:06 -0600
Eduardo,

**This is not legal advice, and I am not an attorney. If you want competent legal advice suited to your needs, you should consult a qualified attorney in your area.**

If you are unfamiliar with forensic techniques, you may do more harm than good attempting this on your own. You might, at the very least, perform this process under the guidance of an experienced person, especially if this may end up in court.

If you are unfamiliar with data recovery techniques, once again you may do more harm than good. I heard a lot of recommendations for software recovery products; however, I did not hear anyone mention not to install them on the drive you are working on. At the very least, you should make an image for preservation of the drive(s) in question while it is properly connected to a write-blocking device.

If security event logging is enabled (it is not by default), there would be some entries under the Network Service user that would have registry keys in the description; however, it does not show the IP address numbers.

A better approach, if this is a member of a domain, would be to parse the log files for that particular machine name's logon/logoff events. Then you could simply see the source address and, roughly, when it changed. For instance, if it shows the system logon from 20091010-20091121 with source address 192.168.1.1, then suddenly on 20091123 the source address is 192.168.1.222, you have a window of when it could have been changed. The registry will only show the last time the IP address registry key was changed.

Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com - http://www.DigitalForensicExpert.com
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff
Sent: Thursday, January 07, 2010 08:44
To: Eduardo Sierra; pen-test () securityfocus com
Subject: RE: Light forensics

Eduardo,

I'm not sure there really is such a thing as 'light'. If you are just looking to find out who deleted a file and get it back, then to me that is not really true forensics. (People do this daily.) True forensics involves freezing hardware/disks for legal reasons... etc.

If you just want to undelete a file, there are tons of tools out there (open source, hacker and commercial). Easiest thing is to search Google or Yahoo.

One catch: if the file is on the PC and not on a network and someone has already used the PC since the file was deleted, then you're going to have a very low percentage of getting the file back.

Jeff

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Eduardo Sierra
Sent: January 05, 2010 9:09 AM
To: pen-test () securityfocus com
Subject: Light forensics

Hi,

We had a security incident, and I'm doing a "light" forensics. Is there a log you can check to see IP address changes in a Windows XP box? Any good free tool to undelete files?

Many thanks,
Eduardo Sierra
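Dave's suggestion of bracketing the IP change from domain logon/logoff events, carried through as an added example (editor's code, not from anyone in the thread). It assumes the domain controller's Security log has already been exported to text with one event per line in a constructed four-column layout (timestamp, event type, workstation name, source address); real exports from that era (`dumpel`, `eventquery`, or a similar tool) lay the columns out differently, so the parser would need to be adapted. The sample lines, the workstation name WKS-SIERRA and the addresses are all constructed for the example.

```python
from datetime import datetime

# Constructed sample export (not a real log). Columns: timestamp, event type,
# workstation name, source address. Deliberately out of order, with one junk
# line, to exercise the sorting and the skip logic.
SAMPLE_EXPORT = """\
2009-10-10 08:02:11,Logon,WKS-SIERRA,192.168.1.1
2009-11-23 08:10:33,Logon,WKS-SIERRA,192.168.1.222
2009-11-21 17:02:10,Logoff,WKS-SIERRA,192.168.1.1
2009-10-10 17:31:04,Logoff,WKS-SIERRA,192.168.1.1
2009-11-21 08:05:47,Logon,WKS-SIERRA,192.168.1.1
2009-11-23 17:12:09,Logoff,WKS-SIERRA,192.168.1.222
2009-11-24 08:01:15,Logon,WKS-OTHER,192.168.1.50
this line is not an event and must be skipped
"""


def parse_events(text):
    """Parse the export into a chronologically sorted list of
    (timestamp, WORKSTATION, source_ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        ts_text, _event_type, workstation, source_ip = parts
        try:
            ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append((ts, workstation.upper(), source_ip))
    events.sort()  # an export is not guaranteed to be in time order
    return events


def address_changes(events, workstation):
    """Return the change windows for one workstation.

    Each window is (old_ip, last_seen_old, new_ip, first_seen_new): the host
    still authenticated from old_ip at last_seen_old and already from new_ip
    at first_seen_new, so the change happened somewhere in between. The gap
    is only as tight as the host's logon activity; a host that did not touch
    the domain for a week gives a week-wide window.
    """
    windows = []
    current_ip = None
    last_seen = None
    for ts, name, ip in events:
        if name != workstation.upper():
            continue
        if current_ip is not None and ip != current_ip:
            windows.append((current_ip, last_seen, ip, ts))
        current_ip, last_seen = ip, ts
    return windows


def describe(workstation, window):
    """One-line summary of a change window for a report."""
    old_ip, last_old, new_ip, first_new = window
    return (f"{workstation}: {old_ip} last seen {last_old:%Y-%m-%d %H:%M:%S}; "
            f"{new_ip} first seen {first_new:%Y-%m-%d %H:%M:%S} "
            f"(window {first_new - last_old})")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for w in address_changes(evs, "wks-sierra"):
        print(describe("WKS-SIERRA", w))
```

This only narrows the change down to the interval between two domain authentications; to line it up with the registry, compare the window against the last-write time of the interface's TCP/IP key that Dave mentions, which gives the final change but nothing earlier.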
Current thread:
- Light forensics Eduardo Sierra (Jan 06)
- Re: Light forensics Alonso Caballero Quezada / ReYDeS (Jan 11)
- Re: Light forensics Wim Remes (Jan 11)
- Re: Light forensics Tom Ritter (Jan 11)
- Re: Light forensics Adrian Puente Z. (Jan 11)
- Re: Light forensics H. Kurth Bemis (Jan 11)
- RE: Light forensics Levenglick, Jeff (Jan 11)
- RE: Light forensics Dave Kleiman (Jan 11)
- Re: Light forensics Felipe Martins (Jan 18)
- RE: Light forensics Boyd, Chad (Jan 18)
- Re: Light forensics Adel Abushaev (Jan 11)