PaulDotCom mailing list archives
Re: Forensics
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 28 Apr 2011 15:09:58 -0500
Michael Lubinski <michael.lubinski () gmail com> writes:
> When people ask me, "how did I get infected?" What would you guys recommend as a good forensics tool to help unmask the avenue of infection?
Indeed it's a simple and common question that takes a ton of resources to answer. As other posters have said, without a full forensic analysis and corroborating network logs and vulnerability history of the endpoint, and perhaps browser cache and history info from the browser, it's gonna be hard to know with any degree of certainty.

For workstation infections, my money is usually on "oh, probably a third party web plugin that no one told you should and must keep updated to even have a prayer." See also
http://www.mozilla.com/en-US/plugincheck/
https://browsercheck.qualys.com/

Or... someone was too gullible to question whether FedEx and UPS really would send me a package notification in a zip attachment. *face palm* Or there were links on Facebook they couldn't resist.

But... assuming you have time to do things on this front for them out of curiosity or magnanimity, a super timeline can be really handy
http://log2timeline.net/
(the accompanying SANS gold paper is quite good too) in lining up browser histories, event logs, and AV logs would likely be helpful.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
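An added illustration of the "lining up" step Todd describes (example code written for this archive page, not from the post or from log2timeline): browser history, Windows event log and AV log records, each with its own timestamp format and time zone, are normalized to UTC and merged into one ordered timeline, then the minutes before the AV detection are pulled out. All record contents, file names and the UTC-5 event-log offset are constructed sample values.

```python
# Mini super-timeline: normalize timestamps from several artifact sources
# into one chronological list, then inspect the window before an AV hit.
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs). Each source keeps its native format.
BROWSER_HISTORY = [  # ISO timestamps, assumed already in UTC
    ("2011-04-28T14:01:10", "visit", "http://social.example/feed"),
    ("2011-04-28T14:02:35", "visit", "http://ads.example/promo.html"),
    ("2011-04-28T14:02:41", "download", "C:\\Users\\bob\\Downloads\\update.exe"),
]
EVENT_LOG = [  # Windows-style local time; this sample host is assumed to be UTC-5
    ("04/28/2011 09:02:50", 4688, "Process created: update.exe"),
    ("04/28/2011 09:03:02", 7045, "Service installed: svchelper"),
]
AV_LOG = [  # epoch seconds (UTC)
    (1303999400, "Trojan.Generic", "C:\\Windows\\Temp\\svchelper.exe"),
]


def build_timeline(browser, events, av, event_log_utc_offset_hours=-5):
    """Return (utc_datetime, source, description) rows sorted by time."""
    local_tz = timezone(timedelta(hours=event_log_utc_offset_hours))
    rows = []
    for ts, action, target in browser:
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        rows.append((when, "browser", f"{action} {target}"))
    for ts, event_id, msg in events:
        local = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").replace(tzinfo=local_tz)
        rows.append((local.astimezone(timezone.utc), "eventlog", f"EID {event_id}: {msg}"))
    for epoch, name, path in av:
        when = datetime.fromtimestamp(epoch, tz=timezone.utc)
        rows.append((when, "antivirus", f"{name} in {path}"))
    rows.sort(key=lambda r: r[0])  # stable sort keeps source order on ties
    return rows


def events_before(timeline, source, minutes):
    """Rows from every source in the `minutes` before the first event of `source`."""
    pivot = next(r[0] for r in timeline if r[1] == source)
    start = pivot - timedelta(minutes=minutes)
    return [r for r in timeline if start <= r[0] < pivot]


if __name__ == "__main__":
    timeline = build_timeline(BROWSER_HISTORY, EVENT_LOG, AV_LOG)
    for when, src, desc in timeline:
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {src:<9} {desc}")
    print("--- one minute before the AV detection ---")
    for when, src, desc in events_before(timeline, "antivirus", 1):
        print(f"{when:%H:%M:%S}Z  {src:<9} {desc}")
```

The same normalization is what makes a real super timeline useful: once every artifact shares one clock, the download that preceded the process creation and the service install is visible at a glance.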