Security Basics mailing list archives

RE: help with forensics on a desktop computer


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Fri, 12 Nov 2004 15:14:49 -0500

Your question is not well stated. I am figuring you are looking to catch
the bad guy here? You want to monitor access to and from the PC at the
person's house? There are so many keyloggers around that would do the
trick. They'll write a file discreetly to the HD. By the way, do you
have a router in place at home? If not, you'll have MAJOR problems,
especially if there was no ADMIN password set. Anyone could have
connected to your registry remotely, enabled Remote Desktop (amongst
other things), and connected at some off-peak time, i.e. 3:00 am. At which
point you're toast. A router or firewall would have prevented the
initial connection.
To identify the offending IP, I would think that a good thing to do
would be to toss a HUB between your Cable/DSL modem and your PC. Plug in
your PC to 1 port on the HUB and then hook up another PC running some
sort of packet sniffing software, i.e. SNORT, WINDUMP/TCPDUMP or
Ethereal. From there you can log ALL packets going in and out of your
machine. There is a nice document on creating a receive-only cable here:
http://www.dggomez.arrakis.es/secinf/roc/roc.pdf to be truly cautious.
(GOOD THREAD:
http://www.theadamsfamily.net/~erek/snort/ro_cable_and_hubs.txt )
You probably don't want to allow the connections to the remote site to
continue, so you could set up a honeypot or do egress filtering with any
of the numerous firewalls out there, whether PC or Linux based. Devil
Linux and Coyote Linux are both floppy distros, boot-and-run type setups.
If you have an old PC lying around, put in two NICs, drop it after the
Cable/DSL modem and before the hub and you have an instant firewall.

Was this any help?
JMB
-----Original Message-----
From: Undisclosed [mailto:private () somewhere com] 
Sent: Thursday, November 11, 2004 12:33 PM
To: Security Basics[List]
Subject: help with forensics on a desktop computer

[reply address not given due to client's insistence on confidentiality]
Ok, here's the skinny:
An XP box (Home Edition); the client feels that it has been compromised
from remote. The evidence for this they have gathered from Norton Tools
(I am unfamiliar with any logging feature, though I do not use Norton
Tools). I disabled remote desktop support in services and they called me
and said again there is evidence of access from remote. Now, the
location of the computer in their house is in a small secured room
(access doesn't happen from anyone except the client from there [that
they know of!]). Yes, others live in the house.
Question: is there any effective free or inexpensive (under $100) tool that
monitors access both local and from remote? Something that can be
installed via administrative account and not detected by anyone else
using the computer? Or, tell me if I am dreaming, but can it be run from a
floppy or a CD-ROM rather than installed? If I am on the right track,
maybe something that puts a log on the A: drive.
Also, is there any software which anyone might have put on it to
compromise it from remote? I am aware of PCAnywhere and remote
assistance (now disabled).
Treat me like I'm six years old. All comments and answers appreciated.
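One way to turn the hub-and-sniffer setup from Jason's reply into a first pass at "identify the offending IP": an added Python example, not part of the original thread, that reads tcpdump-style lines and groups inbound connection attempts to the home PC by remote address, flagging the remote-control ports the thread mentions (Remote Desktop, pcAnywhere) and off-peak hours. The sample log lines, the home PC address, the port table and the off-peak window are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture) as the sniffer box on the
# hub would log them. The home PC is assumed to be 192.168.1.10.
SAMPLE_LOG = """\
03:02:11.104212 IP 203.0.113.45.51234 > 192.168.1.10.3389: Flags [S], seq 1, win 65535, length 0
03:02:11.105001 IP 192.168.1.10.3389 > 203.0.113.45.51234: Flags [S.], seq 2, ack 2, win 8192, length 0
03:02:15.331009 IP 203.0.113.45.51234 > 192.168.1.10.3389: Flags [P.], seq 1:40, ack 1, win 65535, length 39
14:21:03.000421 IP 192.168.1.10.1088 > 198.51.100.7.80: Flags [S], seq 9, win 65535, length 0
14:21:03.020001 IP 198.51.100.7.80 > 192.168.1.10.1088: Flags [S.], seq 3, ack 10, win 5840, length 0
03:07:42.998100 IP 203.0.113.45.51300 > 192.168.1.10.5631: Flags [S], seq 5, win 65535, length 0
"""

HOME_PC = "192.168.1.10"                                   # assumed address of the client's XP box
REMOTE_ACCESS_PORTS = {3389: "Remote Desktop", 5631: "pcAnywhere"}  # services named in the thread
OFF_PEAK_HOURS = range(0, 6)                               # 00:00-05:59, the "3:00 am" window

# Matches the IPv4/TCP line shape tcpdump prints: time, src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def inbound_syns(log_text, home_ip=HOME_PC):
    """Yield (hour, remote_ip, dst_port) for every bare SYN aimed at the home PC,
    i.e. every connection that was opened from outside rather than by the PC itself."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4/TCP line in this format; ignore it
        hour, src, dst, dport, flags = (int(m.group(1)), m.group(4), m.group(6),
                                        int(m.group(7)), m.group(8))
        if dst == home_ip and flags == "S":
            yield hour, src, dport


def suspects(log_text, home_ip=HOME_PC):
    """Group inbound connection attempts by remote IP and note remote-control
    services and off-peak attempts, so the loudest offender stands out."""
    report = defaultdict(lambda: {"attempts": 0, "services": set(), "off_peak": 0})
    for hour, src, dport in inbound_syns(log_text, home_ip):
        entry = report[src]
        entry["attempts"] += 1
        if dport in REMOTE_ACCESS_PORTS:
            entry["services"].add(REMOTE_ACCESS_PORTS[dport])
        if hour in OFF_PEAK_HOURS:
            entry["off_peak"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, info in suspects(SAMPLE_LOG).items():
        print(ip, info)
```

Replies from the PC (SYN-ACK) and connections the PC opened itself are deliberately left out, so only addresses that initiated a connection inward appear in the report.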




