Security Basics mailing list archives

RE: help with forensics on a desktop computer


From: <adisegna () siscocorp com>
Date: Fri, 12 Nov 2004 15:50:31 -0500

For starters, and to be as simplistic as possible, install XP SP2 on the
machine. The firewall will block all access from outside. Also, what
type of proof do you have that the box has been compromised? What does
Norton Tools report? You can set up the operating system to catch the
intrusion (if it is in fact from outside) without buying anything.
What's the output from nbtstat -an? Check the services that are running
and the directories they start in. Check the Registry keys (Run,
RunOnce, RunOnceEx) to see if anything out of the ordinary shows up. This
is just basic stuff for you to test. However, there is no need to spend
any money for a single machine with all the free tools available.

Thanks

AD
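The checklist in AD's reply (listening endpoints, running services and where their binaries live, the Run / RunOnce / RunOnceEx autostart keys, and whether Remote Desktop is actually switched off) as an added triage script. This is not code from the thread: it is written for a current Windows host with PowerShell 5.1 or later, since the cmdlets it uses did not exist on XP in 2004 (there the equivalents would be netstat -ano, sc query and reg query). The "trusted" path prefixes and the short list of remote-access ports are assumptions chosen for the example; run it from an elevated prompt.

```powershell
# Added triage example, not from the original thread. Assumptions: binaries that
# live under the Windows or Program Files trees are "expected"; the port list
# covers only the remote-access products the thread mentions (RDP / Remote
# Assistance on 3389, pcAnywhere data channel on 5631).
$trustedPrefixes   = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
                     Where-Object { $_ -ne '\' }
$remoteAccessPorts = @{ 3389 = 'RDP / Remote Assistance'; 5631 = 'pcAnywhere (data)' }

function Test-TrustedPath {
    param([string]$CommandLine)
    # Reduce a service/autostart command line to its executable path:
    # strip surrounding quotes, then drop arguments after the first ".exe".
    $exe = ($CommandLine -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($prefix in $trustedPrefixes) {
        if ($exe.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host "== Autostart keys (Run / RunOnce / RunOnceEx), per machine and per user =="
$subKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $subKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty returns every value as a property; PS* are provider metadata.
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) {
            $flag = if (Test-TrustedPath "$($v.Value)") { '' } else { '   <-- outside Windows/Program Files' }
            "{0}`n    {1} = {2}{3}" -f $key, $v.Name, $v.Value, $flag
        }
    }
}

Write-Host "`n== Services whose binary is outside the usual locations =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and -not (Test-TrustedPath $_.PathName) } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host "`n== Listening TCP endpoints and the process that owns them =="
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $port = [int]$_.LocalPort
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        Port         = $port
        PID          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '?' }
        Note         = if ($remoteAccessPorts.ContainsKey($port)) { $remoteAccessPorts[$port] } else { '' }
    }
} | Sort-Object Port | Format-Table -AutoSize

Write-Host "`n== Remote Desktop state (fDenyTSConnections = 1 means connections are refused) =="
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections |
    Select-Object fDenyTSConnections
Get-Service -Name TermService | Select-Object Name, Status, StartType

Write-Host "`n== Host firewall profiles (the SP2-era advice: all of these should be enabled) =="
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Read the output the way AD suggests: an autostart entry or service pointing into a user profile, a temp directory or a removable drive, and a listener on 3389 or 5631 with Remote Desktop supposedly disabled, are the things that warrant a closer look. Nothing here proves a compromise on its own; it narrows down what to examine next.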


-----Original Message-----
From: Undisclosed [mailto:private () somewhere com] 
Sent: Thursday, November 11, 2004 12:33 PM
To: Security Basics[List]
Subject: help with forensics on a desktop computer

[reply address not given due to client's insistence on confidentiality]

Ok, here's the skinny:
An XP box (Home Edition) that the client feels has been compromised from remote.
The evidence for this they have gathered from Norton Tools (I am unfamiliar with any
logging feature though I do not use Norton Tools). I disabled remote desktop support
in services and they called me and said again there is evidence of access from remote.
Now, the location of the computer in their house is in a small secured room (access
doesn't happen from anyone except the client from there [that they know of!]). Yes, others
live in the house.

Question: is there any effective free or inexpensive (under $100) tool that monitors access
both local and from remote? Something that can be installed via an administrative account
and not detected by anyone else using the computer? Or tell me if I am dreaming, but can it be
run from a floppy or a CDROM rather than installed? If I am on the right track, maybe
something that puts a log on the A: drive.

Also, is there any software which anyone might have put on it to compromise it from remote?
I am aware of PCAnywhere and remote assistance (now disabled).

Treat me like I'm six years old. All comments and answers appreciated.



