Security Basics mailing list archives

RE: help with forensics on a desktop computer

From: Horn Michael <Michael.Horn () morganplc com>
Date: Tue, 16 Nov 2004 08:14:07 -0500

Couldn't you use nmap to see if any ports are open that shouldn't be?  By
doing this you should be able to tell what ports are open and if they our
being used to get into it.

        -----Original Message-----
        From:   Anthony J. Cogan [SMTP:anthony.cogan () thinkunix com]
        Sent:   Friday, November 12, 2004 4:02 PM
        To:     Undisclosed
        Cc:     Security Basics[List]
        Subject:        Re: help with forensics on a desktop computer

        Checkout SpecterCNE at http://www.eblaster.com/CNE.html

        Undisclosed wrote:

        >[reply address not given due to client's instance on
confidentiality]
        >
        >Ok heres the skinny:
        >an XP box (home edition) the client feels that it has been
compromised from
        >remote.
        >The evidence for this they have gathered from Norton Tools (I am
unfamilar
        >with any
        >logging feature though I do not use Norton Tools). I disabled
remote desktop
        >support
        >in services and they called me and said again there is evidence of
access
        >from remote.
        >Now, the location of the computer in their house is in a small
secured room
        >(access
        >doesnt happen  from anyone except the client from there [that they
know
        >of!]. Yes others
        >live in the house.
        >
        >Question is there any effective free or inexpensive (under $100)
that
        >monitors access
        >both local and from remote. Something that can be installed via
        >administrative account
        >and not detected by anyone else using the computer? Or tell me if I
am
        >dreaming but can be
        >run from a floppy or a CDROM rather than installed? If I am on the
right
        >track maybe
        >something that puts a log on the A: drive.
        >
        >Also, Is there any software which anyone might have put on it to
compromise
        >it from remote?
        >I am aware of PCAnywhere and remote assistance (now disabled).
        >
        >Treat me like I'm six years old. All comments and answers
appreciated.
        >
        >
        >
        >
        >---
        >Outgoing mail is certified Virus Free.
        >Checked by AVG anti-virus system (http://www.grisoft.com).
        >Version: 6.0.792 / Virus Database: 536 - Release Date: 11/9/04
        >  
        >


        
______________________________________________________________________
        This email has been scanned by the MessageLabs Email Security
System.
        For more information please visit http://www.messagelabs.com/email 
        
______________________________________________________________________

Current thread:

help with forensics on a desktop computer Undisclosed (Nov 12)
- Re: help with forensics on a desktop computer music2myear (Nov 15)
- RE: help with forensics on a desktop computer dave kleiman (Nov 15)
- Re: help with forensics on a desktop computer xyberpix (Nov 15)
- Re: help with forensics on a desktop computer Anthony J. Cogan (Nov 15)
- <Possible follow-ups>
- RE: help with forensics on a desktop computer Beauford, Jason (Nov 15)
- RE: help with forensics on a desktop computer adisegna (Nov 15)
- RE: help with forensics on a desktop computer Jeff Gercken (Nov 15)
- RE: help with forensics on a desktop computer Horn Michael (Nov 16)
  - Re: help with forensics on a desktop computer Josh Nerius (Nov 16)
- Re: help with forensics on a desktop computer H Carvey (Nov 16)