Security Basics mailing list archives

Re: help with forensics on a desktop computer


From: H Carvey <keydet89 () yahoo com>
Date: 16 Nov 2004 20:04:46 -0000

In-Reply-To: <1100433041.854.1.camel@anathema>

xyberpix,

> Install a keylogger on the machine, then you should be able to see if
> anyone else gains access.

Perhaps you can specify a specific keylogger, as most that I am familiar with monitor keyboard interrupts...since the 
keyboard for a remote attacker isn't attached to the system, maybe you can specify a particular keylogger to use (by 
name and where to get it) that will monitor what's typed in over a remote connection.

> The evidence for this they have gathered from Norton Tools

Have you looked at this evidence?  I'd start there.  I'd also try to find out from the user what sorts of symptoms they 
are seeing.  Too many admins simply accept that a system is infected w/ a virus b/c the user says so, without pursuing 
any troubleshooting or evidence collection of their own...and many times, this can be bad.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

