PaulDotCom mailing list archives

Re: Forensics


From: Andrew Case <andrew () digitalforensicssolutions com>
Date: Thu, 28 Apr 2011 14:09:24 -0500

That is a pretty open-ended question.

The easiest way would be to find some artifact of the malware (the
executable, files written, logs, etc), and get the creation time of
those files. Then you would use something like Autopsy to create a
timeline of disk activity and filter it around the creation time of
the malware pieces. From there you should be able to get some
indication of what was going on (for instance the browser cache and
history files being updated a few seconds before the malware
appeared).

This works fairly well for basic malware that simply gains execution
on the machine and then starts dropping / executing files.

On Thu, Apr 28, 2011 at 1:56 PM, Michael Lubinski
<michael.lubinski () gmail com> wrote:
When people ask me, "How did I get infected?"
What would you guys recommend as a good forensics tool to help unmask the
avenue of infection?
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Andrew Case
Senior Security Analyst @ Digital Forensics Solutions
http://www.digitalforensicssolutions.com
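The timeline pivot Andrew describes (take the creation time of a known malware artifact, build a filesystem timeline, filter it to the seconds around that time and read what changed just before) as an added worked example; this is not code from the thread, from Autopsy or from The Sleuth Kit. It parses the pipe-separated "body" format that The Sleuth Kit's fls -m and Autopsy feed to mactime, collapses each file's timestamps into mactime-style MACB rows, and prints the rows inside a window around the artifact's birth time. The paths, inodes and timestamps in the sample are constructed, and the window width is an assumed parameter.

```python
"""Pivot a filesystem timeline around a known malware artifact: find its creation
time, then list everything that changed in the seconds before and after it."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample timeline in The Sleuth Kit "body" format (what fls -m and
# Autopsy hand to mactime). Fields, pipe-separated:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (times are epoch seconds)
# The paths, inodes and timestamps are made up for this example.
SAMPLE_BODYFILE = """\
0|/Users/victim/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/X1Y2Z3W4/promo[1].htm|4101|r/rrwxrwxrwx|0|0|8192|1303997400|1303997400|1303997400|1303997400
0|/Users/victim/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat|4102|r/rrwxrwxrwx|0|0|32768|1303997403|1303997403|1303997403|1300000000
0|/Users/victim/AppData/Local/Temp/~tmp4f2.exe|4103|r/rrwxrwxrwx|0|0|122880|1303997406|1303997406|1303997406|1303997406
0|/Windows/System32/drivers/etc/hosts|3001|r/rrwxrwxrwx|0|0|824|1303997410|1303997410|1303997410|1290000000
0|/Users/victim/Documents/report.docx|5001|r/rrwxrwxrwx|0|0|20480|1303900000|1303900000|1303900000|1303900000
"""


@dataclass(frozen=True)
class Row:
    ts: int      # epoch seconds
    macb: str    # timestamps that fall on this second: m=modified a=accessed c=changed b=born
    size: int
    path: str


def parse_bodyfile(text: str) -> List[Row]:
    """Turn body-format lines into mactime-style rows, one per (timestamp, file)."""
    grouped: Dict[Tuple[int, str], set] = defaultdict(set)
    sizes: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        _md5, name, _inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        sizes[name] = int(size)
        for letter, stamp in zip("amcb", (atime, mtime, ctime, crtime)):
            ts = int(stamp)
            if ts > 0:  # mactime drops zero/unset timestamps
                grouped[(ts, name)].add(letter)
    rows = [Row(ts, "".join(l for l in "macb" if l in letters), sizes[name], name)
            for (ts, name), letters in grouped.items()]
    return sorted(rows, key=lambda r: (r.ts, r.path))


def birth_time(rows: List[Row], artifact_path: str) -> int:
    """Creation (crtime, the 'b' in MACB) time of the artifact already known to be malicious."""
    for r in rows:
        if r.path == artifact_path and "b" in r.macb:
            return r.ts
    raise LookupError(f"no creation timestamp for {artifact_path}")


def pivot(rows: List[Row], artifact_path: str, before_s: int = 30,
          after_s: int = 30) -> List[Tuple[int, Row]]:
    """Rows within [birth - before_s, birth + after_s], each tagged with its offset from birth."""
    birth = birth_time(rows, artifact_path)
    return [(r.ts - birth, r) for r in rows if birth - before_s <= r.ts <= birth + after_s]


def render(window: List[Tuple[int, Row]]) -> str:
    """Human-readable listing: UTC time, offset from the artifact, MACB flags, size, path."""
    lines = []
    for offset, r in window:
        when = datetime.fromtimestamp(r.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {offset:+5d}s {r.macb:<4} {r.size:>8} {r.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    timeline = parse_bodyfile(SAMPLE_BODYFILE)
    dropper = "/Users/victim/AppData/Local/Temp/~tmp4f2.exe"
    print(render(pivot(timeline, dropper, before_s=10, after_s=10)))
```

On the sample, the ten-second window shows the browser cache and history entries landing six and three seconds before the dropper's birth time, and a hosts-file modification four seconds after it, while the unrelated document edited a day earlier is filtered out; the same filter over a real body file from fls -m is the manual step Andrew describes doing in Autopsy.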