PaulDotCom mailing list archives

Re: Forensics


From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 28 Apr 2011 15:09:58 -0500

Michael Lubinski <michael.lubinski () gmail com> writes:

> When people ask me, "how did I get infected?"
>
> What would you guys recommend as a good forensics tool to help unmask the
> avenue of infection?

Indeed it's a simple and common question that takes a ton of resources
to answer.

As other posters have said, without a full forensic analysis and
corroborating network logs and vulnerability history of the endpoint,
and perhaps browser cache and history info from the browser, it's gonna
be hard to know with any degree of certainty.

For workstation infections, my money is usually on "oh, probably a
third party web plugin that no one told you should and must keep
updated to even have a prayer."

See also 
http://www.mozilla.com/en-US/plugincheck/
https://browsercheck.qualys.com/

Or... someone was too gullible to question whether fedex and ups
really would send me a package notification in a zip attachment.
*face palm*   Or there were links on facebook they couldn't resist. 

But... assuming you have time to do things on this front for them out
of curiosity or magnanimity, a super timeline can be really handy in
lining up browser histories, event logs, and AV logs:
http://log2timeline.net/ (the accompanying SANS gold paper is quite
good too).

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
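As an added illustration of what a super timeline does (this is example code, not from Todd's post and not part of log2timeline): timestamps from several sources are normalised to UTC and sorted, so the browser visit, the process-creation event and the AV detection can be read in order. The log formats, the host's timezone and every sample line below are constructed for the example.

```python
"""Toy super-timeline merge: three constructed log sources, one UTC-ordered list."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real artefacts). Browser history rows use
# the WebKit convention of microseconds since 1601-01-01 UTC (assumed here).
BROWSER_HISTORY = [
    (12948476280000000, "visit http://example.invalid/plugin-update.html"),
    (12948476370000000, "download http://example.invalid/install.exe"),
]
# Event log export in host local time; the host is assumed to be UTC-5.
# Lines are deliberately out of order to show that sorting matters.
EVENT_LOG = """\
2011-04-28 10:02:03 EventID 7036 Service Control Manager: updater service entered the running state
2011-04-28 09:59:40 EventID 4688 Security: new process created: install.exe
"""
# AV log with an explicit ISO 8601 offset.
AV_LOG = """\
2011-04-28T10:05:12-05:00 Detected Trojan.Generic in C:\\Users\\bob\\Downloads\\install.exe
"""

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HOST_TZ = timezone(timedelta(hours=-5))  # assumption for the sample host


def parse_browser(rows):
    """WebKit microsecond timestamps -> aware UTC datetimes."""
    return [{"ts": WEBKIT_EPOCH + timedelta(microseconds=us), "src": "browser", "msg": m}
            for us, m in rows]


def parse_eventlog(text):
    """Local-time 'YYYY-MM-DD HH:MM:SS ...' lines -> UTC; naive stamps get HOST_TZ."""
    out = []
    for line in text.splitlines():
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=HOST_TZ)
        out.append({"ts": ts.astimezone(timezone.utc), "src": "eventlog", "msg": line[20:]})
    return out


def parse_av(text):
    """ISO 8601 stamps with offset -> UTC."""
    out = []
    for line in text.splitlines():
        stamp, rest = line.split(" ", 1)
        out.append({"ts": datetime.fromisoformat(stamp).astimezone(timezone.utc), "src": "av", "msg": rest})
    return out


def build_timeline():
    """Merge every source and order by UTC timestamp (the 'super timeline')."""
    events = parse_browser(BROWSER_HISTORY) + parse_eventlog(EVENT_LOG) + parse_av(AV_LOG)
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["src"].ljust(8), e["msg"])
```

Read top to bottom, the merged output shows the plugin page visit, the download, the process start, the service state change and the AV hit in sequence, which is the ordering a single-source log never gives you.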
