Forensics Mode:
(Page 20 of 84)  < Prev  15 16 17 18 19 20 21 22 23 24 25  Next >
RE: Worm Origin 2005-10-26
Nevalainen, Eric (Eric Nevalainen AndersenCorp com)
Just for giggles, if you are doing any internet access logging, you may
want to check the activity of that machine on that day. It might be
interesting to correlate the URL history w. any proxy/firewall logs that
you are maintaining.

>Just my fast 2 cents:
>- Look for the URL history in seized machi

Re: Worm Origin 2005-10-26
Marco Monicelli (marco monicelli marcegaglia com)
Here are my 2 cents added to Matteo's 2:

- Most of AV do have a log file where any manual START or STOP is logged
but a skilled hacker knows that and can erase that, once he becomes
ADMINISTRATOR over that machine (SYSTEM privileges work as well); for
this, just have a look at the help o

RE: Worm Origin 2005-10-24
dave kleiman (dave isecureu com)

> Since Norton AV should have restricted the download itself
> (or at least the RUNNING OF virus) that implicitly admits the user
> tampered with AV.
> I don't know (maybe someone more expert than me here) if
> there is such a thing as a Norton AV eventlog entry for
> manual STOP and RESTART of AV, but

RE: Worm Origin 2005-10-24
frederic stonesifer us army mil

Joel,

If you know the virus and the filename...look for the filename in the index.dat
file of the Temporary Internet History Files. It should tell you the time and
date (encoded so just use an unencoder like
http://www.digital-detective.co.uk/freetools/decode.asp). The times and dates
are locat

Re: Worm Origin 2005-10-23
Matteo G.P. Flora (lk lastknight com)
2005/10/23, Joel A. Folkerts <jfolkert (at) hiwaay (dot) net [email concealed]>:
> QUESTION
> Is there a definitive method to determine if the user started the local
> infection or was merely another victim in the infection. My theory is that
> she downloaded the virus from a hack website and manually began the
> infection. An

Worm Origin 2005-10-23
Joel A. Folkerts (jfolkert hiwaay net)
List:

BACKGROUND
A user admitted to a confidential source she released a virus on her small
LAN. Before I was able to seize and image the user's machine, a local
sysadmin scanned the small LAN with NAV and found several machines were
infected with W32.Korgo.X
(http://securityresponse.symantec.com/

Proceedings of the International Conference on Computer Security 2005-10-21
Oscar Eduardo Ruiz Bermúdez (oscar ruiz internet-solutions com co)
Dear all,

I am forwarding the URL with the presentations from the event in reference.

http://www.arcert.gov.ar/tc/cronograma_conf.html

Regards,

Oscar Eduardo Ruiz Bermúdez
General Director
Internet Solutions
"The Information Security Experts"
www.internet-solutions.com.co
oscar.ruiz@internet-solutions

Having trouble breaking partitions out of a raw image 2005-10-19
Croad Christopher D Ctr AFRL/IFOS (Christopher Croad ctr rl af mil) (5 replies)
I'm a little bit new to doing forensics, and I've run into something I
haven't seen before.

1) I created an 80Gig image of the entire drive using adepto (aka grab).
For purposes of this e-mail, the image is called image.dd.

2) Next, I wanted to break out the raw image into its partitions, so I ran

Re: Having trouble breaking partitions out of a raw image 2005-10-24
subscribe (subscribe crazytrain com) (1 reply)
Re: Having trouble breaking partitions out of a raw image 2005-10-27
Jonathan Glass (GM) (jonathan glass gmail com)
RE: Having trouble breaking partitions out of a raw image 2005-10-23
Chris Eagle (cseagle redshift com)
RE: Having trouble breaking partitions out of a raw image 2005-10-23
Gary Funck (gary intrepid com)
Re: Having trouble breaking partitions out of a raw image 2005-10-23
Randy Schrickel (randysch comcast net)
RE: Having trouble breaking partitions out of a raw image 2005-10-23
Mike Parkhurst (Mike Parkhurst samsys com)
attach & detach drives under Linux 2005-10-18
Simson Garfinkel (simsong eecs harvard edu) (3 replies)
As some of you know, I am developing a new drive imaging program. It
runs pretty well under FreeBSD and I'm trying to get it to work under
Linux.

One of the problems I'm having under Linux is the difficulty of
attaching and detaching IDE drives. (I've discovered that imaging
failing drives

Re: attach & detach drives under Linux 2005-10-24
subscribe (subscribe crazytrain com)
Re: attach & detach drives under Linux 2005-10-23
Greg Freemyer (greg freemyer gmail com)
Re: attach & detach drives under Linux 2005-10-23
Tim (tim-forensics sentinelchicken org)
RE: Two Windows questions 2005-10-13
Greg Kelley (gkelley vestigeltd com)
Harlan,

You bring up an interesting point...

"a definitive resource...something that, say, a customer could use if
any of that customer's employees had to go to court and testify."

When I go to court and testify, I typically rely on 3 things:

1. Results of my test
2. Sworn affidavits
3. Generall

RE: Two Windows questions 2005-10-10
dave kleiman (dave isecureu com)
Harlan,

In my courtroom experience, computer definitive resources are "mildly"
useful because of their lack of jury/court comprehensible terminology.
Example: Brian Carrier's File System Forensics is probably one of the most
comprehensive guides "for us" to dig into the file system.
However, if you

New Tool Announcement: tcpxtract 2005-10-07
Nicholas Harbour (nicholasharbour yahoo com)
I'd like to formally announce my latest open-source
tool called tcpxtract.

http://tcpxtract.sf.net

tcpxtract is a tool for carving files out of network
traffic. You can think of it as the lovechild of
Foremost and Tcpdump. It also has some advantages
over driftnet and EtherPEG which I talk abo

Re: real one player /intel signal processing library/ windows xp 2005-10-08
ulrik mail igerup nu
Yep, I have it on my Swedish XP Pro installation. It only happened after I downloaded the upgrade to RealPlayer 10 via the "search for upgrade" in RealPlayer 8. So the file must have been corrupted somewhere on the way, which seems unlikely. RealPlayer 10 started complaining about NSP not found, cpu

Re: Two Windows questions 2005-10-05
Harlan Carvey (keydet89 yahoo com)
Thomas,

Thanks for your response.

However, I was specifically asking for a definitive
resource...something that, say, a customer could use
if any of that customer's employees had to go to court
and testify.

While I greatly appreciate your response, and the
validation you've provided to other sour

Network Investigations 3-day Workshop 2005-10-07
Eoghan Casey (eco digital-evidence net)
This seminar goes beyond computer forensics and discusses evidence
transfer on networks. You will learn how to preserve and analyze
evidence stored on and transmitted using networks. Team exercises and
instructor demonstrations will help you develop the skills to process
evidence on remote compu

RE: Two Windows questions 2005-10-05
Greg Kelley (gkelley vestigeltd com) (2 replies)
Regarding question 2...

While not a definitive resource, considering everything I have read
about file dates there are only 4 dates kept for files. I would assume
that LastWriteTime would equate to the last time the file was modified.
ChangeTime would equate to the last time the file's entry in th

RE: Two Windows questions 2005-10-05
Harlan Carvey (keydet89 yahoo com)
Re: Two Windows questions 2005-10-05
Thomas Jones (admin buddhalinux org)
HDA unreadable & NTFS partition with fatal errors ? 2005-09-19
Bénoni MARTIN (Benoni MARTIN libertis ga) (2 replies)
Hi list !

I'm currently auditing a hacked server (Win 2K3 SP1) and something odd happens on a partition with data (D:):

- Under Win 2K3 (after booting with it), the partition is visible and found as "free space", but no way to create a partition on it (fatal error occurs during the task).

Re: HDA unreadable & NTFS partition with fatal errors ? 2005-09-26
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
RE: HDA unreadable & NTFS partition with fatal errors ? 2005-09-22
Mike Parkhurst (Mike Parkhurst samsys com)
Copyright 2010, SecurityFocus