Forensics Mode:
(Page 19 of 84)
Re: Why using fport if netstat -b does much more ? 2005-12-05
ring0 dev null
Likely because it was only introduced in Windows XP and the texts to which you refer were written prior to XP.

ring0

Undetectable backdoor / Thread 2 2005-12-06
Costin Manda (manda ecrmeurope com)

Thanks to all for your replies. I will try the rootkit detection as soon as
possible (as soon as I find out what it is :) ). I got a lot of good links
and I will try them when I get home.

I will clarify some things because I got a lot of emails asking me the same
things.
1. Yes, I did try a fire

RE: Undetectable backdoor! help 2005-12-05
Anderson, Kelly (kjanders umich edu)
Did you try RootkitRevealer? www.sysinternals.com.

You may also be able to see/stop the winlogin.exe process by using
Process Explorer, another great sysinternals tool.

If you've reinstalled and been re-infected, then you need to look very
carefully at all your software (is it all legit?) and

RE: Why using fport if netstat -b does much more ? 2005-12-05
Hodd, Kevin (Kevin Hodd IMPSolutions com)

Netstat -b only works with versions of Windows XP and greater (i.e. not
Windows 2000/98/95 etc)
-----Original Message-----
From: contrera (at) eig.unige (dot) ech
Sent: December 1, 2005 2:27 PM
To: forensics (at) securityfocus (dot) com
Subject: Why using fport if netstat -b does much mo

Re: Undetectable backdoor! help 2005-12-05
Slawek (slawek-c peoplepc com)
You can probably do more in-depth analysis about what is going on under the hood using the RootKitRevealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
Have you done this?

Some of Mark Russinovich's blog entries talk about techniques you can use to reveal more information needed to ne

Undetectable backdoor! help 2005-12-02
manda ecrmeurope com (2 replies)
Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day.
However, I've found out that at random intervals, my comput

Re: Undetectable backdoor! help 2005-12-05
Daniel Horning (dan horning americandigitalservices com)
Re: Undetectable backdoor! help 2005-12-05
Technica Forensis (forensis technica gmail com)
Why using fport if netstat -b does much more ? 2005-12-01
contrera eig unige ech (5 replies)
Hi,

I've just noticed that netstat has an option (-b) that allows listing ports and the processes which are bound to them.
fport (Foundstone's free utility) only allows seeing processes and local ports.

Netstat -b allows seeing processes (and DLLs involved in the TCP/IP connection), local ports and remote

Re: Why using fport if netstat -b does much more ? 2005-12-06
Matthew Pepe (mtpepe mac com)
Re: Why using fport if netstat -b does much more ? 2005-12-05
Simson Garfinkel (simsong eecs harvard edu)
Re: Why using fport if netstat -b does much more ? 2005-12-05
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Why using fport if netstat -b does much more ? 2005-12-05
Gary Kessler (kumquat sover net)
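The thread above compares fport with netstat -b: both map a local port to the owning process, and netstat -b additionally shows the remote address and the DLLs or services behind the socket. As an added example (not written by any poster and not a tool mentioned on the page), the Python below parses a `netstat -bno` transcript into that table and answers the three questions a responder asks first: what is listening, what is talking out, and which sockets netstat could not attribute. SAMPLE is a constructed transcript in the layout netstat prints on XP/2003 with -b, -n and -o (an assumption to check against your own output); the process names, ports and PIDs in it are invented. One caveat that the neighbouring "Undetectable backdoor" thread makes relevant: fport and netstat both ask the running system, so a kernel-level rootkit can hide a socket from both; compare the list against a packet capture taken from another host or a span port.

```python
"""Parse `netstat -bno` output into a port -> owning-process table."""
import re
from dataclasses import dataclass, field

# Constructed sample in the assumed netstat -bno layout: one line per socket,
# then the component/DLL lines, then the executable in square brackets.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:1039      203.0.113.5:6667       ESTABLISHED     1732
 [srvhost.exe]
  UDP    0.0.0.0:123            *:*                                    1044
  w32time.dll
 [svchost.exe]
"""

# proto, local, remote, optional state (UDP has none), PID
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    components: list = field(default_factory=list)  # DLLs/services netstat lists under the socket
    image: str = ""                                  # owning executable, "" if netstat could not tell


def parse_netstat(text: str) -> list:
    """Return one Socket per connection line, with the lines under it attached."""
    sockets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(raw)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
        elif sockets and line.startswith("[") and line.endswith("]"):
            sockets[-1].image = line[1:-1]
        elif sockets and line:
            sockets[-1].components.append(line)  # DLL name, service name or netstat's note
    return sockets


def local_port(s: Socket) -> int:
    return int(s.local.rsplit(":", 1)[1])


def listeners(sockets: list) -> dict:
    """(proto, port) -> image for listening TCP sockets and all UDP sockets: the fport view."""
    return {(s.proto, local_port(s)): s.image or f"pid {s.pid}"
            for s in sockets if s.state == "LISTENING" or s.proto == "UDP"}


def established_outbound(sockets: list) -> list:
    """(remote, image, pid) for ESTABLISHED sockets: the part fport does not show."""
    return [(s.remote, s.image, s.pid) for s in sockets if s.state == "ESTABLISHED"]


def without_owner(sockets: list) -> list:
    """Sockets netstat could not attribute; these deserve a second look with another tool."""
    return [(s.proto, s.local) for s in sockets if not s.image]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for key, img in sorted(listeners(socks).items()):
        print("listen", key, img)
    for remote, img, pid in established_outbound(socks):
        print("out   ", remote, img, pid)
    print("unattributed", without_owner(socks))
```

Feed it `netstat -bno > out.txt` taken with an elevated prompt (-b needs it); the unattributed list is where a hidden or protected process usually shows up first.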
Need for Registry references for forensic analysis 2005-11-26
keydet89 yahoo com
I'm curious as to what sort of information analysts and in particular LEOs are looking for in a Windows Registry reference.

Sticking to just 2K+ (including XP and 2K3), I'd like to know:

1. What are LEOs and analysts looking for? What format is easiest to use? Spreadsheet? Database?

2. What

Re: Worm Origin 2005-11-16
lists kernoelpanic at
If you have a firewall, you could check the logs for connection requests from a LAN IP to a LAN IP.
Many worms try to send a copy of themselves to the whole subnet of the infected victim.
For example, if 192.168.13.23 255.255.255.0 is infected,
the worm tries to connect to all computers from 192.168.0-255.1

Mounting Sparc with Veritas enterprise admin service partitions / vxsvc 2005-11-10
l1st3r gmx net (1 replies)
Hi

We have a Solaris Sparc fibre channel disk from a hacked machine with a strange partitioning scheme. It was part of a 2-disk RAID 1 mirror and was running vxsvc / Veritas enterprise administrator service before the disk was removed. I've got details of the mount points and partitions below. Ther

Creation of a new mailing list for French-speaking computer forensic practitioners 2005-11-08
LERTI - David Billard (David Billard lerti fr)
Dear all,

The "forensics" list hosted by Security Focus is an invaluable place to get
answers for tricky problems related to computer forensics. However, the
English language is not always the mother tongue for some people and
although they can easily read English, they are hindered to ask question

Re: Access times and backups 2005-11-04
jnemeth victoria tc ca (John Nemeth)
On Mar 26, 9:02am, Greg Freemyer wrote:
}
} I've been testing access times today. This is not related to an
} active case, just curiosity.
}
} I found that "robocopy /mir" and tar both modify the last access time.
} Also, on my Linux fileserver I use xfsdump to make my nightly backups
} and it m

Access times and backups 2005-11-03
Greg Freemyer (greg freemyer gmail com) (1 replies)
I've been testing access times today. This is not related to an
active case, just curiosity.

I found that "robocopy /mir" and tar both modify the last access time.
Also, on my Linux fileserver I use xfsdump to make my nightly backups
and it modifies access times.

I have not tested virus scanning

Re: Access times and backups 2005-11-04
subscribe (subscribe crazytrain com)
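Greg's observation above (robocopy /mir, tar and xfsdump all move the last-access time) is the reason forensic copies are taken from a read-only or write-blocked volume. Where that is not possible, the workable fallback is to record each file's timestamps before touching it and write them back afterwards. The Python below, an added example not from the thread, does that for a read and for a copy, and its demo() measures the effect on a scratch file it creates itself (nothing in it comes from a real case). Caveat before trusting atime at all: Linux mounted with relatime only updates atime when it is older than mtime/ctime or more than a day old, noatime never does, and NTFS on Vista and later has last-access updates disabled by default, so check the mount options or NtfsDisableLastAccessUpdate on the source system first.

```python
"""Read or copy a file without leaving a new last-access time on the source."""
import os
import shutil
import tempfile


def read_preserving_atime(path: str) -> bytes:
    """Read the whole file, then restore atime and mtime at nanosecond precision."""
    st = os.stat(path)
    try:
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        # os.utime sets both stamps at once, so pass the mtime back unchanged too.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def copy_preserving_atime(src: str, dst: str) -> None:
    """Copy src to dst, leave src's timestamps untouched and give dst the same ones."""
    st = os.stat(src)
    try:
        shutil.copyfile(src, dst)
    finally:
        os.utime(src, ns=(st.st_atime_ns, st.st_mtime_ns))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    """Give a scratch file an atime from 2005, then compare a preserving read,
    a preserving copy and a plain read (what tar/robocopy effectively do)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        dst = os.path.join(d, "evidence.copy")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample content\n")
        old_atime = 1133395200 * 10**9          # 2005-12-01T00:00:00Z, in nanoseconds
        os.utime(src, ns=(old_atime, os.stat(src).st_mtime_ns))

        read_preserving_atime(src)
        after_read = os.stat(src).st_atime_ns
        copy_preserving_atime(src, dst)
        after_copy = os.stat(src).st_atime_ns
        with open(src, "rb") as fh:             # unguarded read, for comparison
            fh.read()
        after_plain = os.stat(src).st_atime_ns

        return {
            "atime_kept_by_read": after_read == old_atime,
            "atime_kept_by_copy": after_copy == old_atime,
            "copy_has_same_atime": os.stat(dst).st_atime_ns == old_atime,
            # True on strictatime/relatime mounts, False on noatime: tells you
            # what the volume you are working on actually does.
            "plain_read_moved_atime": after_plain != old_atime,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it once on the evidence volume's filesystem type before the real copy; the last flag tells you whether an unguarded read would have altered anything there.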
RE: EEEEEEEEEEE - sanitization? 2005-11-02
Arnold, Robert P (Rob Arnold nasa gov)
Simson,
I have a disk wiped with Ontrack Data Eraser that exhibits a similar
behaviour as to what you described. I prepared it over a year ago using
Ontrack for a training class. I am not sure if I know the version number
but it could be the program used to wipe the drive you are referencing.

It pl

EEEEEEEEEEE - sanitization? 2005-10-31
Simson Garfinkel (simsong eecs harvard edu) (2 replies)
I have found a most interesting drive on the secondary market.

Every block of the drive contains the following:

10 digit decimal number with the block number.
A timestamp
The capital letter "E" filled to the end of the block.

It looks to me like this drive was properly sanitized with some tool.

Re: EEEEEEEEEEE - sanitization? 2005-11-03
Jason Upchurch (church cntweb net) (1 replies)
Re: EEEEEEEEEEE - sanitization? 2005-11-03
Simson Garfinkel (simsong eecs harvard edu) (1 replies)
Re: EEEEEEEEEEE - sanitization? 2005-11-04
Christopher Blume (cblume cubision com) (1 replies)
Re: EEEEEEEEEEE - sanitization? 2005-11-07
John H. Sawyer (jsawyer ufl edu)
Re: EEEEEEEEEEE - sanitization? 2005-11-02
Bob Bishop (rb gid co uk)
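Simson's description (every block: a 10-digit block number, a timestamp, then "E" to the end of the block) is a verifiable pattern, and the check a practitioner wants before calling the drive clean is whether every block really matches it: a block whose number disagrees with its position, or that still holds non-E bytes after the header, is where the wipe failed or data survived. The Python below is an added example, not from the thread. The post does not give the separator or timestamp layout, so the header format assumed here (number, a space, "YYYY-MM-DD HH:MM:SS") and the 512-byte block size are guesses to adjust after looking at one real block in a hex editor; the 8-block image in demo() is constructed.

```python
"""Audit a disk image for the block-number / timestamp / E-fill wipe signature."""
import re

BLOCK_SIZE = 512  # assumed; use the sector size of the real drive
# Assumed header layout: 10-digit block number, space, timestamp.
HEADER_RE = re.compile(rb"^(\d{10}) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def wiped_block(index: int, timestamp: str, block_size: int = BLOCK_SIZE) -> bytes:
    """Build one block in the assumed sanitizer format (used here to make test data)."""
    head = f"{index:010d} {timestamp}".encode()
    return head + b"E" * (block_size - len(head))


def audit_wipe(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Walk the image block by block and report every block that breaks the pattern."""
    if len(image) % block_size:
        raise ValueError("image is not a whole number of blocks")
    anomalies, stamps = [], set()
    total = len(image) // block_size
    for i in range(total):
        blk = image[i * block_size:(i + 1) * block_size]
        m = HEADER_RE.match(blk)
        if not m:
            anomalies.append((i, "header missing or malformed"))
            continue
        if int(m.group(1)) != i:
            anomalies.append((i, f"header numbers this block {int(m.group(1))}"))
        stamps.add(m.group(2).decode())
        tail = blk[m.end():]
        bad = next((j for j, b in enumerate(tail) if b != 0x45), None)  # 0x45 is "E"
        if bad is not None:
            anomalies.append((i, f"non-E byte at offset {m.end() + bad}"))
    return {
        "blocks": total,
        "suspect_blocks": sorted({i for i, _ in anomalies}),
        "anomalies": anomalies,
        "timestamps": sorted(stamps),  # one wipe run normally means one stamp, or a short span
    }


def demo() -> dict:
    """Constructed 8-block image: block 5 still holds old data, block 6 is misnumbered."""
    ts = "2004-09-14 10:22:31"  # constructed
    blocks = [wiped_block(i, ts) for i in range(8)]
    remnant = b"MZ\x90\x00 leftover"
    blocks[5] = blocks[5][:64] + remnant + blocks[5][64 + len(remnant):]
    blocks[6] = wiped_block(9, ts)
    return audit_wipe(b"".join(blocks))


if __name__ == "__main__":
    result = demo()
    print(f"{result['blocks']} blocks, suspect: {result['suspect_blocks']}")
    for index, why in result["anomalies"]:
        print(f"  block {index}: {why}")
    print("timestamps seen:", result["timestamps"])
```

On a real image, read it with `open(path, "rb")` in block-sized chunks rather than loading the whole drive; the per-block logic is the same. The timestamp set is worth printing: a drive wiped in one pass shows one stamp or a contiguous range, and a jump in it marks a restarted or partial wipe.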
Re: Worm Origin 2005-10-26
Michele Vetturi (michele vetturi iritaly org)
You can try looking for:

- AV logs, comparing infection timestamps (are your clocks synchronized? Can
you trust such logs?) and finding out the first system compromised. Maybe
this isn't the suspect's workstation...

- Net logs, looking for traffic toward VX-zines...

- Evidences of the

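The two "Worm Origin" replies on this page describe the same hunt from two sides: the reply above at 2005-11-16 says to look in the firewall log for LAN-to-LAN connection requests, because a worm sweeps the victim's own subnet, and Michele's reply says to order the evidence by time to find the first system compromised, with the warning that the clocks must be trustworthy. The Python below is an added example (not from either poster) that does both over one firewall log: it flags every LAN host that hits many distinct LAN addresses on one port within a short window, then, for each such scanner, looks for an earlier accepted connection on that port from another scanner, which is the infection edge; scanners with no such edge are the origin candidates. The log format (ISO timestamp, ACTION, src:port -> dst:port/proto) and the whole sample log are constructed; map your firewall's fields onto parse_line() and the rest stands. Because every timestamp comes from the one firewall, the ordering is only as good as that device's clock, and if you merge logs from several devices you have to align their clocks first, as Michele says.

```python
"""Find a worm's subnet sweep in firewall logs and rank the candidate origins."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LAN = ipaddress.ip_network("192.168.13.0/24")  # the subnet used in the post


def parse_line(line: str) -> dict:
    """Assumed line layout: '<ISO ts> <ACTION> <src>:<sport> -> <dst>:<dport>/<proto>'."""
    ts, action, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, rest = dst.rsplit(":", 1)
    dport, proto = rest.split("/")
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": ipaddress.ip_address(src_ip), "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dport), "proto": proto}


def find_scanners(events, lan=LAN, min_targets=10, window=timedelta(minutes=2)) -> dict:
    """{(src, dport): (sweep_start, distinct_targets)} for LAN hosts that reached
    at least min_targets distinct LAN addresses on one port inside `window`."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["src"] in lan and ev["dst"] in lan and ev["src"] != ev["dst"]:
            by_key[(ev["src"], ev["dport"])].append(ev)
    scanners = {}
    for key, evs in by_key.items():
        seen, firsts = set(), []          # time each new destination was first seen
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["dst"] not in seen:
                seen.add(ev["dst"])
                firsts.append(ev["ts"])
        for k in range(len(firsts) - min_targets + 1):
            if firsts[k + min_targets - 1] - firsts[k] <= window:
                scanners[key] = (firsts[k], len(seen))
                break
    return scanners


def trace_origin(events, scanners) -> tuple:
    """Link each scanner to the earlier scanner whose ALLOWed connection on the same
    port preceded its sweep. Scanners without such a link are origin candidates."""
    infected_by = {}
    for (src, dport), (start, _n) in scanners.items():
        hits = [ev for ev in events
                if ev["dst"] == src and ev["dport"] == dport and ev["action"] == "ALLOW"
                and ev["ts"] < start and ev["src"] != src and (ev["src"], dport) in scanners]
        if hits:
            infected_by[str(src)] = str(min(hits, key=lambda e: e["ts"])["src"])
    ordered = sorted(scanners.items(), key=lambda kv: kv[1][0])
    origins = [str(src) for (src, _p), _v in ordered if str(src) not in infected_by]
    return origins, infected_by


def analyse(log_text: str) -> dict:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = find_scanners(events)
    origins, infected_by = trace_origin(events, scanners)
    table = [(str(src), start.isoformat(), n, dport)
             for (src, dport), (start, n) in sorted(scanners.items(), key=lambda kv: kv[1][0])]
    return {"scanners": table, "origins": origins, "infected_by": infected_by}


def build_sample_log() -> str:
    """Constructed log: .23 sweeps the /24 on 445, only .40 accepts, and .40
    starts its own sweep three minutes later. A WAN hit and normal web traffic
    are mixed in as noise."""
    lines = ["2005-11-15T07:59:00 ALLOW 203.0.113.9:44321 -> 192.168.13.23:135/tcp",
             "2005-11-15T08:01:00 ALLOW 192.168.13.50:3022 -> 192.168.13.7:80/tcp"]
    t0 = datetime(2005, 11, 15, 8, 2, 11)
    targets = [h for h in range(1, 31) if h != 23] + [40]
    for k, h in enumerate(targets):
        action = "ALLOW" if h == 40 else "DENY"
        lines.append(f"{(t0 + timedelta(seconds=k)).isoformat()} {action} "
                     f"192.168.13.23:{1045 + k} -> 192.168.13.{h}:445/tcp")
    t1 = datetime(2005, 11, 15, 8, 5, 40)
    for k, h in enumerate(range(1, 21)):
        lines.append(f"{(t1 + timedelta(seconds=k)).isoformat()} DENY "
                     f"192.168.13.40:{2001 + k} -> 192.168.13.{h}:445/tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for row in result["scanners"]:
        print("scanner", row)
    print("infected_by", result["infected_by"])
    print("origin candidates", result["origins"])
```

The thresholds (10 targets inside two minutes) are a starting point; a slow worm needs a wider window, and a noisy monitoring host will need an exclusion. Note what the origin list does and does not prove: the first scanner the firewall saw may simply be the first one whose traffic crossed that firewall, which is the point Michele makes about the earliest infection possibly not being the suspect's workstation.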
Copyright 2010, SecurityFocus