Re: Incident investigation methodologies

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/09/04

  • Next message: Harlan Carvey: "RE: Incident investigation methodologies"
    Date: Wed, 9 Jun 2004 11:15:26 -0700 (PDT)
    To: Barry Fitzgerald <bkfsec@sdf.lonestar.org>
    
    

    > Computer science is just that: science, not
    > mysticism.

    Agreed. Computers are built on 1s and 0s. To someone
    who knows only how to run 'netstat' and open the Event
    Viewer and Task Manager, tracking down a simple Trojan
    may seem to be an art. Making "logical mappings"
    between the output of netstat and what you see in the
    Task Manager an "art"...no, wait, I take that
    back...it's foolish.

    The fact remains that in most cases (never say never,
    right?), one can find out what's going on with a
    system simply by collecting and analyzing data. The
    problem is that most folks either don't know what
    information to look for or how to look for it, or are
    simply too lazy. It's easier to say "forensics is an
    art, not a science" than it is to actually *do* or
    *learn* something new...

    > However, I think that the "paranoia" argument is
    > largely dependent on the audience of the argument.
    > If I say to you (or, vice versa) that a black hat
    > COULD trojan a copy of netstat.exe, it doesn't have
    > the same connotation as if I said that to an end user.

    Agreed. If you'd said that to me, I'd want to know
    the path to the copy of netstat.exe that was
    "trojaned" as well as the contents of the PATH
    statement on the system. I'd then want to know if the
    system is Win2K or above, and if so, if there's any
    evidence that WFP was disabled.

    Some Winadmins, on the other hand, would simply run
    with the information that netstat.exe can be trojaned.


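The two checks the message describes, mapping netstat output onto the process list and finding out which copy of netstat.exe the PATH would actually hand you, can be scripted. The block below is an added example, not code from the post or from any tool it mentions; it runs the correlation over constructed `netstat -ano` and `tasklist /fo csv /nh` output embedded in the file, and emulates PATH resolution against a constructed directory listing rather than touching a real disk. The process name `svch0st.exe`, the addresses, the PIDs and the `C:\Tools` directory are all made up for the sample. It does not check WFP state.

```python
"""Correlate `netstat -ano` sockets with `tasklist` processes, and work out
which netstat.exe a shell would actually run from the PATH.  Every input
below is a constructed sample, not a capture from a real host."""
import csv
import io
from pathlib import PureWindowsPath

# Constructed `netstat -ano` output (Windows).  PID 9999 deliberately has no
# matching process so the orphan check has something to report.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1031      203.0.113.7:6667       ESTABLISHED     1540
  TCP    192.168.1.10:1040      198.51.100.2:80        ESTABLISHED     9999
  UDP    0.0.0.0:500            *:*                                    668
"""

# Constructed `tasklist /fo csv /nh` output; "svch0st.exe" is a made-up name.
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"svchost.exe","812","Console","0","4,120 K"
"lsass.exe","668","Console","0","1,960 K"
"svch0st.exe","1540","Console","0","3,004 K"
'''

# Constructed PATH value and directory listing for the netstat.exe check.
PATH_SAMPLE = r"C:\Tools;C:\WINDOWS\system32;C:\WINDOWS"
FILES_SAMPLE = {r"C:\Tools\netstat.exe", r"C:\WINDOWS\system32\netstat.exe"}


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts.  UDP rows carry no State column,
    so the PID is always taken from the last token rather than a fixed index."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue  # header, blank, or title line
        proto, local, foreign = tokens[:3]
        state = tokens[3] if len(tokens) == 5 else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(tokens[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def correlate(netstat_text, tasklist_text):
    """Attach the owning image name to every socket (None if no process has that PID)."""
    images = parse_tasklist(tasklist_text)
    return [dict(row, image=images.get(row["pid"])) for row in parse_netstat(netstat_text)]


def remote_established(records):
    """Established sockets whose peer is not loopback: the rows worth explaining first."""
    return [(r["image"], r["local"], r["foreign"]) for r in records
            if r["state"] == "ESTABLISHED"
            and not r["foreign"].startswith(("127.", "[::1]"))]


def orphan_pids(records):
    """PIDs that own a socket but have no entry in the process list."""
    return sorted({r["pid"] for r in records if r["image"] is None})


def resolve_on_path(exe, path_value, present_files):
    """Return the first PATH directory that holds `exe`, in PATH order, the way
    a shell would resolve it.  `present_files` stands in for a directory
    listing so the check runs offline."""
    present = {PureWindowsPath(p).as_posix().lower() for p in present_files}
    for directory in path_value.split(";"):
        if not directory:
            continue
        candidate = PureWindowsPath(directory) / exe
        if candidate.as_posix().lower() in present:
            return str(candidate)
    return None


def is_system32(path, system_root=r"C:\WINDOWS"):
    """True when `path` lives directly in %SystemRoot%\\system32 (case-insensitive)."""
    return PureWindowsPath(path).parent == PureWindowsPath(system_root) / "system32"


if __name__ == "__main__":
    records = correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in records:
        print(f"{r['proto']:<4} {r['local']:<22} {r['foreign']:<22} "
              f"{r['state']:<12} {r['pid']:>5} {r['image']}")
    print("remote established:", remote_established(records))
    print("sockets with no live process:", orphan_pids(records))
    hit = resolve_on_path("netstat.exe", PATH_SAMPLE, FILES_SAMPLE)
    print("netstat.exe resolves to:", hit,
          "(system32)" if hit and is_system32(hit) else "(NOT system32)")
```

Run against real output, the two `*_SAMPLE` strings would be replaced by the captured text of the two commands and `FILES_SAMPLE` by a listing of each PATH directory. In the constructed sample the PATH puts `C:\Tools` ahead of `system32`, so `resolve_on_path` returns the `C:\Tools` copy and `is_system32` reports it as outside the system directory, which is exactly the pair of facts (path to the copy, contents of PATH) the reply asks for before taking a "trojaned netstat" report at face value.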