Re: Incident investigation methodologies
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: Wed, 9 Jun 2004 11:15:26 -0700 (PDT) To: Barry Fitzgerald <firstname.lastname@example.org>
> Computer science is just that: science, not
Agreed. Computers are built on 1s and 0s. To someone
who knows only how to run 'netstat' and open the Event
Viewer and Task Manager, tracking down a simple Trojan
may seem to be an art. Making "logical mappings"
between the output of netstat and what you see in the
Task Manager an "art"...no, wait, I take that
The fact remains that in most cases (never say never,
right?), one can find out what's going on with a
system simply by collecting and analyzing data. The
problem is that most folks either don't know what
information to look for or how to look for it, or are
simply too lazy. It's easier to say "forensics is an
art, not a science" than it is to actually *do* or
*learn* something new...
> However, I think that the "paranoia" argument is
> largely dependant on
> the audience of the argument. If I say to you (or,
> vice versa) that a
> black hat COULD trojan a copy of netstat.exe, it
> doesn't have the same
> connotation than if I said that to an end user.
Agreed. If you'd said that to me, I'd want to know
the path to the copy of netstat.exe what was
"trojaned" as well as the contents of the PATH
statement on the system. I'd then want to know if the
system is Win2K or above, and if so, if there's any
evidence that WFP was disabled.
Some Winadmins, on the other hand, would simply run
with the information that netstat.exe can be trojaned.