Re: help with forensics on a desktop computer
From: H Carvey (keydet89_at_yahoo.com)
Date: 16 Nov 2004 20:04:46 -0000
To: email@example.com
In-Reply-To: <1100433041.854.1.camel@anathema>
>Install a keylogger on the machine, then you should be able to see if
>anyone else gains access.
Perhaps you can specify a specific keylogger, as most that I am familiar with monitor keyboard interrupts...since the keyboard for a remote attacker isn't attached to the system, maybe you can specify a particular keylogger to use (by name and where to get it) that will monitor what's typed in over a remote connection.
>> The evidence for this they have gathered from Norton Tools
Have you looked at this evidence? I'd start there. I'd also try to find out from the user what sorts of symptoms they are seeing. Too many admins simply accept that a system is infected w/ a virus b/c the user says so, without pursuing any troubleshooting or evidence collection of their own...and many times, this can be bad.
"Windows Forensics and Incident Recovery"