I tried this a couple of months ago, and got no responses. I agree that the INFO files and .evt files are a great place to start. The .evt files can be opened and even exported to a text format for correlation and analysis.

Depending upon the type of investigation you're conducting, you will also want to consider:

1. Volatile information, such as running processes, the states of services, network connections and shares, etc...stuff that can disappear or be reset when the system is rebooted.
2. Registry key values, as well as the LastWrite times from Registry keys.
3. MAC times from the files on the system.
4. File signature analysis a la EnCase.

All of the above can be easily implemented in Perl.

Other things you may look for, depending on what's on the system:

- contents of the Recent folder in their profile.
- contents of Registry keys that contain similar info as the Recent folder.
- contents of Registry keys where trojans 'hide'.
- IRC or AIM logs.
- logs from wsftp, or similar applications.
- email files...Eudora and Netscape keep the email in flat ASCII files.
- temp files

I'd like to help with your list. You can contact me at keydet89at_private, if you so desire.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
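Added example, not part of the post above and not the poster's Perl: a small Python triage script covering items 3 and 4 of the list (MAC times from files, and file signature analysis in the EnCase style). It walks a directory, records modified/accessed/changed timestamps for each regular file, and flags files whose extension has a known header signature that the file's leading bytes do not match (for instance an executable saved under an image name). The signature table is a deliberately small, constructed subset; the sample directory it builds is constructed test data, not evidence from any real system.

```python
"""Triage helper: MAC times plus extension/signature mismatch detection.

Added illustration (not from the original mailing-list post). The
SIGNATURES table is a small constructed subset; real forensic tools carry
thousands of entries.
"""
import os
import stat
import tempfile
from datetime import datetime, timezone

# Extension -> acceptable leading bytes. Constructed subset for illustration.
SIGNATURES = {
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
    ".zip": [b"PK\x03\x04"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}


def detect_type(header: bytes):
    """Return the first extension whose signature matches the header, or None.

    Note that .exe and .dll share the 'MZ' prefix, so the table order decides
    which one is reported; that is fine for a mismatch check but not for
    definitive typing."""
    for ext, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None


def signature_mismatch(path: str) -> bool:
    """True if the file's extension has a known signature and the file's
    header does not match any of the accepted signatures for that extension.
    Unknown extensions are not flagged: there is nothing to compare against."""
    ext = os.path.splitext(path)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is None:
        return False
    with open(path, "rb") as fh:
        header = fh.read(16)
    return not any(header.startswith(m) for m in expected)


def mac_times(path: str) -> dict:
    """MAC times as UTC ISO-8601 strings. st_ctime is the metadata change
    time on POSIX but the creation time on Windows; label accordingly."""
    st = os.stat(path)

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "changed": iso(st.st_ctime),
    }


def triage(root: str) -> list:
    """One record per regular file under root: relative path, MAC times and
    the signature-mismatch flag, sorted by modification time (a crude
    timeline). Symlinks and special files are skipped via lstat."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue
            rec = {
                "path": os.path.relpath(path, root),
                "mismatch": signature_mismatch(path),
            }
            rec.update(mac_times(path))
            records.append(rec)
    records.sort(key=lambda r: r["modified"])
    return records


def build_sample_tree() -> str:
    """Constructed sample directory: a correct zip, a correct PNG, a PE
    header saved under a .jpg name, and a text file with no table entry."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # executable, wrong extension
        "notes.txt": b"plain text, no signature in the table",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rec in triage(build_sample_tree()):
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f"{rec['modified']}  {flag:8}  {rec['path']}")
```

Running the script on the constructed tree lists four files in modification order and flags only holiday.jpg. On a live system, the same stat calls change access times on everything they touch, so collection order and the fact that the tool was run should be recorded alongside the output.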
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:11:39 PDT