In-Reply-To: <CLEIKGPJLDCCMEJGIPJCAEEDCAAA.mtpepe@code-monks.com>

> You have to know what and why you are doing those things ahead of time,
> as well as what the consequences are of each action.
> Having a defined action plan that you have used in the
> past is quite essential to success during the litigation
> process.

You're absolutely right. If your methodology states that you will collect the volatile information from the machine...process listing, network connections, command history in an open prompt window, etc...and/or you have a reason for collecting it that you can justify and have *documented*, then doing so can help your case greatly.

Other items, such as queries for some of those 'boobytraps', should also be included. I would suggest a program that queries certain Registry keys and locations in the file system for entries that are initiated when the machine boots or a user logs in. This program should send its output to STDOUT so that it's easily piped out through a socket and off of the 'victim' machine itself.

Perhaps some other minor checks would be necessary. For example, many systems have MSOffice installed. Few people notice that a small program is dumped into the startup directory for "All Users", which is part of Office. Someone designing a trojan could simply overwrite the .exe file that the shortcut points to...

But again, it's very important that the investigator knows exactly what such things do to a system.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Dec 01 2001 - 15:51:33 PST
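An added example of the kind of autostart query program the message above describes (this is not code from the original thread or its author): it walks the standard Run/RunOnce keys and both Startup folders, resolves .lnk shortcuts to their target, hashes the target so an overwritten binary stands out against a known-good baseline, and writes one tab-separated line per entry to STDOUT. It assumes a modern Windows host with PowerShell; the key paths and folder names are the standard ones, and the function name Get-FileHashSafe is mine.

```powershell
# Added example (not from the original message): enumerate common Windows
# autostart locations and emit one line per entry to STDOUT, so the output
# can be piped off the examined host (e.g. over a socket) without writing
# anything to its disk.
# Assumptions: standard Run/RunOnce keys and Startup folders; run in PowerShell.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),   # "All Users" Startup folder
    [Environment]::GetFolderPath('Startup')          # current user's Startup folder
)

function Get-FileHashSafe([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return 'MISSING'   # target does not exist (or path could not be resolved)
}

# Registry autostart values: key, value name, command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        "REG`t$key`t$name`t$($item.GetValue($name))"
    }
}

# Startup folder entries: resolve .lnk shortcuts to their target and hash
# the target, so an overwritten target binary (the Office shortcut case in
# the message) shows up as a hash that no longer matches the baseline.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        "DIR`t$($_.FullName)`t$target`t$(Get-FileHashSafe $target)"
    }
}
```

Nothing here writes to the examined disk; redirect or pipe the script's STDOUT through whatever channel the documented procedure prescribes, and compare the hashes against a baseline taken from a known-good install.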