Michael Lubinski <[email protected]> writes:

> When people ask me, "how did I get infected?"
>
> What would you guys recommend as a good forensics tool to help unmask the
> avenue of infection?
Indeed it's a simple and common question that takes a ton of resources to answer. As other posters have said, without a full forensic analysis and corroborating network logs and vulnerability history of the endpoint, and perhaps browser cache and history info from the browser, it's gonna be hard to know with any degree of certainty.

For workstation infections, my money is usually on "oh, probably a third party web plugin that no one told you should and must keep updated to even have a prayer." See also:

http://www.mozilla.com/en-US/plugincheck/
https://browsercheck.qualys.com/

Or... someone was too gullible to question whether FedEx and UPS really would send me a package notification in a zip attachment. *face palm* Or there were links on Facebook they couldn't resist.

But... assuming you have time to do things on this front for them out of curiosity or magnanimity, a super timeline can be really handy: http://log2timeline.net/ (the accompanying SANS gold paper is quite good too). Lining up browser histories, event logs, and AV logs would likely be helpful.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
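To illustrate what the "super timeline" approach above buys you, here is an added example (it is not log2timeline's code, nor part of the original thread). It merges three constructed artefacts, a Firefox-style history table, event log lines and an antivirus log, into one list ordered by UTC time, then pulls out the events in the minutes before the first AV detection, which is where the avenue of infection usually shows itself. The log formats, file names and timestamps are all made up for the example; the one real convention borrowed is Firefox storing visit times as microseconds since the Unix epoch.

```python
"""Toy super-timeline merge in the spirit of log2timeline (added example;
not the tool's own code).  Each source is normalised to
(utc datetime, source, description) and the union is sorted by time."""
from datetime import datetime, timedelta, timezone
import re

# --- constructed sample artefacts (not real logs) ---------------------------
# Firefox places.sqlite keeps visit_date as microseconds since the Unix epoch.
BROWSER_HISTORY = [
    (1296055800_000000, "http://example.invalid/news"),                      # 15:30:00Z
    (1296055860_000000, "http://example.invalid/pluginupdate/install.php"),  # 15:31:00Z
]
# Hypothetical '<iso-utc> <event id> <message>' export of the Windows event log.
EVENT_LOG = [
    "2011-01-26T15:31:30Z 4688 New process created: C:\\Users\\u\\Downloads\\update.exe",
    "2011-01-26T15:32:00Z 7045 Service installed: svchelper",
]
# Hypothetical AV log; note it carries no timezone, a common real-world trap.
AV_LOG = [
    "2011-01-26 15:32:15 DETECT Trojan.Generic C:\\Users\\u\\Downloads\\update.exe action=quarantine",
]


def parse_browser(rows):
    """Firefox-style (visit_date_usec, url) rows -> timeline tuples."""
    for usec, url in rows:
        ts = datetime.fromtimestamp(usec / 1_000_000, tz=timezone.utc)
        yield (ts, "browser", "visit " + url)


EVT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_eventlog(lines):
    """Event log lines already stamped in UTC ('Z' suffix)."""
    for line in lines:
        m = EVT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield (ts, "eventlog", f"event {m.group(2)}: {m.group(3)}")


AV_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")


def parse_av(lines, log_tz=timezone.utc):
    """AV lines have naive timestamps; the analyst supplies the zone the host logged in."""
    for line in lines:
        m = AV_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts = naive.replace(tzinfo=log_tz).astimezone(timezone.utc)
        yield (ts, "av", f"{m.group(2)} {m.group(3)}")


def build_timeline(browser=BROWSER_HISTORY, events=EVENT_LOG, av=AV_LOG, av_offset_hours=0):
    """Merge every source into one UTC-ordered list (the 'super timeline')."""
    av_tz = timezone(timedelta(hours=av_offset_hours))
    merged = (list(parse_browser(browser))
              + list(parse_eventlog(events))
              + list(parse_av(av, av_tz)))
    merged.sort(key=lambda e: e[0])
    return merged


def context_before_detection(timeline, minutes=5):
    """Events in the window leading up to the first AV DETECT entry.
    Reading these in order is what narrows down how the box got infected."""
    detections = [e for e in timeline if e[1] == "av" and e[2].startswith("DETECT")]
    if not detections:
        return []
    t_detect = detections[0][0]
    lo = t_detect - timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e[0] < t_detect]


if __name__ == "__main__":
    for ts, src, desc in build_timeline():
        print(ts.isoformat(), src.ljust(8), desc)
```

With the sample data the window before the detection reads: a page visit, a visit to a "plugin update" page, a new process from the Downloads folder, then a service install, which is exactly the story the post says you want lined up. The `av_offset_hours` parameter is there because getting every source into the same timezone is the first thing that goes wrong when building a timeline by hand: if the AV log had been written in local time five hours behind UTC, the same detection lands after the other events and the five-minute window comes back empty.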
