I definitely appreciate all the information. Currently our explanation is something along the lines of: email attachments, Flash, Java, stupid user, you stood no chance... sort of thing. I was just looking into some information to move beyond this point.

Because we can't stop it when we don't know how it happened... even if it is *face palm* stupid user syndrome. Thanks again.

On Thu, Apr 28, 2011 at 2:59 PM, Ken Pryor <[email protected]> wrote:
> I would echo what Andrew said. A timeline may not prove something beyond all doubt, but it can help strongly infer what happened. You can use Autopsy, as Andrew said, or there are ways of creating a timeline from the command line using the Sleuth Kit tools (which Autopsy uses as well). You can bring in more detail to a "super" timeline using the Sleuth Kit, Log2timeline and regtime.pl by Harlan Carvey. I've used this method before to help figure out the means and activity of malware.
>
> You can read how to create the super timeline at
> http://computer-forensics.sans.org/blog/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/
> although that particular article was brought over from the old version of the blog and didn't translate over very well.
>
> Ken
>
> On Thu, Apr 28, 2011 at 2:22 PM, Michael Lubinski <[email protected]> wrote:
>
>> I got quite a chuckle out of a few of them, thanks.
>>
>> On Thu, Apr 28, 2011 at 2:17 PM, Josh More <[email protected]> wrote:
>>
>>> I don't think you'll find one. Unless the infected system is set up with an appropriate level of auditing and there are network logs to compare against, the important data will be lost.
>>>
>>> Here are some questions. If they say "yes" to any of them, stop asking questions, assume that that's the vector and take corrective action. This will work well for you in something like 90% of these situations and fail catastrophically in the other 10%. Identifying which is which is left as an exercise to the reader. ;)
>>>
>>> * Is the user running as a local administrator?
>>> * Is the system missing the most recent service pack?
>>> * Is the system missing any security patches?
>>> * Is the system running an older version of Adobe Reader?
>>> * Is the system running an older version of Adobe Flash?
>>> * Is the system running an older version of Oracle (or Sun) Java?
>>> * Is the system running an older version of Mozilla Firefox, Google Chrome or Opera?
>>> * Is the system's firewall off?
>>> * Can you download the files from www.eicar.org?
>>> * Can you browse to porn sites?
>>> * Can you browse gambling sites?
>>> * If you plug in a USB drive with an autorun file on it, does it run?
>>> * Did the user anger the wrong people on the Internet?
>>> * Is the user unlucky?
>>>
>>> -Josh More
>>>
>>> On Thu, Apr 28, 2011 at 1:56 PM, Michael Lubinski <[email protected]> wrote:
>>>
>>>> When people ask me, "how did I get infected?"
>>>>
>>>> What would you guys recommend as a good forensics tool to help unmask the avenue of infection?

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
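Ken's suggestion of building a timeline from the command line rests on the Sleuth Kit "bodyfile" format that `fls -m` and `ils -m` emit and that `mactime` turns into a sorted MACB listing. The script below is an added example, not code from this thread, from the Sleuth Kit or from Log2timeline: it parses the TSK 3.x bodyfile layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds) and renders a mactime-style timeline, collapsing equal timestamps of one file into a single row with an `m.cb`-style flag column. The three bodyfile lines, paths and timestamps are constructed for illustration; the function names are this example's own.

```python
"""Build a mactime-style timeline from Sleuth Kit bodyfile lines.

Added example (not from the thread or the Sleuth Kit project). It reads the
TSK 3.x bodyfile format produced by `fls -m` / `ils -m`:

    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

(all times are epoch seconds, 0 meaning unknown) and groups each entry's
timestamps the way `mactime` does, so a file that was modified, changed and
created in the same second shows up once with the MACB flags "m.cb".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample bodyfile (not from a real case): a dropper in a temp
# directory, a copy of it under Roaming, and the prefetch file its execution left.
SAMPLE_BODYFILE = """\
0|/Users/alice/AppData/Local/Temp/invoice.pdf.exe|41523|r/rrwxrwxrwx|0|0|73216|1304016300|1304016240|1304016240|1304016240
0|/Users/alice/AppData/Roaming/updater.exe|41590|r/rrwxrwxrwx|0|0|73216|1304016300|1304016300|1304016300|1304016300
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|20077|r/rrwxrwxrwx|0|0|18304|1304016250|1304016250|1304016250|1304016245
"""


@dataclass(frozen=True)
class TimelineRow:
    when: int
    macb: str   # four chars in m/a/c/b order; '.' where that timestamp differs
    size: int
    mode: str
    uid: int
    gid: int
    inode: str
    name: str

    def render(self) -> str:
        ts = datetime.fromtimestamp(self.when, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        return f"{ts} {self.size:>8} {self.macb} {self.mode} {self.uid} {self.gid} {self.inode:<8} {self.name}"


def parse_bodyfile(text: str) -> list[dict]:
    """Split bodyfile lines into dicts; a wrong field count is an error, not a guess."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 '|'-separated fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        entries.append({
            "name": name, "inode": inode, "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "a": int(atime), "m": int(mtime), "c": int(ctime), "b": int(crtime),
        })
    return entries


def build_timeline(entries: list[dict]) -> list[TimelineRow]:
    """One row per (entry, distinct timestamp), sorted by time then path."""
    rows = []
    for e in entries:
        by_time: dict[int, set[str]] = defaultdict(set)
        for flag in "macb":
            if e[flag] > 0:          # skip unknown (zero) timestamps
                by_time[e[flag]].add(flag)
        for when, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append(TimelineRow(when, macb, e["size"], e["mode"],
                                    e["uid"], e["gid"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r.when, r.name))
    return rows


def render_timeline(text: str) -> str:
    return "\n".join(r.render() for r in build_timeline(parse_bodyfile(text)))


if __name__ == "__main__":
    print(render_timeline(SAMPLE_BODYFILE))
```

Reading the rendered rows top to bottom gives the sequence Ken is after: the dropper's creation, the prefetch entry recording its first execution, then the copy under Roaming and the later access of the original. Feeding real `fls -m` output into `parse_bodyfile` works the same way; Log2timeline and regtime.pl add event sources the file system alone does not carry.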
