Hi,

Helix will give you a start: http://www.e-fense.com/helix/

cheers
Ivan

On 5 Apr 2006 16:23:33 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hey list!!!
>
> My kids left their puter on while I was away on vacation and some
> loverly person managed to gain access to the puter. Unfortunately I was on
> vacation so had all of my systems off except the one the kids turned
> back on, so my sniffer was off as well.
>
> I don't know much from the forensics side of the house as I mainly
> perform audits and such, so was hoping I could get some insight as to where to
> start and tools to use to find everything that was done to the
> computer.
>
> My AV software picked up a trojan, but figure it was after the fact and
> is still resident on the system. It almost appears that they accessed
> hotmail and picked up files from a mailbox. (sure wish my sniffer would
> have been on :( ) The local Symantec firewall is being bypassed and most
> of the services won't start. Term Svcs among others has been set to
> manual but starts up automatically with Windows (I had it disabled before)
> and will not allow me to stop the service. I keep the system up to date
> with patches and AV signatures and use 25 char passwords with
> fingerprint scanners for the kids to use, so am not certain what they used to
> exploit, but given time anything can be broken. My fingerprint scanner
> doesn't show any failed logon attempts while we were gone but the
> security logs show numerous failed attempts by all of the accounts so assuming
> they are trying to remotely access the PC. I'm thinking they gained
> access to the account that was currently logged in as it shows that
> particular account's privileges were escalated in the log files
> several times then shortly after it shows the system account making
> changes to the system.
>
> Anyway, if someone could recommend where to start and what tools I
> should use, I guess this will begin my forensics career and OJT...
>
> Much appreciated :)

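The two observations in the original post that can be checked directly are a service (Terminal Services) that is configured Manual yet keeps running, and a burst of failed logons in the Security log. The script below is an added example written for this thread, not Ivan's or the poster's own code and not part of Helix; it is read-only live triage to run from an elevated PowerShell prompt on the affected machine after a disk image has been taken, since anything executed on the live box changes its state. The 30-day window is an assumption to be adjusted to the vacation dates; the event IDs are the standard Windows Security log IDs (529/4625 failed logon, 576/4672 special privileges assigned to a new logon) for pre-Vista and Vista-or-later systems respectively.

```powershell
# Added triage example for the symptoms described in the thread (not the
# thread's own code). Read-only: nothing here stops, starts or changes a
# service or log. Save the output off-box (e.g. to a USB drive) for the record.

# --- 1. Services whose configured start mode disagrees with their state ---
# A service set to Manual or Disabled that is nonetheless running is either
# started on demand by something else or is being re-enabled. The poster
# reported exactly this for Terminal Services (service name: TermService).
Write-Host "== Non-Auto services that are currently running =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -ne 'Auto' -and $_.State -eq 'Running' } |
    Select-Object Name, DisplayName, StartMode, State, StartName, PathName |
    Format-Table -AutoSize

# --- 2. Why TermService will not stop ---
# A service cannot be stopped while other services depend on it, and it is
# restarted whenever a dependent service starts. List both directions.
Write-Host "== TermService dependencies =="
$ts = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($ts) {
    Get-WmiObject Win32_Service -Filter "Name='TermService'" |
        Select-Object Name, StartMode, State, ProcessId, PathName | Format-List
    Write-Host "Services that depend on TermService (these keep it alive):"
    $ts.DependentServices | Select-Object Name, Status | Format-Table -AutoSize
    Write-Host "Services TermService depends on:"
    $ts.ServicesDependedOn | Select-Object Name, Status | Format-Table -AutoSize
} else {
    Write-Host "TermService not present on this system."
}

# --- 3. Failed logons and privileged logons in the Security log ---
# $since is an assumed window; set it to cover the days the machine was unattended.
$since = (Get-Date).AddDays(-30)

# Failed logons: 529 on XP/2003, 4625 on Vista and later.
$failed = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
    Where-Object { 529, 4625 -contains $_.EventID }
Write-Host ("== {0} failed logons since {1} ==" -f @($failed).Count, $since)

# Bucket by hour: a few scattered failures look like typos, a dense burst
# across many accounts looks like remote guessing, which is what the poster saw.
$failed |
    Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{n='Hour';e={$_.Name}}, Count |
    Format-Table -AutoSize

# Special privileges assigned to a new logon: 576 on XP/2003, 4672 on Vista+.
# These are the entries the poster read as the logged-in account being
# "escalated"; correlate their timestamps with the failed-logon bursts above.
$priv = Get-EventLog -LogName Security -EntryType SuccessAudit -After $since |
    Where-Object { 576, 4672 -contains $_.EventID }
Write-Host ("== {0} privileged-logon events since {1} ==" -f @($priv).Count, $since)
$priv |
    Select-Object TimeGenerated, EventID,
        @{n='Detail';e={ ($_.Message -split "`r?`n")[0] }} |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize
```

The point of bucketing rather than dumping every record is that the Security log on a home PC is noisy; the shape of the failures over time, set beside the timestamps of the privileged-logon events, gives the first timeline to hand to whatever deeper analysis follows from the Helix image.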