Thanks for sharing this information already, Naik. I just wanted to share where we can apply this process.
This will be really helpful in processes like auditing the user's system and/or during network security testing, compliance audits with respect to international standards, etc. How? During the above processes, it would be essential to know the user's network or internet activity in at least the past 2 hours, when the users might already have cleared their favorites (links) for access to various environments before any auditor comes to them, or cleared their cookies / history / etc. Finally, combining the above procedure with a few other information caches (arp, netstat, nbtstat, recently opened documents), we would know whether the user / network under audit has done something unexpected or something which he is not intended to do at corporate.

Regards
Sandeep Thakur

On Sat, Apr 3, 2010 at 5:55 PM, Srinivas Naik <[email protected]> wrote:
> Good Evening,
>
> Since the web site of SATYAM got diverted to a web page representing "This site is on SALE!!!!!", people now focus more on such DNS poisoning attacks.
>
> The below procedure is a part of investigating DNS cache poisoning attacks.
>
> So, according to the SANS methodology for collecting forensic information in vivo (one of the most prestigious), the order of volatility of digital evidence is as follows:
> 1) CPU, cache and register contents
> 2) routing table, ARP table, process table, kernel statistics
> 3) Memory
> 4) temporary files, swap space
> 5) Information on hard disks
> 6) Information recorded remotely
> 7) Data stored in storage devices
>
> The more volatile the evidence is, the sooner it must be retrieved to prevent spoilage.
>
> To retrieve this cache you can use the ipconfig command as follows:
>
> C:\>ipconfig /displaydns
>
> The output format is as follows:
>
> abctest.net
> ----------------------------------------
> Name registration . . . : abctest.net
> Record Type . . . . . . : 1
> Lifespan . . . . . . . . : 84627
> Length of data . . . . . : 4
> Section . . . . . . . . : Response
> A record (host) . . . . : 10.0.0.150
>
> At first glance we can see the usefulness of this information. It allows us to determine which DNS names have been resolved lately, since they have been introduced in the cache.
> That is, we can deduce quite accurately what sites have been connected to from the computer in the last hours or minutes (depending on the expiration time of each record).
>
> This information can be very interesting if the incident to investigate is not long past, but remember that this information is highly volatile and disappears quickly.
>
> To calculate the time at which the entry was created in the cache we have to do a simple calculation: get the expiry time of the registration and deduct the remaining lifetime.
> The difference will be the time that has passed since the registration was introduced in the cache.
>
> In this example:
>
> C:\> nslookup -type=A -debug abctest.net | findstr ttl
> Non-authoritative answer:
> ttl = 27338 (7 hours 35 mins 38 secs)
> ttl = 86400 (1 day) <- Expiry of the registration
>
> We get the following calculation:
> 86400 - 84627 = 1773 -> the entry was created in the cache about 30 minutes ago.
>
> You can automate this process for a summary of all entries that exist in the cache and to obtain an approximate timeline of the recent DNS activity on the computer (and from this deduce the network activity).
>
> Thanks & Regards,
> Srinivas Naik
>
> --
> You received this message because you are subscribed to the Google Groups "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
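Automating the calculation Naik describes, as an added example that is not part of the original thread: it parses an `ipconfig /displaydns` dump, subtracts each entry's remaining TTL from the original TTL obtained with `nslookup -type=A -debug`, and orders the entries into a timeline. The dump uses the English Windows field names; the names, TTLs, addresses and the `ORIGINAL_TTL` table are constructed for the example.

```python
import re

# Constructed `ipconfig /displaydns` output (English Windows field names,
# invented values), not a capture from a real host.
SAMPLE_DISPLAYDNS = """
    abctest.net
    ----------------------------------------
    Record Name . . . . . : abctest.net
    Time To Live  . . . . : 84627
    A (Host) Record . . . : 10.0.0.150

    example.org
    ----------------------------------------
    Record Name . . . . . : example.org
    Time To Live  . . . . : 3000
    A (Host) Record . . . : 192.0.2.10
"""
# Original TTL per name as reported by the authoritative answer
# (nslookup -type=A -debug <name>); constructed values for the sample.
ORIGINAL_TTL = {"abctest.net": 86400, "example.org": 3600}

def parse_displaydns(text):
    """Map each cached record name to its remaining TTL in seconds."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Record Name[ .]*:\s*(\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r"\s*Time To Live[ .]*:\s*(\d+)", line)
        if m and current:
            entries[current] = int(m.group(1))
    return entries

def entry_age_seconds(original_ttl, remaining_ttl):
    """Seconds since caching (original minus remaining TTL); None when
    remaining exceeds original, i.e. the zone TTL changed and the entry cannot be dated."""
    age = original_ttl - remaining_ttl
    return age if age >= 0 else None

def build_timeline(text, original_ttl, now):
    """[(inserted_epoch, name, age)] oldest first; `now` = epoch time of the dump."""
    rows = []
    for name, remaining in parse_displaydns(text).items():
        if name not in original_ttl:
            continue  # cannot date an entry without its original TTL
        age = entry_age_seconds(original_ttl[name], remaining)
        if age is not None:
            rows.append((now - age, name, age))
    return sorted(rows)
```

Windows caps cached TTLs (MaxCacheTtl, one day by default), so a record from a zone with a longer TTL will look older than it really is, and a record that the resolver refreshes restarts its clock. Take the dump and the nslookup queries as close together as possible, since the cache sits near the top of the volatility list above.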
