That is a pretty open-ended question.. The easiest way would be to find some artifact of the malware (the executable, files written, logs, etc), and get the creation time of those files. Then you would using something like Autopsy to create a timeline of disk activity and filter it around the creation time of the malware pieces. From there you should be able to get some indication of what was going on (for instance the browser cache and history files being updated a few seconds before the malware appeared).
This works fairly well for basic malware that simply gains execution on the machine and then starts dropping / executing files. On Thu, Apr 28, 2011 at 1:56 PM, Michael Lubinski <[email protected]> wrote: > When people ask me, "how did i get infected?" > What would you guys recommend as a good forensics tool to help unmask the > avenue of infection? > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- Andrew Case Senior Security Analyst @ Digital Forensics Solutions http://www.digitalforensicssolutions.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
