Jarle, I'd try running bulk_extractor against the memory dump and inspecting the PCAP that it dumps. I'd also try using yarascan for the IP address with both the default ASCII and the --wide option for Unicode.

I'd also use Volatility's strings (AOMF pages 514-516) to run through translated strings to dig deeper, if you haven't already, on any other IOCs like that suspect account you already know about.

Best,
JG

On Thu, Jun 9, 2016 at 6:39 AM, Jarle Thorsen <[email protected]> wrote:
> I'm analyzing a Vista SP2 system that was compromised via a Remote Desktop
> login (somehow the culprit had access to correct login credentials).
>
> Security.evtx only contains information about this single illegal login
> (and there are no indications that the event log was cleared).
>
> The strange thing is that carving through memory for network packets (using
> CapLoader) I find packets showing RDP traffic to additional IPs, not only
> the one found in Security.evtx.
>
> Any help in trying to put some context around these additional IPs found in
> memory, using Volatility or traditional disk forensics, is highly
> appreciated!
>
> (The machine had only been running for about a week before the intrusion,
> so anything found in memory should in theory be backed up by information in
> the event log.)
>
> Jarle Thorsen
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
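As an added example (not part of the thread, and not Volatility code), a small Python stand-in for the ASCII plus --wide yarascan search JG suggests: it hunts one IP address in both byte encodings of a memory buffer and reports each hit's offset with decoded surrounding text. The address 203.0.113.45 and the buffer contents are constructed; against a real image you would read the dump file into `dump` instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "memory dump" (not a real image): the address of interest
# appears once as ASCII and once as UTF-16LE, the form yarascan's --wide
# flag targets; 203.0.113.45 is a documentation-range placeholder.
SAMPLE_IP = "203.0.113.45"
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"mstsc.exe /v:" + SAMPLE_IP.encode("ascii") + b"\x00" * 8
    + "Remote Desktop Connection to ".encode("utf-16le")
    + SAMPLE_IP.encode("utf-16le") + b"\x00" * 8
    + b"192.0.2.7" + b"\x00" * 4          # unrelated address, must not match
)


def ip_patterns(ip: str) -> List[Tuple[str, bytes]]:
    """Build byte regexes for the ASCII and UTF-16LE ("wide") encodings of ip.

    Lookarounds reject hits that are really part of a longer dotted string,
    e.g. 1203.0.113.45 or 203.0.113.450 (digit, or digit+NUL for wide).
    """
    ascii_pat = rb"(?<![0-9])" + re.escape(ip.encode("ascii")) + rb"(?![0-9])"
    wide_pat = (rb"(?<![0-9]\x00)" + re.escape(ip.encode("utf-16le"))
                + rb"(?![0-9]\x00)")
    return [("ascii", ascii_pat), ("wide", wide_pat)]


def scan_dump(dump: bytes, ip: str, context: int = 16) -> List[Dict]:
    """Return every occurrence of ip in dump with offset, encoding and a
    readable rendering of the surrounding bytes (like yarascan's hexdump)."""
    hits = []
    for label, pat in ip_patterns(ip):
        for m in re.finditer(pat, dump):
            lo, hi = max(0, m.start() - context), min(len(dump), m.end() + context)
            raw = dump[lo:hi]
            codec = "utf-16le" if label == "wide" else "ascii"
            # Decode the window in the matching encoding so the analyst sees
            # the surrounding text (process name, RDP target string, ...).
            text = raw.decode(codec, errors="replace").replace("\x00", ".")
            hits.append({"offset": m.start(), "encoding": label, "context": text})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP, SAMPLE_IP):
        print(f"0x{hit['offset']:08x} {hit['encoding']:5s} {hit['context']!r}")
```

Hits that appear only in the wide encoding usually come from Windows GUI or API strings (such as an RDP client's target field), while ASCII hits often come from command lines, logs or network buffers, which is why both encodings are worth checking.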
