Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Light forensics
From: Dave Kleiman <dave () davekleiman com>
Date: Mon, 11 Jan 2010 14:40:06 -0600

Eduardo,

**This is not legal advice, and I am not an attorney, if you want competent legal advice suited to your needs, you 
should consult a qualified attorney in your area**

If you are unfamiliar with forensic techniques, you may do more harm than good attempting this on your own. You might, 
at the very least, perform this process under the guidance of an experienced person.  Especially if this may end up in 
court.

If you are unfamiliar with data recovery techniques, once again you may do more harm than good. I heard a lot of 
recommendations for software recovery products, however I did not hear anyone mention not to install them on the drive 
you are working on.

At the very least, you should make an image for preservation of the drive(s) in question, while it is properly 
connected to a write-blocking device.

If security event logging is enabled, it is not by default, there would be some entries under the Network Service user 
that would have registry keys in the description, however it does not show the IP address numbers.

A better approach would be if this is member of a domain, to parse the log files for that particular machine name log 
on/off events. Then you could simply see the source address and roughly, when it changed. For instance if shows the 
system logon from 20091010-20091121 source address as 192.168.1.1 then suddenly on 20091123 the source address is 
192.168.1.222, you have window of when it could have been changed.

The registry will only show the last time the IP address registry key was changed.


Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com - http://www.DigitalForensicExpert.com 

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Levenglick, Jeff
Sent: Thursday, January 07, 2010 08:44
To: Eduardo Sierra; pen-test () securityfocus com
Subject: RE: Light forensics

Eduardo,

I'm not sure there really is such a thing as 'light'. If you are just
looking to find out who deleted a file and get it back, then to me that
is not really true forensics. (people do this daily)

True forensics involves freezing hardware/disks for legal reasons...ect

If you just want to undelete a file, there are tons of tools out there.
(open source, hacker and commercial) Easiest thing is to search google
or yahoo.

One catch, if the file is on the pc and not on a network and someone has
already used the pc since the file was deleted, then your going to have
a very low percentage of getting the file back. 

Jeff


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Eduardo Sierra
Sent: January 05, 2010 9:09 AM
To: pen-test () securityfocus com
Subject: Light forensics

Hi,

We had a security incident, and i'm doing a "light" forensics.

Is there a log you can check to see IP Address Changes in a Windows XP
Box?
Any good free tool to undelete files?

Many thanks,

Eduardo Sierra

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]