Accessdata ftk imager case study

STEP #7: Examined the registry for typed URLs. This registry key will reveal which sites the user physically "typed" into the address bar. This will help determine if the malicious site was visited on purpose, via a hyperlink (perhaps in an email or from another site), or maybe a redirect of some sort. The registry key containing information on the typed URLs is HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs.

FINDINGS: AV Scan returned positive results, hitting on "badfile.sys" (again, file name is changed for confidentiality). Email searches may reveal embedded links, malicious attachments, and/or phishing expeditions. The file was purported to be "Trojan.Rootkit-3070".

STEP #12: Searched for "badfile.sys" from step #11. I noticed a file creation date/time of Febru(approximately 1 year before the recorded compromise).


Searched for suspicious emails around the time of the compromise using both EnCase and FTK. Ran a comprehensive internet search using EnCase. Exported the data files associated with the above visits (this turned out to be 4 index.dat files). Imported the index.dat files into Web Historian for analysis. Made note of suspicious URLs, cookies, and web downloads prior to visiting. Made note of the user account associated with the visits. Located cookies that appeared to be in the Google Analytic format. Analyzed the registry and system log files (particularly setupapi.log) to ascertain USB devices that had been connected. LNK files (and associated target file) accessed via USB devices. Reviewed the registry and log files for any network shares to which the system may have connected.

FINDINGS: Noticed a Yahoo search being conducted immediately prior to the visit to.

STEP #5: Ran a comprehensive internet search. Running a comprehensive search for Internet artifacts will extract domains/URLs that have been visited.

FINDINGS: Noticed visits to. Noted the dates and times of the visits. Seeing these visits begs the question, "Why" was the site visited in the first place (i.e.

FINDINGS: Noticed cookies for not only but. I did a "Whois" lookup on badsite 2.com and saw it was on the same network as.

STEP #6: Examined cookies for a more in-depth look at the user's surfing habits. I also noticed cookies being created just minutes prior to the badsite visits. These cookies presented additional URLs for which to examine.