Channel: Forensic Focus Forums - Recent Topics

General Discussion: Steps to investigate a potential IT Attack or Malware

gilly_uk wrote: Excuse my ignorance but what is WFAT 3e and the forensic scanner?

WFAT 3e - http://syngress.com/digital-forensics/Windows-Forensic-Analysis-Toolkit-Third-Edition/
Forensic Scanner - http://windowsir.blogspot.com/2012/10/motivations-behind-forensic-scanner.html
Where to get it: http://windowsir.blogspot.com/2012/11/forensic-scanner-has-moved.html

gilly_uk wrote: I do believe that I need to start asking the user very specifically what happened but even that can be meaningless.

Always a good start. I use a triage checklist of 10 questions (I don't ask those that don't apply) so I don't miss anything.

gilly_uk wrote: It just feels like one of those processes that by the end of it I would never be able to 100% say for certain their system is clean or dirty and that actually maybe buy a new hard drive and reinstall.

It depends. I have seen where the user would have a "feeling" and nothing definitive they could point to, and I'd find all kinds of stuff on their system. I've also had instances where an HR Rep swore that someone had hacked her system, when what we found out *really* happened is that she'd printed a sensitive document, and left it sitting on the printer while she went to lunch. ;)

The key is to _have_ a comprehensive process, one that you add to and continues to grow over time. I got tired of using spreadsheets and began to implement plugins for the Forensic Scanner. What you see in the download is just a few of the plugins I've written that help me detect artifacts of malware.
