Hello All,
I have a system where a user installed a password revealer tool (all of those available on nirsoft.net). The machine did not have an AV on it, as it was migrating from one AV to another. Once the new AV was installed, the scheduled scan did not happen, and on a later scheduled scan the tools were revealed.
Upon asking the user, he says he downloaded them but did not use them!!!
How can I make sure?
Please help.
Does the application (not the installer) appear in any "last used" shortcuts?
When the application runs, does it create/modify any registry entries? (can you replicate it?)
Sounds like a Windows system…can you share the particular version of Windows?
Some possibilities
1. Prefetch files.
2. For GUI-based tools, check the UserAssist subkeys within the NTUSER.DAT
3. Look in the MUICache entries in the user's NTUSER.DAT
4. For Win7, you might find Jump Lists for the tool.
HTH
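Added example, not from the thread: Python code showing what the UserAssist records in point 2 look like once decoded. The value names are ROT13-encoded paths; on Windows 7 the value data is a 72-byte record with the run count at offset 4 and the last-execution FILETIME at offset 60 (on XP it is a 16-byte record, count biased by 5, FILETIME at offset 8). The sample record, the path C:\Users\user\Downloads\pwtool.exe and the name pwtool.exe are constructed for the demo. The live-registry helper is only for replicating behaviour on a test box; on the evidence machine parse NTUSER.DAT offline (for instance with python-registry) and feed the raw value name and data to the same functions.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7 UserAssist subkeys under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executables",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcuts",
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample record."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_name(rot13_name):
    """UserAssist value names are the launched path, ROT13-encoded."""
    return codecs.decode(rot13_name, "rot_13")


def parse_value(data):
    """Parse one UserAssist value body (Windows 7: 72 bytes, XP: 16 bytes)."""
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (last_run,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_ms": focus_ms, "last_run": filetime_to_datetime(last_run)}
    if len(data) == 16:
        _session, run_count, last_run = struct.unpack("<IIQ", data)
        # XP stores the counter starting at 5, so the first run is recorded as 6
        return {"run_count": max(run_count - 5, 0), "last_run": filetime_to_datetime(last_run)}
    raise ValueError("unexpected UserAssist record length %d" % len(data))


def analyse(name, data):
    """Combine the decoded path with the parsed counters for one value."""
    return {"path": decode_name(name), **parse_value(data)}


def build_sample(xp=False):
    """Constructed sample (not from any real hive): hypothetical tool run 3 times."""
    path = r"C:\Users\user\Downloads\pwtool.exe"   # hypothetical path
    name = codecs.encode(path, "rot_13")
    ft = datetime_to_filetime(datetime(2011, 5, 10, 14, 32, 5, tzinfo=timezone.utc))
    if xp:
        return name, struct.pack("<IIQ", 0, 3 + 5, ft)
    body = struct.pack("<4I", 0, 3, 1, 42000) + bytes(44) + struct.pack("<Q", ft) + bytes(4)
    return name, body


def live_userassist():
    """Enumerate UserAssist on a live Windows box; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    results = []
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    for guid in USERASSIST_GUIDS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + "\\" + guid + r"\Count")
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break
            index += 1
            if isinstance(data, bytes) and len(data) in (16, 72):
                results.append(analyse(name, data))
    return results


if __name__ == "__main__":
    print(analyse(*build_sample()))
    for entry in live_userassist():
        if "pwtool" in entry["path"].lower():
            print(entry)
```

Two caveats when reading the result: UserAssist only records programs launched through Explorer (double-click, Start menu, Run dialog), so a tool started from a command prompt leaves no entry here and you still need the prefetch, MUICache and Jump List checks from the list above; and the run count tells you how many times, the FILETIME only the most recent time, so a single old entry is not evidence of a single run.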
How to make sure.
Search for the name of the binary all over the disk (existing files as well as unallocated clusters). If you're lucky, you may find it – for example in an unrelated prefetch file, just because it happened to get started at just the right moment. Or, you'll find it in an event log for some reason.
One quick and dirty way is to get a copy of Sandboxie, set up an appropriate sandbox, install the program in it, and then examine the sandbox change files (repeat for running an installed program, and uninstalling it as well). For application-specific files, this works fairly well. There is (or at least was) a utility to show the differences between the sandbox registry and the real registry somewhere. After that you know what to look for.
Of course, registry creates/deletes are probably better caught with Procmon, but it may be a bit more of a bother to set up all that. (less quick and dirty …)
You could have a clean install of the OS in a VM and use the Sysinternals suite to monitor the activity of both installing and running the program. The program may create some unique files when it is first run, or change some settings in the registry. Once you have identified the files that show the program has run, you can look for the corresponding files on the host you are investigating.
However this method may take some time to setup and execute fully.
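Added example, not from the thread and not a Sandboxie or Sysinternals feature: a small Python baseline-and-diff that scripts the "what does the program leave behind" step of the two posts above. Snapshot the profile directory (a hash of every file) and a `reg export` dump before and after the first run on the clean VM, diff the two, and you have the list of files and registry values to search for on the suspect host. The .reg text, the PwTool key, the pwtool.exe and pwtool.cfg names are constructed sample data, not anything a real NirSoft tool is known to write.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Return {relative/path: sha256} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[rel] = digest.hexdigest()
    return snap


def parse_reg_export(text):
    """Parse the text of a 'reg export' (.reg) dump into {(key, value_name): data}.

    Understands [key] headers, the default value '@', ';' comments and the
    backslash continuation lines reg.exe emits for long hex values.
    """
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        entries[(key, name)] = data
    return entries


def diff_snapshots(before, after):
    """Added / removed / modified entries between two snapshot dicts."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


# Constructed .reg dumps standing in for 'reg export HKCU' before and after the first run.
REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="a"
"a"="notepad\\1"
"""

REG_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="ba"
"a"="notepad\\1"
"b"="pwtool.exe\\1"

[HKEY_CURRENT_USER\Software\PwTool]
"LastRun"=hex:55,4a,c9,4d,00,00,00,00,\
  00,00,00,00,00,00,00,00
"""


def demo_registry():
    return diff_snapshots(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER))


def demo_files():
    """Constructed stand-in for a clean VM profile before and after a first run of the tool."""
    with tempfile.TemporaryDirectory() as root:
        tool_dir = os.path.join(root, "Downloads")
        os.makedirs(tool_dir)
        with open(os.path.join(tool_dir, "pwtool.exe"), "wb") as fh:
            fh.write(b"MZ" + bytes(510))
        before = snapshot_tree(root)
        # simulated first run: the tool drops a config file next to itself
        with open(os.path.join(tool_dir, "pwtool.cfg"), "w") as fh:
            fh.write("[General]\nShowGridLines=1\n")
        after = snapshot_tree(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo_registry())
    print(demo_files())
```

Take the "after" snapshot twice, once while the tool is still open and once after it has been closed, because some programs only write their settings on exit. A snapshot diff cannot see a value that is written and deleted during the run; that is what the Procmon trace from the earlier post still catches.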
Try a HistEX (NetAnalysis from digital-detective.co.uk) carve for deleted local file access records, this may identify a user profile accessing the .exe file and give you a date and time of that access.
You may also find that if the user was browsing with IE, they visited a web site from where they downloaded the .exe. If this fails to assist, try a carve for deleted lnk files or indeed run a keyword search for the name of the .exe and postulate from there with regard to any significant hits.
The User Assist registry entry (http//
Failing that, you could perform a hash map analysis of the .exe and run a hash map analysis across your evidence file in order to identify sectors or clusters with identical hash values. This may be enough to show that although the .exe is no longer on the disk in a complete form, it is likely to have been at some stage as identical hash values of this kind are very very unlikely to be identified if the .exe had not been present at some point.
Good luck!
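Added example, not from the thread and not NetAnalysis or any vendor's code: the hash map idea from the post above, in Python. Hash every 512-byte sector of a known-good copy of the .exe, hash every sector of the evidence image, and report the matches; next to it, the keyword search for the file name, done in UTF-16LE as well as ASCII because that is how NTFS file records, LNK files and prefetch headers store names. The "exe", the "image" and the name pwtool.exe are all constructed in build_demo(); the image holds only four of the eight sectors, standing in for a file that was deleted and partly overwritten.

```python
import hashlib
import random

SECTOR = 512


def sector_hashes(data, sector=SECTOR):
    """Map sha256(sector) -> [sector indexes] for every full sector of the target binary.

    All-zero sectors are dropped: padding like that occurs in countless files,
    so a hit on one proves nothing about this particular binary.
    """
    table = {}
    for i in range(len(data) // sector):
        chunk = data[i * sector:(i + 1) * sector]
        if chunk == bytes(sector):
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), []).append(i)
    return table


def scan_image(image, target, sector=SECTOR):
    """Hash the evidence image sector by sector; return [(image_sector, [target_sectors])]."""
    hits = []
    for i in range(len(image) // sector):
        digest = hashlib.sha256(image[i * sector:(i + 1) * sector]).hexdigest()
        if digest in target:
            hits.append((i, target[digest]))
    return hits


def coverage(hits, target):
    """Fraction of the target's non-zero sectors found somewhere in the image."""
    seen = {s for _, sectors in hits for s in sectors}
    total = sum(len(v) for v in target.values())
    return len(seen) / total if total else 0.0


def keyword_offsets(image, name):
    """Case-insensitive search for the file name as ASCII and as UTF-16LE."""
    haystack = image.lower()          # bytes.lower() only touches ASCII letters, so it is
    found = {}                        # safe for the UTF-16LE form of an ASCII name too
    for label, needle in (("ascii", name.encode("ascii")), ("utf16le", name.encode("utf-16-le"))):
        needle, offs, start = needle.lower(), [], 0
        while (idx := haystack.find(needle, start)) != -1:
            offs.append(idx)
            start = idx + 1
        found[label] = offs
    return found


def build_demo():
    """Constructed data: a fake 8-sector 'exe' and a 64-sector 'image' holding part of it."""
    rng = random.Random(7)
    exe = b"MZ" + bytes(rng.getrandbits(8) for _ in range(8 * SECTOR - 2))
    image = bytearray(rng.getrandbits(8) for _ in range(64 * SECTOR))
    image[0:4 * SECTOR] = bytes(4 * SECTOR)                      # wiped region
    image[10 * SECTOR:14 * SECTOR] = exe[2 * SECTOR:6 * SECTOR]  # surviving fragment: exe sectors 2-5
    name = "pwtool.exe"                                          # hypothetical tool name
    u16 = name.encode("utf-16-le")
    image[20 * SECTOR + 48:20 * SECTOR + 48 + len(u16)] = u16    # e.g. an NTFS file-name attribute
    up = name.upper().encode("ascii")
    image[30 * SECTOR + 16:30 * SECTOR + 16 + len(up)] = up      # e.g. an ASCII log, different case
    return exe, bytes(image), name


if __name__ == "__main__":
    exe, image, name = build_demo()
    target = sector_hashes(exe)
    hits = scan_image(image, target)
    print(hits, coverage(hits, target))
    print(keyword_offsets(image, name))
```

Scanning in 512-byte steps works because deleted NTFS files stay cluster-aligned and clusters are sector-aligned; for a real image use the same sector size the volume was formatted with. Weigh the hits: a sector from the code section of the binary is strong evidence, while sectors the tool shares with other builds or with other PE files (common padding, shared library stubs) are weaker, which is why zero sectors are dropped outright here. A hash map also needs the exact version of the .exe that was on the machine; a different NirSoft build of the same tool will share few sectors.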