direct co...
Clear all direct connect

3 Posts
3 Users
0 Reactions
Posts: 17
Active Member
Topic starter

The suspect in my case self reported someone placed CP media on his computer while directly connected to the website  I generated an image file of the computer hard drive and processed it with AXIOM Process/Examine.  I noted Child Exploitive/Age difficult media, artifacts for, and the use of CCleaner.  What additional files should I be seeking that would confirm or refute the suspects story that someone else put the media on his computer?





Posted : 24/01/2022 9:27 pm
Posts: 21
Eminent Member

I would work on getting a solid timeline from your RP. 

Exactly what actions took place when the incident occurred. 

Did they get a pop up message that prompted them to call someone, did they click on a link, download anything as directed by who ever they were dealing with? 

I would focus the review for artifacts around that time frame. Does their story line up with what you see? 

Did you get a RAM capture by any chance? You can look at running processes and see what was going on. 

you could also look at SRUM and check for network usage from applications and see if by any chance you see anything related to  sometimes users have to run client applications to get people to remote in.


Also check windows events around that time. I think most these scammers may use web remote tools that may not use your standard 3389 port, but you can still look at what windows events tell you.


I would also research what other sites were being accessed around that time. I’m sure is the front but there may be some underlying tool/utility leveraged for the remote connection.


sorry I can’t give you a straight answer… just some ideas  


-Good Luck  

-The Nucc



Posted : 25/01/2022 10:57 pm
Posts: 1
New Member

Thanks for post

Posted : 02/02/2022 9:30 pm