Incident response help

7 Posts
4 Users
0 Reactions
657 Views
(@gryphon316)
Active Member
Joined: 19 years ago
Posts: 6
Topic starter  

After a year and a half of IT support, I'm finally getting into the good stuff, namely security (I will also be doing forensics internally).

So here's the deal: the company I work for is a financial discount broker, which means we have clients logging into platforms (the platforms aren't on our side, but are through a third party, so we have limited access) to trade. Now the company is growing quickly and as such is becoming a bigger target. We are becoming a big enough threat that security is now becoming a main issue (it always was, just now we will be focusing more on client-side stuff).

So after an incident involving a breached account (not brute force or anything, the person just knew the login and password, which probably means a keylogger on his/her machine, or an inside job), we want to start doing a scan of the victim's computer to grab all necessary data to see if we can get any clue as to whether or not his computer was broken into or had a virus or something running in the background (we can't do full autopsies as of yet, but I'm pushing for it for clients that will agree).

So we need something the client can run on their side, a script, that will grab vital data (processes, OS version, programs installed… I would like a memory dump but that's not possible, as they need to send the info back in an email).

Now in school I created one of these using multiple tools and a script, but I want to know if there is an all-in-one script or program that the client can run that will grab all this information. Any help would be great, thanks.

James

And yes, the client will have full knowledge of what the script will be doing, and we will get their permission first.


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think you're really going about this in the wrong way. I've dealt with several cases such as this, where all corporate systems were examined and none found to be compromised, and the only remaining question was whether or not the home user's system was compromised. In some cases where LE is involved, the home user's system has been found to be compromised.

So…if there truly is fraud going on, then LE would be the way to go with this.

You should consider checking out my book, "Windows Forensic Analysis", if you're looking for methodologies for collecting and analyzing data. There's a chapter on each…


   
ReplyQuote
(@gryphon316)
Active Member
Joined: 19 years ago
Posts: 6
Topic starter  

We know it's not internal; in all likelihood he has something installed on his computer. We're just looking to get an idea of what's running on his computer so we can inform him of a potential problem.

So what probably happened is the client has a keylogger or something else on his computer, and it copied what he was typing when he logged into the platform. So we just want to get an idea of what's happening on his computer.

We know why it happened, a simple pump-and-dump hack, but we just want to investigate a bit more and see if his computer is potentially compromised.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> We know it's not internal; in all likelihood he has something installed on his computer. We're just looking to get an idea of what's running on his computer so we can inform him of a potential problem.

I understand completely… like I said, I've done multiple investigations like this. However, if you run something or send him something to run, and something happens on his system, guess who gets blamed. Also, if there is fraudulent activity going on in the guy's account, and you can show the logs of that activity (i.e., login with no failed logins, from an IP address other than the 'normal' range the customer comes from, etc.), then it's pretty clear to everyone that there's a "potential problem".

> So what probably happened is the client has a keylogger or something else on his computer, and it copied what he was typing when he logged into the platform. So we just want to get an idea of what's happening on his computer.

> We know why it happened, a simple pump-and-dump hack, but we just want to investigate a bit more and see if his computer is potentially compromised.

Sure, we already discussed all of that. For Windows systems on the home user's end, I suggest taking a look at my book.

H


   
ReplyQuote
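The server-side evidence keydet89 describes (a successful login with no preceding failures, from an address outside the customer's usual range) is something the broker can check in its own authentication logs without touching the client's machine. The following is an added example, not code from the thread or from any product: it runs that check over a constructed log. The log line format, the "a customer's normal range is the /24 networks of earlier successful logins" baseline rule, and the ten-minute failure window are all assumptions for the example.

```python
"""Flag successful logins from outside a customer's usual networks.

Added example; the log format and the baseline rule are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one authentication attempt per line (not real data).
SAMPLE_LOG = """\
2007-06-01T09:02:11 acct=44871 ip=203.0.113.17 result=OK
2007-06-02T09:15:40 acct=44871 ip=203.0.113.22 result=OK
2007-06-03T08:58:03 acct=44871 ip=203.0.113.17 result=OK
2007-06-04T13:41:09 acct=91020 ip=198.51.100.9 result=FAIL
2007-06-04T13:41:31 acct=91020 ip=198.51.100.9 result=FAIL
2007-06-04T13:42:02 acct=91020 ip=198.51.100.9 result=OK
2007-06-05T03:27:55 acct=44871 ip=192.0.2.77 result=OK
"""

LINE_RE = re.compile(r"^(\S+) acct=(\S+) ip=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse the constructed format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, acct, ip, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "acct": acct,
            "ip": ipaddress.ip_address(ip),
            "ok": result == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events, window=timedelta(minutes=10)):
    """Return alerts for successful logins from a network the account has
    never used before.  A login with zero failed attempts in the preceding
    window means the attacker already knew the password (keylogger, reuse,
    insider) rather than guessing it; the verdict field records that."""
    known = defaultdict(set)        # acct -> /24 networks of earlier good logins
    failures = defaultdict(list)    # acct -> timestamps of failed attempts
    alerts = []
    for e in events:
        acct = e["acct"]
        if not e["ok"]:
            failures[acct].append(e["ts"])
            continue
        net = ipaddress.ip_network(f"{e['ip']}/24", strict=False)
        fails_before = sum(1 for t in failures[acct] if e["ts"] - t <= window)
        failures[acct].clear()
        if known[acct] and net not in known[acct]:
            alerts.append({
                "acct": acct,
                "ts": e["ts"].isoformat(),
                "ip": str(e["ip"]),
                "failed_before": fails_before,
                "verdict": "credentials known" if fails_before == 0
                           else "possible guessing",
            })
            # Do not add the new network to the baseline: a second login
            # from the attacker's range should alert again.
            continue
        known[acct].add(net)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(a)
```

On the constructed log the only alert is account 44871 at 03:27 from 192.0.2.77, with no failed attempts before it; account 91020's login is preceded by two failures but is that account's first successful login, so there is no baseline to compare against and it is left alone. A real deployment would build the baseline from a longer history and add the customer's usual login hours, which the sample log also happens to contradict for the flagged event.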
(@gryphon316)
Active Member
Joined: 19 years ago
Posts: 6
Topic starter  

We know there is a potential problem; that's why we want to get basic info on the guy's computer. And a script whose main job is to grab running processes is not going to mess anything up; if it does, then the guy has such an infected computer that it's best that it gets wiped anyway. And the client's not going to hand over his computer (it would be like your bank asking for your computer to investigate).

We know there was fraudulent activity, and we know it came from an outside IP address. We know it was a pump-and-dump scam (you should have seen the jump of the stock involved, so this was obviously a coordinated scam).

We are just trying to get some basic info about the client's computer: a simple list of what's running, when was the last time the computer was updated, what antivirus and when was the last time it was updated. So just really basic stuff, just so we can give this guy a couple of suggestions, as I really don't have the time to sit down on the phone with him and go through everything.

And thanks for the suggestion of your book, but I've read enough books about forensics and gone through enough schooling (3 years in computer forensics); I'm just looking for the name of a tool I used to have but lost through the years. (I know I don't know everything, but this is pretty basic stuff and I just need to know the name of a script.)


   
ReplyQuote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

Gryphon, if I'm understanding your problem correctly, maybe you could create your client a CD with a copy of Windows Forensic Toolchest with a config file set up to capture the data you are interested in. I haven't used it in a while but from the looks of it now you might need to know the version of Windows your client is running so that you can preload it with known good binaries. They could then zip up the output files and email them to you. I'd personally prefer to do this myself rather than rely on someone else to do it, but in this case that might not be feasible.

(This is ignoring all the issues of malware hiding from userland programs, blah blah blah :-) )


   
ReplyQuote
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Don't know of any script that will do everything you want and am not sure of your exact circumstances, but you could examine running processes and connections using pstools from the command line if you don't want to leave much of a trace. If that's not such an issue this came up on the first page of a Google search www.lookinmypc.com/

Both are free. Maybe they could be of some help?


   
ReplyQuote
Share:
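For a modern Windows client, the data the original poster lists (running processes, OS version, installed programs, patch level, antivirus and its last update) plus the connections jonathan mentions can be collected with built-in cmdlets, written to text, zipped for e-mail as tgoldsmith suggests, and hashed so the analyst can tell whether the archive was altered in transit. The script below is an added example, not code from the thread, from Windows Forensic Toolchest or from any other product. It assumes Windows 8.1 or later with PowerShell 5.1, an elevated prompt, and a workstation edition (the SecurityCenter2 namespace does not exist on Server); the output folder name and the "non-Microsoft path" service filter are arbitrary choices for the example.

```powershell
# Added example (not from the thread): read-only triage collection the client
# runs locally.  Assumes Windows 8.1+/PowerShell 5.1, elevated.  Output folder
# name is an arbitrary choice.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:TEMP "triage-$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir | Out-Null

function Save-Report {
    param([string]$Name, [scriptblock]$Collector)
    $path = Join-Path $outDir "$Name.txt"
    try {
        & $Collector | Out-String -Width 300 | Set-Content -Path $path -Encoding UTF8
    } catch {
        "ERROR collecting ${Name}: $($_.Exception.Message)" | Set-Content -Path $path
    }
}

# OS version and last boot time.
Save-Report 'os' {
    Get-CimInstance Win32_OperatingSystem |
        Select-Object Caption, Version, BuildNumber, OSArchitecture, InstallDate, LastBootUpTime
}

# Installed hotfixes, newest first: answers "when was it last updated".
Save-Report 'hotfixes' {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object HotFixID, Description, InstalledOn
}

# Installed programs from the 64- and 32-bit Uninstall keys.  Win32_Product is avoided
# on purpose: querying it triggers MSI reconfiguration, which is not read-only.
Save-Report 'programs' {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName
}

# Processes with image path and command line; a binary running out of AppData or
# Temp is the first thing to look at for a keylogger.
Save-Report 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
        Sort-Object ProcessId
}

# TCP connections joined to the owning process name; a keylogger has to send its
# capture somewhere.
Save-Report 'connections' {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
                      @{ n = 'ProcessName'; e = { $names[[int]$_.OwningProcess] } }
}

# Autostart locations: Run keys, enabled scheduled tasks, services outside \Windows\.
Save-Report 'autoruns' {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' | ForEach-Object {
        "== $_"
        Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue |
            Select-Object * -ExcludeProperty PS* | Format-List | Out-String
    }
    '== Scheduled tasks'
    Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskName, TaskPath,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
        Out-String
    '== Services with a binary outside \Windows\ (crude filter, example choice)'
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '\\Windows\\' } |
        Select-Object Name, State, StartMode, PathName | Out-String
}

# Registered antivirus products and, where Defender is present, its signature age.
Save-Report 'antivirus' {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, timestamp | Out-String
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
            AntivirusSignatureVersion, AntivirusSignatureLastUpdated | Out-String
    }
}

# Package for e-mail and print the hash the analyst compares on receipt.
$zip = "$outDir.zip"
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath $zip -Force
Write-Host "Archive: $zip"
Write-Host "SHA-256: $((Get-FileHash -Path $zip -Algorithm SHA256).Hash)"
```

The client reads the hash back over the phone or pastes it in the e-mail body so a tampered or truncated attachment is obvious. The caveat tgoldsmith raises still applies: every cmdlet here runs on the suspect machine's own PowerShell and kernel, so a rootkit that hides its process or connection from user mode hides it from this report too. That is why his suggestion of a CD with known-good binaries, and ultimately an offline image, remains the stronger option for a client who will agree to it.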