
Post-mortem investigation specifics

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Over on the SecurityFocus Incidents list, in the thread regarding cuebot infections, a respondent made the following statement:

"One other possibility is that the attacker went straight through the
firewall using an atypical packet……. unlikely, but should be placed
on an all-inclusive roster of post-mortem investigations."

Since this thread involves Windows systems, and this is an area of interest for me…and b/c I do forensics investigations…I'm very interested in specifics regarding this sort of thing.

Let's assume that an "atypical packet" was used to breach a host-based, software firewall (ie, XP SP2's firewall, or something else)…where would one look in a post-mortem investigation?

Of course my first thought would be the log files. What about other locations?

I've tried contacting the author of the post several times and haven't heard back.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 26/08/2005 6:24 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan,
can you post a link to the archive?
In my experiences Windows isn't going to tell you anything useful about an atypical packet other than what flags were used.
The only places to look would be in your IDS logs, Router Logs(either at ISP or your edge), Argus logs if you run it, or a firewall. Even then, most of those products don't capture the entire packet payload so you'd be hard pressed to identify an "atypical" packet.
Now, if you suspect that a specific product contained a flaw that could be exploited by said packet, you would have to start experimenting with packet crafting tools.

 
Posted : 26/08/2005 6:54 pm
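The point above that the host itself only records the flags can still be put to work. As an added example (not code from this thread or from either poster), the script below parses a Windows Firewall text log (pfirewall.log) by its own "#Fields:" header line, so the column order comes from the file rather than being hard-coded, and pulls out TCP flag combinations that a normal stack never sends, plus a per-source count of DROP entries. The log excerpt, field layout and addresses are constructed for the example, not taken from a real incident.

```python
"""Triage a Windows Firewall text log for atypical TCP flag combinations.

The sample below is constructed for this example.  Its layout mimics the
"#Fields:" header the Windows Firewall writes at the top of pfirewall.log;
the parser reads the column names from that header instead of assuming them.
Flag letters in the tcpflags column: S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
"""

from typing import Dict, List, Tuple

# Constructed sample log (assumed layout, based on the XP SP2 firewall format).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-08-26 18:24:01 DROP TCP 192.0.2.10 192.0.2.5 4444 135 48 S 1234567 0 65535 - - -
2005-08-26 18:24:02 OPEN TCP 192.0.2.5 192.0.2.20 1033 80 - - - - - - - -
2005-08-26 18:24:03 DROP TCP 192.0.2.10 192.0.2.5 4445 139 40 SF 1234568 0 1024 - - -
2005-08-26 18:24:04 DROP TCP 192.0.2.10 192.0.2.5 4446 445 40 - 0 0 1024 - - -
2005-08-26 18:24:05 DROP TCP 192.0.2.10 192.0.2.5 4447 445 40 FPU 0 0 1024 - - -
2005-08-26 18:24:06 DROP UDP 192.0.2.11 192.0.2.5 137 137 78 - - - - - - -
"""


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields: header.

    Lines whose column count does not match the header are kept under the
    key "_raw" so a truncated or tampered line is visible rather than lost.
    """
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        if not fields:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            entries.append({"_raw": line})
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def tcp_flag_anomalies(entry: Dict[str, str]) -> List[str]:
    """Label flag combinations in one TCP entry that no normal TCP stack emits.

    A tcpflags value of "-" means the firewall recorded no flag information
    for that line, so such lines are not judged at all.
    """
    if entry.get("protocol") != "TCP":
        return []
    raw = entry.get("tcpflags", "-")
    if raw == "-":
        return []
    flags = set(raw.upper())
    labels: List[str] = []
    if {"S", "F"} <= flags:
        labels.append("SYN+FIN")
    if {"S", "R"} <= flags:
        labels.append("SYN+RST")
    if {"F", "P", "U"} <= flags:
        labels.append("FIN+PSH+URG")
    if "F" in flags and "A" not in flags and not labels:
        labels.append("FIN without ACK")
    return labels


def triage(text: str) -> Tuple[List[Tuple[str, str, str, str, List[str]]], Dict[str, int]]:
    """Return (suspicious TCP entries with labels, count of DROP lines per source IP)."""
    suspicious = []
    drops_by_src: Dict[str, int] = {}
    for e in parse_firewall_log(text):
        if "_raw" in e:
            continue
        if e["action"] == "DROP":
            drops_by_src[e["src-ip"]] = drops_by_src.get(e["src-ip"], 0) + 1
        labels = tcp_flag_anomalies(e)
        if labels:
            suspicious.append((e["date"] + " " + e["time"], e["src-ip"],
                               e["dst-port"], e["tcpflags"], labels))
    return suspicious, drops_by_src


if __name__ == "__main__":
    hits, drops = triage(SAMPLE_LOG)
    for when, src, dport, flags, labels in hits:
        print(f"{when}  {src} -> port {dport}  flags={flags}  {', '.join(labels)}")
    for src, n in sorted(drops.items(), key=lambda kv: -kv[1]):
        print(f"DROP count {n:4d}  from {src}")
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file's contents; because the columns are taken from the header, the same code copes with a log whose layout differs from the constructed sample as long as it carries tcpflags, protocol, action and src-ip columns.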
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

can you post a link to the archive?

Sorry, I was just at the site and kept getting the "database server is down" error message.

However, it's the Incidents list at SecurityFocus.com…easy enough to get to and review once the server is back up.

The actual message I was referring to is over on the Neohapsis archive of the Incidents list, however
http://archives.neohapsis.com/archives/incidents/2005-08/0047.html

In my experiences Windows isn't going to tell you anything useful about an atypical packet other than what flags were used.

Same here. Which is why I'm trying to find out if (a) the author has some information that may be useful to the community, or (b) this is another "I'm drunk/hungover/haven't slept in three days" post.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 26/08/2005 8:56 pm