Hi Everyone!
I know similar questions have been asked, but I'd like to get a little more detailed here and maybe forge a reference for other users.
Specifically, when a [generic] compromise is suspected on a Windows system, what specific artifacts would you collect to aid in the verification as to whether or not the system was compromised? I'm not referring to data collected via live IR tools such as collecting the running processes, active TCP/UDP connections or imaging the memory, but files resident on the disk which can be analyzed "at-leisure".
For example:
- Registry Hives (software, system, user, etc.)
- AV logs (located on client or server)
- Prefetch files
- Event Logs
And how about Internet history files (if a compromise occurred as a result of visiting a malicious website) or e-mail data stores (if a piece of malware was sent via e-mail). Or what about other application-specific logs, such as for IIS, Apache, SQL, etc.
Who'd like to contribute next?
Jeff
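As an added illustration of collecting the artifacts listed above (this is example code written for this thread, not something posted by Jeff or the other participants), the following Python script pulls the standard on-disk artifact locations out of an offline volume (a mounted image or copied drive), preserves relative paths and modification times, and writes a SHA-256 manifest so each copy can be tied back to its source. The artifact paths are the standard Windows locations; the volume layout it runs against is constructed inline so the script works offline. It assumes the volume is offline: the hives on a running system are locked and cannot simply be copied.

```python
"""Collect the on-disk Windows artifacts named in the post from an offline
volume, preserving relative paths and recording a SHA-256 manifest.
Added example, not code from the thread. Assumes an offline volume (mounted
image or copied drive); live hives are locked and would not copy this way.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Standard Windows locations, relative to the volume root. Glob patterns cover
# per-user hives and the many individual Prefetch and event log files.
# Matching is case-sensitive when the image is mounted on a non-Windows host.
ARTIFACT_GLOBS = [
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
    "Windows/System32/config/SAM",
    "Windows/System32/config/SECURITY",
    "Users/*/NTUSER.DAT",
    "Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat",
    "Windows/Prefetch/*.pf",
    "Windows/System32/winevt/Logs/*.evtx",
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large event logs need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_artifacts(volume_root, evidence_dir, patterns=ARTIFACT_GLOBS) -> dict:
    """Copy every matching artifact into evidence_dir; return {relpath: sha256}.

    shutil.copy2 keeps modification times, which matter for a timeline; the
    manifest hash lets a reviewer confirm each copy matches its source.
    """
    volume_root, evidence_dir = Path(volume_root), Path(evidence_dir)
    manifest = {}
    for pattern in patterns:
        for src in sorted(volume_root.glob(pattern)):
            if not src.is_file():
                continue
            rel = src.relative_to(volume_root)
            dst = evidence_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel.as_posix()] = sha256_of(dst)
    with (evidence_dir / "manifest.sha256").open("w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest


def verify_manifest(volume_root, manifest: dict) -> bool:
    """Re-hash the originals on the volume and confirm every copy matches."""
    root = Path(volume_root)
    return all(sha256_of(root / rel) == digest for rel, digest in manifest.items())


def build_constructed_volume(root) -> None:
    """Create a tiny fake volume layout so the collector can be run offline.
    File contents are constructed placeholders, not real hive or log data."""
    root = Path(root)
    for rel in [
        "Windows/System32/config/SYSTEM",
        "Windows/System32/config/SOFTWARE",
        "Users/jeff/NTUSER.DAT",
        "Windows/Prefetch/NOTEPAD.EXE-D8414F97.pf",   # constructed prefetch name
        "Windows/System32/winevt/Logs/Security.evtx",
        "Users/jeff/Documents/unrelated.txt",         # not an artifact; skipped
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(f"constructed placeholder for {rel}".encode())


def run_constructed_demo():
    """Build the constructed volume, collect from it, return (volume, manifest)."""
    vol = tempfile.mkdtemp(prefix="vol_")
    out = tempfile.mkdtemp(prefix="evidence_")
    build_constructed_volume(vol)
    return vol, collect_artifacts(vol, out)


if __name__ == "__main__":
    vol, manifest = run_constructed_demo()
    for rel, digest in sorted(manifest.items()):
        print(digest, rel)
    print("copies verified:", verify_manifest(vol, manifest))
```

Point the script at the root of the mounted image instead of the constructed volume to use it for real; extend `ARTIFACT_GLOBS` with the AV, browser history and application log locations as they are pinned down for the environment in question.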
I think you hit it right on the mark with your prelim steps.
I guess it depends what you know about the incident, but in most cases knowing the general time of infection is huge, as you can focus on files created/modified during that time frame (focusing on EXEs, DLLs, PDFs and Office docs). Also, knowing the time of infection helps you parse through the registry, as there are a lot of areas in the registry that provide auto-start functionality for the malware.
Running a virus scan on the data is helpful; programs like Trend Micro and VirusTotal are free and up-to-date.
Unfortunately a lot of good information is found in memory; I usually look for the hibernation file, which can be processed as live memory using the free program Volatility.
As with everything it varies case by case. Some computers have programs like IIS Desktop installed which actually keeps network packet data and is good to look for.
I think internet history as you mentioned is a must for analysis. If you see a filename in the url, then that is something to look closer into.
That's my two cents, but that's all it is. I am sure there are a lot more artifacts that I have not even considered.
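To make the time-window idea in the reply above concrete, here is an added example (written for this thread, not posted by jgrosfelt) that walks a volume and lists executables, DLLs, PDFs and Office documents whose last-modified time falls inside the suspected infection window. The directory tree it scans, the timestamps and the infection time are all constructed inline so it runs offline; the hypothetical user name `jeff` and file names are placeholders.

```python
"""List files of the types jgrosfelt names whose modification time falls
inside a suspected infection window. Added example for this thread; the
sample tree, its timestamps and the infection time are constructed here.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# File types worth a first look, per the reply above.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
                      ".ppt", ".pptx"}


def files_in_window(root, start, end, extensions=SUSPECT_EXTENSIONS):
    """Return [(relative_path, mtime_utc)] for matching files, oldest first.

    Only st_mtime is used: st_ctime means creation time on Windows but inode
    change time on Linux, so it is not portable. Timestamps in the file system
    metadata can be altered, so treat this as a first pass, not as proof.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime <= end:
            hits.append((path.relative_to(root).as_posix(), mtime))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_tree(root):
    """Constructed sample volume: placeholder files with chosen mtimes.
    Returns the constructed infection time used to place them."""
    root = Path(root)
    infection = datetime(2010, 3, 14, 12, 0, tzinfo=timezone.utc)
    samples = {
        "Windows/System32/kernel32.dll": infection - timedelta(days=400),    # old, outside window
        "Users/jeff/AppData/Local/Temp/update.exe": infection + timedelta(minutes=3),
        "Users/jeff/Downloads/invoice.pdf": infection - timedelta(minutes=2),
        "Users/jeff/Documents/notes.txt": infection + timedelta(minutes=1),   # in window, wrong type
        "Users/jeff/Documents/report.docx": infection + timedelta(days=5),    # right type, outside window
    }
    for rel, when in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
        ts = when.timestamp()
        os.utime(p, (ts, ts))    # set atime and mtime to the constructed value
    return infection


def run_constructed_demo():
    """Build the sample tree and scan ten minutes either side of infection."""
    root = tempfile.mkdtemp(prefix="triage_")
    infection = build_sample_tree(root)
    window = timedelta(minutes=10)
    return files_in_window(root, infection - window, infection + window)


if __name__ == "__main__":
    for rel, mtime in run_constructed_demo():
        print(mtime.isoformat(), rel)
```

Running it lists the PDF in Downloads followed by the executable in the user's Temp directory; the old system DLL, the text file and the document modified days later are all excluded. Widen the window or the extension set as the picture of the incident develops.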
I'd agree most things are covered. It might be worth identifying locations for log files such as those for IIS (as they seem to be stored in odd locations), FTP, etc. Some firewall logs, if they are around, could be interesting at times. There's a whole host of items that could be looked at… but as jgrosfelt mentioned, the more information you have beforehand, the easier the investigation will be.
Lastly, one might want to look at logs generated by Internet-enabled applications, such as video and music players; even some non-media tools access the Internet for version and update checks. They often update their registry entries with a "last check" time and date.