winpcap rootkit

4 Posts
3 Users
0 Reactions
640 Views
(@bombone)
Trusted Member
Joined: 13 years ago
Posts: 62
Topic starter  

It would be interesting to know if there is any experience with winpcap forensics. Someone could have put it on two PCs, intercepted something, and then deleted it. I made forensic copies of the two PCs.
On the first PC I only found the string programfile/winpcap; on the possible target PC there are several entries. Could these only be entries from the antivirus database?
bye thanks


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I have to say up front…your post is very confusing.

First off, how is finding a string indicative of a "rootkit"?

What would lead you to suspect that there's a "winpcap rootkit"? Could you explain what that is?

> "…if there is experience in winpcap forensics."

What is "winpcap forensics"?

> "Someone could have put it on two PC, intercepted something. And then deleted."

Sure. But to intercept something, they wouldn't have to install it on both systems, only one.

> "In the first pc I only found the string programfile/winpcap in the possible target pc there
> are several entries."

Where? How did you find them?

> "Can be only entries of the antivirus database?"

Sure. Maybe. You can call a file anything, so it's entirely possible that someone may have
changed the name of a malware file to "winpcap", or something similar.

It really sounds like you've already decided that the issue is a "winpcap rootkit", and you're trying
to fit the evidence to that hypothesis. I would suggest that that's probably the wrong way to go
about your analysis. If you were to provide some background on the incident and perhaps your
goals or what you were asked to determine, we could provide some advice as to the direction you
could take in your analysis in order to achieve those goals.

HTH


   
ReplyQuote
(@bombone)
Trusted Member
Joined: 13 years ago
Posts: 62
Topic starter  


I used X-Ways, searching for keywords such as wireshark, winpcap and others. Someone feels intercepted (phone and other things as well) and wants to go deep.
thanks


   
ReplyQuote
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

> "It really sounds like you've already decided that the issue is a "winpcap rootkit", and you're trying
> to fit the evidence to that hypothesis. I would suggest that that's probably the wrong way to go
> about your analysis."

I agree. Unless the original poster can find a specific piece of malware on a drive that can be identified as a specific rootkit, you cannot say that it is a piece of malicious code. That is jumping to conclusions and bad forensics.

Even if you somehow end up with a binary of the regular WinPcap library, it can be used for both good and bad purposes, and the fact that it can be used for bad purposes will never make it a rootkit.

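The two replies above make the same practical point from different sides: a keyword hit for "winpcap" is not evidence that WinPcap was installed, and an installed WinPcap is not evidence of a rootkit. The following script is an added example and not code posted by anyone in this thread. It takes keyword hits of the kind a disk-image search returns (file path, offset, surrounding text) and labels each one by what it actually evidences: a hit inside the library or driver files a WinPcap install writes to the system directory (wpcap.dll, Packet.dll, npf.sys), a hit on the NPF service key in the SYSTEM hive, a hit under a Program Files\WinPcap directory, or a bare string in some other file (antivirus definitions, an installer log, cached text). The artifact names are the documented WinPcap footprint; the hit records, the paths, and the classification rules are constructed for the example, and it does not parse any particular tool's export format.

```python
"""
Triage keyword hits for "winpcap" from a disk image: separate hits that are merely
strings (antivirus definitions, installer logs, cached text) from hits that coincide
with the files and registry key a real WinPcap installation writes.
Added example; every hit record below is constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Files a WinPcap install drops into the Windows system directory, and the service
# key its NPF driver registers. These names are the well-known WinPcap footprint.
INSTALL_FILES = {"wpcap.dll", "packet.dll", "npf.sys"}
SYSTEM32_DIR_RE = re.compile(r"\\windows\\system32\\(drivers\\)?$", re.I)
NPF_SERVICE_RE = re.compile(r"controlset\d{3}\\services\\npf\b", re.I)
PROGRAM_DIR_RE = re.compile(r"\\program files( \(x86\))?\\winpcap\\", re.I)


@dataclass(frozen=True)
class Hit:
    """One keyword search hit: the file it sits in, the byte offset within that
    file, and the text the search tool shows around the match."""
    path: str
    offset: int
    context: str


def classify(hit: Hit) -> str:
    """Label a hit by what it evidences, not by the keyword alone."""
    directory, _, name = hit.path.lower().rpartition("\\")
    directory += "\\"
    if name in INSTALL_FILES and SYSTEM32_DIR_RE.search(directory):
        return "install_binary"      # the library/driver itself, where the installer puts it
    if name == "system" and NPF_SERVICE_RE.search(hit.context):
        return "registry_service"    # NPF service registration inside the SYSTEM hive
    if PROGRAM_DIR_RE.search(directory):
        return "install_dir"         # a file under Program Files\WinPcap
    return "string_only"             # the word appears in a file's content; nothing more


def assess(hits: list[Hit]) -> dict:
    """Count hits per category and say whether they support the narrow claim
    'WinPcap was installed on this system' (binaries in place AND the driver
    service registered). Whether it was installed for a bad purpose is a separate
    question that this evidence alone cannot answer."""
    labels = {h: classify(h) for h in hits}
    counts = Counter(labels.values())
    footprint = counts["install_binary"] > 0 and counts["registry_service"] > 0
    return {
        "counts": dict(counts),
        "supports_install": footprint,
        "string_only_files": sorted({h.path for h, l in labels.items() if l == "string_only"}),
    }


# Constructed sample hits, as a keyword search for "winpcap" might list them.
PC1_HITS = [
    # a single hit inside a hypothetical antivirus definition file
    Hit(r"C:\ProgramData\ExampleAV\definitions\sig.db", 0x1A2B30,
        "...pcap wireshark winpcap nmap npcap..."),
]
PC2_HITS = [
    Hit(r"C:\Windows\System32\wpcap.dll", 0x00C4, "WinPcap (winpcap.org)"),
    Hit(r"C:\Windows\System32\Packet.dll", 0x0F20, "winpcap"),
    Hit(r"C:\Windows\System32\drivers\npf.sys", 0x0380, "winpcap"),
    Hit(r"C:\Windows\System32\config\SYSTEM", 0x4D000,
        r"ControlSet001\Services\NPF ImagePath system32\drivers\npf.sys"),
    Hit(r"C:\Program Files\WinPcap\rpcapd.exe", 0x0010, "winpcap"),
    Hit(r"C:\Users\user\AppData\Local\Temp\setup.log", 0x0200, "WinPcap_4_1_3.exe"),
]

if __name__ == "__main__":
    for label, hits in (("pc1", PC1_HITS), ("pc2", PC2_HITS)):
        print(label, assess(hits))
```

For the first constructed image the only hit is a bare string in a definitions file and `supports_install` is False, which is exactly the "could it just be the antivirus database?" case. For the second image the binaries and the NPF service key are both present, so the narrow claim "WinPcap was installed" is supported; the script deliberately stops there and does not label anything a rootkit, because, as MDCR notes, that would require identifying a specific malicious binary, not the library itself.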