[Dshield] Forensics and hard drives

Kenneth Coney superc at visuallink.com
Mon Apr 9 18:51:34 GMT 2007


Okay, a little off topic I know, but maybe someone here has an idea.

I am examining an XP hard drive the owner gave me to recover deleted 
files and determine if they have been hacked.  I sector-cloned it, 
configured the clone as a slave drive, and have done the file recovery, 
but I am a little stumped on where to go from here.  The partitions seem 
normal.  I find no trace of a folder called \windows\internet logs, nor 
any recognizable firewall logs.  I have searched for several types 
(e.g., Symantec, ZoneAlarm, etc.) but find nothing recognizable as a 
firewall log. 

I know that if this was a live drive, I would be running netstat, or 
something similar, but it is a slaved disk, so the normal tools won't 
work.   A scan with (current) antivirus software found nothing.  How do 
I determine by saved/recovered file examination the last state of the 
processes, or whether or not any firewall was even in place?  I am told 
an unauthorized person had access to the PC for a day or so, and it is 
believed they configured it to allow remote access, then later hacked 
in and deleted important data files.  This may be correct as the files 
were suddenly deleted (recovered) and the modifications occurred at a 
time when no one was in the building, but how do I prove it was done 
remotely without configuring the hard drive to boot?  What file should I 
be examining? 

A search of stored cookies and Internet Explorer logs found nothing 
usable. 
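An added worked example, not part of the original post: the artifact that answers "was it done remotely, and when?" on a dead XP disk is the Security event log, %SystemRoot%\system32\config\SecEvent.Evt, provided logon auditing was enabled on the machine. A successful logon is event 528 (540 for network logons), and the fourth insertion string is the Logon Type: 10 is RemoteInteractive (Terminal Services / Remote Desktop), 3 is a network logon; events 682 and 683 record Terminal Services session reconnects and disconnects with the client name and address. The Windows Firewall state for XP SP2 lives in the SYSTEM hive under Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (EnableFirewall) and its log, when enabled, is %windir%\pfirewall.log; the Terminal Server\fDenyTSConnections value in the same hive says whether Remote Desktop was switched on. The script below parses the legacy .evt record format (the Win32 EVENTLOGRECORD structure) by scanning for the "LfLe" signature, so it works equally on the intact file, on a fragment recovered from unallocated space, or on the raw image. The log bytes it runs on are constructed here for illustration; the computer name XPBOX, the user "owner", the address 10.0.0.7 and the 08:00-18:00 working hours are assumptions, not data from the disk in question.

```python
"""Offline triage of a Windows XP Security log (SecEvent.Evt) from a cloned
disk.  Records are carved by signature rather than walked from the file
header, so the same routine works on an intact log, on a fragment
recovered from unallocated space, or on a whole-disk image.
"""
import struct
from datetime import datetime, time, timezone

# EVENTLOGRECORD fixed header from the Win32 SDK: 6 DWORDs, 4 WORDs, 6 DWORDs
_HDR = struct.Struct("<6I4H6I")          # 56 bytes
_SIG = b"LfLe"                            # Reserved field, DWORD 0x654C664C

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def carve_records(blob):
    """Return event records found anywhere in blob by signature scan.

    A candidate is accepted only when its leading and trailing Length fields
    agree; that also rejects the 48-byte ELF_LOGFILE_HEADER, which starts
    with the same signature but is shorter than a record header.
    """
    records = []
    pos = blob.find(_SIG)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + _HDR.size <= len(blob):
            f = _HDR.unpack_from(blob, start)
            length, recnum, t_gen, event_id = f[0], f[2], f[3], f[5]
            nstrings, str_off, data_len, data_off = f[7], f[11], f[14], f[15]
            end = start + length
            if (_HDR.size <= length <= 0x10000 and end <= len(blob)
                    and struct.unpack_from("<I", blob, end - 4)[0] == length):
                s_end = start + data_off if data_len else end - 4
                text = blob[start + str_off:s_end].decode("utf-16-le", "replace")
                records.append({
                    "record": recnum,
                    "time": datetime.fromtimestamp(t_gen, timezone.utc),
                    "event_id": event_id & 0xFFFF,   # high bits are severity/facility
                    "strings": text.split("\0")[:nstrings],
                })
                pos = blob.find(_SIG, end)
                continue
        pos = blob.find(_SIG, pos + 1)
    return records


def flag_remote_activity(records, work_hours=(time(8), time(18))):
    """Flag logons that were remote, network-based, or outside work hours.

    Times are UTC as stored in the log; the machine's own zone would come
    from the SYSTEM hive's TimeZoneInformation key (not done here).
    """
    hits = []
    for r in records:
        s, reasons = r["strings"], []
        after_hours = not (work_hours[0] <= r["time"].time() < work_hours[1])
        if r["event_id"] in (528, 540) and len(s) >= 4 and s[3].isdigit():
            ltype = int(s[3])                  # string 4 of 528/540 is Logon Type
            if ltype in (3, 10):
                reasons.append("%s logon by %s" % (LOGON_TYPES.get(ltype, ltype), s[0]))
            if after_hours:
                reasons.append("after-hours logon by %s" % s[0])
        elif r["event_id"] in (682, 683) and len(s) >= 6:
            kind = "reconnect" if r["event_id"] == 682 else "disconnect"
            reasons.append("TS session %s for %s from %s (%s)" % (kind, s[0], s[5], s[4]))
        if reasons:
            hits.append({"record": r["record"], "time": r["time"].isoformat(),
                         "event_id": r["event_id"], "reasons": reasons})
    return hits


def _record(recnum, when, event_id, strings):
    """Build one EVENTLOGRECORD (constructed sample data, not a real log)."""
    names = "Security\0XPBOX\0".encode("utf-16-le")      # SourceName, Computername
    strs = "".join(x + "\0" for x in strings).encode("utf-16-le")
    length = _HDR.size + len(names) + len(strs) + 4
    ts = int(when.replace(tzinfo=timezone.utc).timestamp())
    hdr = _HDR.pack(length, 0x654C664C, recnum, ts, ts, event_id,
                    8, len(strings), 0, 0,                 # EVENTLOG_AUDIT_SUCCESS
                    0, _HDR.size + len(names), 0, 0, 0, 0)
    return hdr + names + strs + struct.pack("<I", length)


# Constructed log fragment: four records with junk bytes around them, as a
# carved chunk from unallocated space might look.  All names are invented.
SAMPLE_EVT = (
    b"\x00" * 11
    + _record(1, datetime(2007, 4, 2, 9, 15), 528,
              ["owner", "XPBOX", "(0x0,0x3E7)", "2", "User32", "Negotiate", "XPBOX"])
    + b"\xff" * 7
    + _record(2, datetime(2007, 4, 2, 10, 0), 540,
              ["owner", "XPBOX", "(0x0,0x1A2B)", "3", "NtLmSsp", "NTLM", "LAPTOP"])
    + _record(3, datetime(2007, 4, 3, 2, 40), 528,
              ["owner", "XPBOX", "(0x0,0x4C5D)", "10", "User32", "Negotiate", "XPBOX"])
    + _record(4, datetime(2007, 4, 3, 2, 41), 682,
              ["owner", "XPBOX", "(0x0,0x4C5D)", "RDP-Tcp#3", "REMOTEPC", "10.0.0.7"])
)

if __name__ == "__main__":
    for hit in flag_remote_activity(carve_records(SAMPLE_EVT)):
        print(hit["time"], hit["event_id"], "; ".join(hit["reasons"]))
```

To run it against the clone, replace SAMPLE_EVT with the bytes of the recovered SecEvent.Evt (or mmap the whole image and pass that); a RemoteInteractive logon or a Terminal Services reconnect from a foreign address at the time the files were modified is the evidence the post is asking for, and the Logon ID string ties the logon to later 682/683 session events for the same session.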
