[Dshield] Forensics and hard drives

Ackley, Alex aackley at epmgpc.com
Mon Apr 9 19:11:09 GMT 2007

You can add the drive as the drive for a virtual server within Microsoft Virtual Server 2005 R2 (and I'm sure the same is the case with VMware).  Then boot the virtual server using that drive as its main.  Make sure the virtual network adapter only routes internally to the virtual environment.  Then you can run all of your tools on it as it is in production but without any method of actually getting out.


From: list-bounces at lists.dshield.org on behalf of Kenneth Coney
Sent: Mon 4/9/2007 2:51 PM
To: list at lists.dshield.org
Subject: [Dshield] Forensics and hard drives

Okay, a little off topic I know, but maybe someone here has an idea.

I am examining an XP hard drive the owner gave me to recover deleted
files and determine if they have been hacked.  I sector cloned it,
configured the clone as a slave drive, and have done the file recovery,
but I am a little stumped on where to go from here.  The partitions seem
normal.  I find no trace of a folder called \windows\internet logs, nor
any recognizable firewall logs.  I have searched for several types
(i.e., Symantec, ZoneAlarm, etc.) but find nothing recognizable as a
firewall log.

I know that if this was a live drive, I would be running netstat, or
something similar, but it is a slaved disk, so the normal tools won't
work.   A scan with (current) antivirus software found nothing.  How do
I determine by saved/recovered file examination the last state of the
processes, or whether or not any firewall was even in place?  I am told
an unauthorized person had access to the PC for a day or so, and it is
believed they configured it to allow a remote access, then later hacked
in and deleted important data files.  This may be correct as the files
were suddenly deleted (recovered) and the modifications occurred at a
time when no one was in the building, but how do I prove it was done
remotely without configuring the hard drive to boot?  What file should I
be examining?

A search of stored cookies and Internet Explorer logs found nothing.
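The offline check the question is really asking for (what to examine on the slaved clone without booting it), as an added example that is not code from either poster: carve Windows XP event-log records straight out of the raw image and list the logons that arrived over the network or RDP. It assumes the documented EVENTLOGRECORD layout of the NT/2000/XP .evt format (56-byte fixed header, "LfLe" signature, record length repeated at the end) and the inserted-string layout of Security events 528 and 540, where the fourth string is the logon type (3 = network, 10 = RemoteInteractive/RDP). Scanning the whole image instead of opening SecEvent.Evt also recovers records from a log that was cleared or deleted, as long as the sectors were not overwritten. The disk image below is constructed for the example.

```python
"""Carve XP event-log (EVENTLOGRECORD) records out of a raw image and list
remote logons.  Added example; layout per the NT/2000/XP .evt format."""
import struct
from datetime import datetime, timezone

EVT_SIG = b"LfLe"
HDR = "<IIIIIIHHHHIIIIII"        # Length, 'LfLe', RecNo, TimeGen, TimeWritten, EventID,
HDR_LEN = struct.calcsize(HDR)   # EventType, NumStrings, Category, Flags, ClosingRecNo,
                                 # StringOff, SidLen, SidOff, DataLen, DataOff  (= 56 bytes)
REMOTE_LOGON_TYPES = {"3": "network", "10": "rdp"}   # 4th inserted string of 528/540

def _utf16z(buf, off, limit):
    """NUL-terminated UTF-16LE string at off, never reading past limit."""
    end = off
    while end + 2 <= limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return bytes(buf[off:end]).decode("utf-16-le", errors="replace"), end + 2

def parse_record(buf, off):
    """Parse one record at off; None unless it is structurally sane."""
    if buf[off + 4:off + 8] != EVT_SIG or off + HDR_LEN > len(buf):
        return None
    (length, _sig, recno, t_gen, _t_wr, event_id, _etype, nstrings, _cat, _flags,
     _closing, str_off, _sid_len, _sid_off, _data_len, _data_off) = struct.unpack_from(HDR, buf, off)
    if length < HDR_LEN + 4 or off + length > len(buf) or not HDR_LEN <= str_off <= length:
        return None
    # The trailing copy of Length is the cheapest integrity check for a carved record:
    # a partially overwritten log sector fails it and is skipped rather than misparsed.
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        return None
    end = off + length
    source, p = _utf16z(buf, off + HDR_LEN, end)
    computer, _ = _utf16z(buf, p, end)
    strings, p = [], off + str_off
    for _ in range(nstrings):
        s, p = _utf16z(buf, p, end)
        strings.append(s)
    return {"record": recno, "time": datetime.fromtimestamp(t_gen, tz=timezone.utc),
            "event_id": event_id & 0xFFFF, "source": source, "computer": computer,
            "strings": strings, "length": length}

def carve(buf):
    """Yield every sane record whose signature appears anywhere in buf (allocated or not)."""
    pos = buf.find(EVT_SIG, 4)
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec:
            yield rec
            pos = buf.find(EVT_SIG, pos - 4 + rec["length"])
        else:
            pos = buf.find(EVT_SIG, pos + 1)

def remote_logons(buf):
    """Security 528 (successful logon) / 540 (network logon) with a remote logon type."""
    hits = []
    for rec in carve(buf):
        s = rec["strings"]
        if rec["source"] != "Security" or rec["event_id"] not in (528, 540):
            continue
        if len(s) < 7 or s[3] not in REMOTE_LOGON_TYPES:
            continue
        hits.append({"time": rec["time"], "user": f"{s[1]}\\{s[0]}", "record": rec["record"],
                     "kind": REMOTE_LOGON_TYPES[s[3]], "workstation": s[6]})
    return hits

def build_record(recno, when, event_id, source, computer, strings):
    """Serialise one EVENTLOGRECORD; used here only to construct sample data."""
    enc = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    body = enc(source) + enc(computer)
    str_off = HDR_LEN + len(body)
    body += b"".join(enc(s) for s in strings)
    body += b"\x00" * (-len(body) % 4)          # records are DWORD aligned
    length = HDR_LEN + len(body) + 4
    ts = int(when.replace(tzinfo=timezone.utc).timestamp())
    hdr = struct.pack(HDR, length, 0x654C664C, recno, ts, ts, event_id, 8, len(strings),
                      0, 0, 0, str_off, 0, str_off, 0, length - 4)
    return hdr + body + struct.pack("<I", length)

def constructed_image():
    """Stand-in for a dd image (constructed, not real evidence): slack bytes, a console
    logon, an RDP logon and a network logon in the small hours, plus a torn copy of a
    record whose trailing length no longer matches, as an overwritten sector would look."""
    console = build_record(1001, datetime(2007, 4, 6, 14, 2), 528, "Security", "OFFICE-XP",
        ["owner", "OFFICE-XP", "(0x0,0x1A3B4)", "2", "User32 ", "Negotiate", "OFFICE-XP", "{0}"])
    rdp = build_record(1002, datetime(2007, 4, 8, 2, 13), 528, "Security", "OFFICE-XP",
        ["helpdesk", "OFFICE-XP", "(0x0,0x2B7C1)", "10", "User32 ", "Negotiate", "LAPTOP-X", "{0}"])
    net = build_record(1003, datetime(2007, 4, 8, 2, 20), 540, "Security", "OFFICE-XP",
        ["helpdesk", "OFFICE-XP", "(0x0,0x2C900)", "3", "NtLmSsp ", "NTLM", "", "{0}"])
    torn = rdp[:-4] + b"\xff\xff\xff\xff"
    return b"\x00" * 37 + console + b"\x00" * 11 + rdp + torn + b"\xaa" * 5 + net + b"\x00" * 8

if __name__ == "__main__":
    import mmap, sys
    if len(sys.argv) > 1:                       # real image: map it, do not read it into RAM
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
            hits = remote_logons(img)
    else:
        hits = remote_logons(constructed_image())
    for h in hits:
        print(f'{h["time"]:%Y-%m-%d %H:%M}Z  {h["kind"]:8} {h["user"]:22} '
              f'from {h["workstation"] or "?":12} (rec {h["record"]})')
```

Run it against the sector clone (`python evtcarve.py clone.dd`) and the output is the list of remote logons with their UTC timestamps, which can be lined up against the modification times of the recovered files. Two caveats: a hit proves a remote logon reached the Security log, but an empty result proves little, because XP only records logons if audit policy was on, and a cleared or overwritten log leaves nothing to carve; and the records are UTC, so convert before comparing with the "nobody was in the building" window.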


