[Dshield] Forensics and hard drives

Darren Spruell phatbuckett at gmail.com
Mon Apr 16 13:30:55 GMT 2007


On 4/16/07, Peter Stendahl-Juvonen <peter.stendahl-juvonen at welho.com> wrote:
> >> Surely Windows keeps an internal record of
> >> connections with foreign computers somewhere, but in which file?

I don't know that I'd go very far with that assumption. In terms of
"connections", the only utility I'm aware of that would have that
capability would be perhaps Windows Firewall, and perhaps at that only
if it has been explicitly configured to log connections from the local
machine to any destination. Secondly, I'm unsure if it has an
application-contextual logging capability, or if it is only socket
aware and capable of tracking by the source/destination address/ports
tuples.

If you have the ability to do so, an excellent tool for auditing these
types of activities at the network perimeter is Argus
(http://www.qosient.com/argus/), which functions as a sniffer of sorts
and keeps very lean records of the data flows (and some attributes of
them) in a manner loosely similar to Netflow. What makes it shine is
the ability to mine historical auditing data out of it and see the
kind of information it sounds like you want; if positioned at the
network perimeter, you can gather this information for any internal
hosts' outbound connections to the Internet.

DS
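As an added illustration of the flow-record approach Darren describes (this is example code, not Argus's own code or output): a small Python aggregator turns constructed per-packet observations into lean, Netflow-like bidirectional flow records and then answers the "which outbound connections did internal host X make" question from that history. The 192.168.0.0/16 internal prefix and the sample packet lines are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: one packet observation per line, as a perimeter sniffer would see it.
# Fields: epoch_seconds proto src_ip src_port dst_ip dst_port bytes
PACKETS = """\
1176700001 tcp 192.168.1.10 51000 203.0.113.5 80 420
1176700001 tcp 203.0.113.5 80 192.168.1.10 51000 1500
1176700002 tcp 192.168.1.10 51000 203.0.113.5 80 60
1176700005 udp 192.168.1.20 53001 198.51.100.2 53 70
1176700005 udp 198.51.100.2 53 192.168.1.20 53001 120
1176700100 tcp 192.168.1.10 51001 203.0.113.9 443 300
"""

INTERNAL = ip_network("192.168.0.0/16")  # assumed site prefix (hypothetical)


def build_flows(text):
    """Collapse packets into one record per conversation, keyed by the first packet seen.

    The initiator of the conversation becomes 'src', replies are counted as bytes_in,
    and only start/end times and byte/packet counters are kept (a lean, Netflow-like record).
    """
    flows = {}
    for line in text.splitlines():
        ts, proto, sip, sport, dip, dport, nbytes = line.split()
        ts, nbytes = int(ts), int(nbytes)
        key = (proto, sip, sport, dip, dport)       # same direction as initiator
        rkey = (proto, dip, dport, sip, sport)      # reply direction
        if key in flows:
            flows[key]["bytes_out"] += nbytes
        elif rkey in flows:
            key = rkey
            flows[key]["bytes_in"] += nbytes
        else:
            flows[key] = {"proto": proto, "src": sip, "sport": int(sport),
                          "dst": dip, "dport": int(dport), "start": ts,
                          "bytes_out": nbytes, "bytes_in": 0, "pkts": 0}
        flows[key]["end"] = ts
        flows[key]["pkts"] += 1
    return list(flows.values())


def outbound_from(flows, host):
    """Historical query: conversations initiated by an internal host toward non-internal addresses."""
    host = ip_address(host)
    return [f for f in flows
            if ip_address(f["src"]) == host and ip_address(f["dst"]) not in INTERNAL]


if __name__ == "__main__":
    for f in outbound_from(build_flows(PACKETS), "192.168.1.10"):
        print(f"{f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"out={f['bytes_out']}B in={f['bytes_in']}B pkts={f['pkts']}")
```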
