Network Forensics

Here is a sample chapter from “Computer Forensics: Incident Response Essentials“, entitled “Tracking an Offender“. Although the material is five years old, it still applies.

To fill in the gaps, here’s a few bits:

  • While the message ID for email is unique, it may or may not be random. It may be worthwhile to know more about the systems handling the mail you’re investigating. (Hint: Message ID’s generated by Sendmail are based on process number and time of day.)
  • In addition to NetBIOS (for Unix systems, use nbtscan), it’s likely to be worthwhile to run other tools, like Nmap, to get a better idea of the services running on a machine. This is an act of last resort though as accessing a suspect system may foul any legal proceedings. Then again, if the system is out of your reach…

In any case, it’s been five years since the book was published. I expect that it will be updated shortly (I hope).

Botnet list

I cannot vouch for the accuracy, but here is a list of IP’s that I believe to be part of a unique botnet. Reason: an entries in the web server logfile that indicate a scripting error common to all of the IP’s.

Please be careful in handling the list, there’s likely to be innocent bystanders in there also. At the moment, I don’t have time to do the research.

Still here…

Just in case anyone’s wondering, I’m still around. The change in jobs required a bit of reorganization on my part. That along with the PowerStorm incident has kept me quite busy for a few weeks. I should be back up to speed shortly.