Snort is like network-based anti-virus - it uses signatures to define "interesting" traffic and then will alert when that traffic passes by. So let's say that signature is for known botnet traffic - i.e. a system on your network just got infected via some type of drive-by download or whatever. The Snort (or any other IDS) alert will narrow down your victim (the system on your network), the attacker (the website that had the malicious code that infected your system), and the time frame.

Assuming you had some type of packet logger (Solera, Moloch, or pcap-np, or heck, there are a lot) running, you could use Wireshark to take that huge packet capture and narrow it down to just the source/destination (victim/malicious website) and the time frame. You might even want to open it up a little to get ALL of the traffic from the victim, because sometimes multiple websites are involved with the infection and/or subsequent outbound communication.

Either way, after you've narrowed it down, now you'd run it through NetworkMiner to carve out the actual artifacts - all of the HTML pages, the images, the code, etc. This is really helpful in order to see how the attack actually occurred, and to run any exes that are carved out through a tool like VirusTotal.
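The workflow in the comment above (IDS alert gives victim, attacker and time; pcap gets narrowed by host pair and time window, optionally widened to all victim traffic; artifacts get carved and checked against VirusTotal) as an added worked example. This is my code, not the commenter's and not part of Snort, Wireshark or NetworkMiner. It assumes Snort's "fast" alert output format, treats the RFC 1918 address in the alert as the victim, and uses a constructed alert line with a hypothetical local rule SID (1000001) plus a constructed HTTP response whose body only carries the "MZ" magic of a PE file; the `editcap`/`tcpdump` command strings it emits are built from flags I know exist but are not executed here.

```python
"""Added example: narrow a large capture from one IDS alert, then carve and hash
an HTTP body for a VirusTotal hash lookup. Sample alert and HTTP response are
constructed; the rule SID is hypothetical."""
import hashlib
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Snort fast-format alert (SID 1000001 is a hypothetical local rule).
SAMPLE_ALERT = (
    "03/14-10:22:15.123456  [**] [1:1000001:1] LOCAL Known botnet C2 check-in [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] "
    "{TCP} 10.0.0.23:49233 -> 203.0.113.45:443"
)

# Snort fast format: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """Assumption: our systems live in RFC 1918 space; anything else is the remote side."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_fast_alert(line, year):
    """Pull time, victim and attacker out of one fast-format alert.

    Fast format has no year, so the caller supplies it. Direction is not trusted:
    an outbound C2 beacon and an inbound download alert put the victim on
    opposite ends, so the internal address is picked as the victim either way."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    ts = datetime.strptime("%d/%s" % (year, m["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
    src, dst = m["src"], m["dst"]
    victim, attacker = (src, dst) if is_internal(src) else (dst, src)
    return {"time": ts, "victim": victim, "attacker": attacker,
            "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"]}


def wireshark_filter(alert, window_minutes=5, all_victim_traffic=False):
    """Wireshark display filter for the host pair (or the whole victim) in +/- window."""
    start = alert["time"] - timedelta(minutes=window_minutes)
    stop = alert["time"] + timedelta(minutes=window_minutes)
    fmt = "%b %d, %Y %H:%M:%S"  # the absolute-time form frame.time comparisons accept
    hosts = "ip.addr == %s" % alert["victim"]
    if not all_victim_traffic:
        hosts += " && ip.addr == %s" % alert["attacker"]
    return '%s && frame.time >= "%s" && frame.time <= "%s"' % (
        hosts, start.strftime(fmt), stop.strftime(fmt))


def trim_commands(pcap, alert, window_minutes=5, all_victim_traffic=False):
    """Shell steps to cut the big capture down: editcap trims by time (-A/-B),
    then tcpdump keeps only the host pair via a BPF filter (BPF cannot do time)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start = (alert["time"] - timedelta(minutes=window_minutes)).strftime(fmt)
    stop = (alert["time"] + timedelta(minutes=window_minutes)).strftime(fmt)
    bpf = "host %s" % alert["victim"]
    if not all_victim_traffic:
        bpf += " and host %s" % alert["attacker"]
    return [
        'editcap -A "%s" -B "%s" %s window.pcap' % (start, stop, pcap),
        "tcpdump -r window.pcap -w incident.pcap '%s'" % bpf,
    ]


# Constructed HTTP response; only the "MZ" magic of the 16-byte body is PE-like.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n\r\nMZ" + b"\x90" * 14
)


def carve_http_body(stream):
    """Split one reassembled HTTP response into headers and body, honouring Content-Length
    so trailing bytes from the next response on the same connection are not carved in."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    body = rest[: int(m.group(1))] if m else rest
    return head.decode("latin-1"), body


def is_pe(body):
    """Cheap check for a carved Windows executable: DOS header starts with 'MZ'."""
    return body[:2] == b"MZ"


def sha256_hex(data):
    """Hash for a VirusTotal lookup: check the hash first, upload only if unknown."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    a = parse_fast_alert(SAMPLE_ALERT, 2024)
    print(wireshark_filter(a))
    print(wireshark_filter(a, all_victim_traffic=True))
    for cmd in trim_commands("sensor-full.pcap", a):
        print(cmd)
    hdr, body = carve_http_body(SAMPLE_HTTP_RESPONSE)
    print("carved %d bytes, PE=%s, sha256=%s" % (len(body), is_pe(body), sha256_hex(body)))
```

Looking up the SHA-256 on VirusTotal before uploading avoids handing a possibly targeted sample to a public service; the `all_victim_traffic` switch is the "open it up a little" step from the comment, for cases where the redirect chain or the follow-on C2 host is not the one named in the alert.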