Ethical Hacker Community Forums
January 08, 2009, 04:05:22 PM *
  Show Posts
Pages: 1 [2]
16  Ethical Hacking Discussions and Related Certifications / Other / Re: ophcrack on: May 15, 2008, 02:24:39 PM
Does the Ophcrack CD work in other PCs still?  Can you boot the PC you are having trouble with from another CD, say Ubuntu or Knoppix?
17  EH-Net / ChicagoCon 2008s / Re: Podcast - Follow the Bouncing Malware LIVE on: May 01, 2008, 09:13:51 AM
I listened to the podcast and followed through with the presentation.  I can see why people rave about Tom's courses now.  Very enjoyable.

I did a blog post on malware hunting ( http://synjunkie.blogspot.com/2007/11/hunting-malware-in-windows.html ) a few months back but compared to Tom's stuff it looks like I need to go back to the drawing board.


18  Ethical Hacking Discussions and Related Certifications / Forensics / Re: "New" tool on: April 30, 2008, 06:12:05 PM
Right. Missed those.

I need to read more carefully before posting I guess.
19  Ethical Hacking Discussions and Related Certifications / Forensics / Re: "New" tool on: April 30, 2008, 05:30:26 AM
From the description of the tool it doesn't sound very different from what it's possible to achieve with the U3 switchblade or hacksaw (see hak.5 forums).  Obviously the tools within those kits are aimed at the attackers and are already available and in use.  The forensic tools can easily be ported over from an incident response toolkit that is also available.

I would suggest that this tool is nothing new and once again the defenders are playing catch-up.
20  Ethical Hacking Discussions and Related Certifications / Forensics / Re: "New" tool on: April 29, 2008, 05:51:53 PM
Wouldn't it depend on how the USB drive was set up? Surely if the partition with the tools on was set up like the CD partition (read only) on the Hacksaw (U3), for example, and the other partition was to log the results of running the tools, it wouldn't be that dissimilar to running tools from a CD.

I know a registry key would be created for the USB device, but the first responder or LEO would be documenting the process and tools in use anyway, so that would explain that.
21  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Google History on: April 18, 2008, 04:49:30 PM

Are there any proxy server logs or web filter logs that you can cross-reference the sites through? That may help you place the individual at the PC at the time.

What's also useful, if you do have logs, is looking at what else the IP did at about the same time.  Did the IP visit a MySpace page or a Gmail account at the same time? If so, can you tie some activity to an individual?

One tool I would like to suggest is RegRipper by Harlan Carvey. It's a brand new tool and I'm yet to give it a good run-through, but it might help with the visited URLs. Look on SourceForge for it.  And please give Harlan feedback on bugs etc...

Regards

SynJunkie
22  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Data Recovery.... on: April 18, 2008, 04:36:09 PM
Thanks.

It's a weird coincidence that data recovery was something I was focusing on in that recent blog post.
23  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: DNS Allocation Problem on: April 17, 2008, 03:35:45 PM
Hi,

This post is a bit old so I'm not sure if it is still relevant to you, but a nice tool to confirm your details of shared hosting is the "hostnames on IP" under Nameserver on www.serversniff.net

Regards

SynJunkie
24  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Data Recovery.... on: April 17, 2008, 03:05:42 PM
Hi Loic

I was just browsing the forums and I saw your post, so I thought I would register as I might be able to help.

If I had the same problem as you, I would do the following.

1. I would boot into a distro such as BackTrack or any other that has DD.  Using DD I would create an image of the disk onto the external drive.

dd if=/dev/hda of=/mnt/usb/hdd.img  (or whatever the external disk is mounted as).


2. Once I have that image I would use a tool such as foremost to run through the image and pull a lot of the files out.

foremost -v -o /home/loic/dump /mnt/usb/hdd.img

This should pull many filetypes out and place them in folders within a folder called dump (create this folder before you start) in your home drive.


Or you could boot into BackTrack, mount the external drive as, say, /mnt/usb and then run foremost direct to that without creating the image.

foremost -v -o /mnt/usb/dump /dev/hda

This would be quicker than creating the image first, obviously.

I have just put a post up on my blog about simple data recovery at http://synjunkie.blogspot.com

I hope this might have been of use to you.
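
The image-then-carve procedure from the post above, with a digest check added so the image can be shown to match the disk before anything is carved from it. This is an added example and not part of the original post; the function names, the hashing step and the dd block size and conv options are assumptions, while /dev/hda, /mnt/usb and the foremost flags are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the SHA-256
# step and the dd options are assumptions made for illustration.

# image_and_verify SRC IMG
# Copy SRC to IMG with dd, record the image's SHA-256 beside it, and
# return 0 only if the source and image digests match.
image_and_verify() {
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # noerror: continue past unreadable sectors; sync: zero-pad short reads
    # so later data keeps its offset in the image.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 3
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_sum" "$img" > "$img.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# carve_image IMG OUTDIR
# Run foremost against the image so the original disk is read only once.
carve_image() {
    img=$1; out=$2
    command -v foremost >/dev/null 2>&1 || { echo "foremost not found" >&2; return 127; }
    foremost -v -o "$out" "$img"
}

# Typical use from the live CD, with the post's paths:
#   image_and_verify /dev/hda /mnt/usb/hdd.img && \
#       carve_image /mnt/usb/hdd.img /mnt/usb/dump

# Self-check on a constructed 8 KiB sample file: sh thisscript.sh --selftest
if [ "${1:-}" = "--selftest" ]; then
    t=$(mktemp -d)
    dd if=/dev/urandom of="$t/disk.raw" bs=4096 count=2 2>/dev/null
    image_and_verify "$t/disk.raw" "$t/hdd.img" && echo "digests match"
    rm -rf "$t"
fi
```

On a disk with unreadable sectors the digests will not match, because the image holds zero padding where the reads failed; the recorded .sha256 file still fixes the state of the image that was carved.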