Wednesday, August 16, 2006

Artifacts

I attended an excellent presentation on IM Forensics at the recent GMU2006 conference, and that got me to thinking...are there resources out there that list forensic artifacts for various IM applications? I know that folks on the LE side dig into this quite often, but when I see/hear it discussed, it usually starts out with "...I read somewhere...". Hhhhmmm. I've been thinking that with the recent releases of AIM Triton and a new version of Yahoo, I'd take a look at these and document their forensic artifacts. Of course, there are other IM applications out there (Gaim, Trillian, etc.), so I'd like to start by compiling a list of sites that provide credible information on older versions.

I'd also like to see if there are any resources (sites, blogs, papers, etc.) regarding forensic artifacts for P2P applications, as well. I've looked at LimeWire in the past, but now and again I see questions regarding Bearshare, etc.

Finally, while we're on the topic of artifacts, I'm also interested in talking to (or hearing from) anyone who's willing to share information on artifacts regarding exploits and compromises. One of the questions I get very often is, "what do I look for if I suspect someone has used this exploit?" Sometimes we can determine this sort of thing through testing, and other times we can look at anti-virus web sites to get artifacts for worms and backdoors. Still other times, we stumble across these things by accident.

I'll give you an example of what I'm talking about. Take cross-site scripting and SQL injection attacks against IIS web servers. Sometimes during analysis (it really depends on the situation) I'll run a keyword search for xp_cmdshell across the web server logs. If I get hits, I then use Perl scripts to extract the information from the logs into an easy-to-manage format.
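To make the keyword-search-then-extract step concrete, here is an added example in Python (not the author's Perl scripts and not code from the original post). It parses IIS W3C extended log lines using the #Fields directive, URL-decodes the URI stem and query before matching, and writes the hits out as CSV. The log lines are constructed for the example; the field layout assumes a typical IIS 6 #Fields line. Decoding before matching matters because a plain grep of the raw log misses an encoded variant such as XP%5FCMDSHELL, and the last sample line shows why every hit still needs analyst review: the keyword also appears in a harmless search query.

```python
import csv
import io
from urllib.parse import unquote_plus

# Constructed sample of an IIS 6 W3C extended log (not taken from any real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-08-16 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-08-16 10:15:01 10.0.0.5 GET /default.asp - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2006-08-16 10:15:44 10.0.0.5 GET /products.asp id=1';exec+master..xp_cmdshell+'dir'-- 80 - 192.0.2.77 Mozilla/4.0 500 0 0
2006-08-16 10:16:02 10.0.0.5 GET /products.asp id=1%27%3Bexec%20master..XP%5FCMDSHELL%20%27whoami%27-- 80 - 192.0.2.77 Mozilla/4.0 500 0 0
2006-08-16 10:17:30 10.0.0.5 GET /search.asp q=xp_cmdshell+documentation 80 - 192.0.2.33 Mozilla/4.0 200 0 0
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields carries information we need
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Skip malformed lines rather than silently misaligning columns
            continue
        records.append(dict(zip(fields, values)))
    return records


def decoded_request(record):
    """Return the URL-decoded stem and query, as an analyst would read them."""
    stem = unquote_plus(record.get("cs-uri-stem", ""))
    query = record.get("cs-uri-query", "")
    query = "" if query == "-" else unquote_plus(query)
    return stem, query


def find_keyword_hits(records, keyword="xp_cmdshell"):
    """Case-insensitive keyword match against the decoded stem and query."""
    kw = keyword.lower()
    hits = []
    for rec in records:
        stem, query = decoded_request(rec)
        if kw in stem.lower() or kw in query.lower():
            hits.append({
                "date": rec["date"],
                "time": rec["time"],
                "c-ip": rec["c-ip"],
                "cs-method": rec["cs-method"],
                "cs-uri-stem": stem,
                "decoded-query": query,
                "sc-status": rec["sc-status"],
            })
    return hits


def raw_keyword_lines(text, keyword="xp_cmdshell"):
    """Count what a plain, case-sensitive search of the raw log would return."""
    return sum(1 for line in text.splitlines() if keyword in line)


def hits_to_csv(hits):
    """Flatten the hits into CSV text for review in a spreadsheet or timeline tool."""
    cols = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "decoded-query", "sc-status"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols)
    writer.writeheader()
    for hit in hits:
        writer.writerow(hit)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    hits = find_keyword_hits(recs)
    print(f"raw search matches: {raw_keyword_lines(SAMPLE_LOG)}, decoded matches: {len(hits)}")
    print(hits_to_csv(hits))
```

On the sample above, the raw search finds two lines while the decoded search finds three; the extra hit is the percent-encoded request. The 500 status on the injection attempts and the repeated client address are the sort of columns that make the CSV useful for pivoting into other artifacts on the same host.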

This is the sort of thing I'm interested in...mostly because I know others are interested, as well, because I hear the questions. Besides looking at Registry and file system artifacts, this might be an interesting avenue to pursue in Windows memory analysis, as well.
