tag:blogger.com,1999:blog-1746946614390371171.post1876782392475655422..comments2010-08-12T07:41:23.276-07:00Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comBlogger11125tag:blogger.com,1999:blog-1746946614390371171.post-433933676437361232010-08-12T07:41:23.276-07:002010-08-12T07:41:23.276-07:00Oh and BTW, for anyone who is still interested, you CANNOT just drag and drop this .E01 file into EnCase. <br /><br />In order to add this evidence, you have to select Add Device -&gt; then on the left column Under Sources, right-click on Evidence file, and select New. A menu will come up, and from here drill down to the folder where the .E01 file resides. Continue to click next and EnCase will finally add this evidence and populate the directory structures.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-58111519622069189282008-01-21T06:19:00.000-08:002008-01-21T06:19:00.000-08:00the network dump shows that compromised host open three way handshake to other host, then after the ACK from other hsot answers with a new SYN asumese that not receive the ACK package, so pther host send another ACK, but compromised host leaves hanshake get down: it seems be a port scanning.<BR/>I don't understand why in second steep of three way handshake other host response with ACK=1+SYN=0 and not with ACK=1+SYN=0, as expected.<BR/><BR/>I convert encase image in dd image with FTK Imager, then use some anti-virus:<BR/>avast identify Win32:Rizo-E ( a trojan) in WINDOWS/system32/inetsrv/rpcall.exe<BR/>f-prot identify:<BR/>[Found possible security risk] RESET5SETUP.EXE->(PEBundle)->(PEBundle)->(PEBundle)->(PEBundle)->(PEBundle)->(PECompact)<BR/>[Found downloader] WINDOWS/system32/reset5.dll<BR/>ClamAV on Helix v.1.9 (updated) identify anythings.<BR/>In event log I did't see anythings of strange.<BR/>I'think strange conduct of compromised host my be caused from those malware.<BR/>It may be usefull check internet navigation, to see if user visit some dangerous site, and virtualize compromised host to check if malware may be provenence of that.<BR/>I treat this test on my blog (http://www.denisfrati.it/?p=286) and you can read about it in english here<BR/>http://translate.google.com/translate?u=http%3A%2F%2Fwww.denisfrati.it%2F%3Fp%3D286&langpair=it%7Cen&hl=it&ie=UTF-8<BR/>I apologize for my bad english.<BR/>see youdenishttp://www.denisfrati.itnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-25142548772476027582008-01-20T21:24:00.000-08:002008-01-20T21:24:00.000-08:00Cheers Lance, I've been looking for such an image for a while. Hope you're feeling better after your Hong Kong trip.<BR/><BR/>Darrendarrencerasiwww.i-analysis.com.sgnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-8819072509699172572008-01-19T21:04:00.000-08:002008-01-19T21:04:00.000-08:00Hogfly - sorry I replied earlier via mobile, but it didn't go through for some reason. I am not really trying to get around any licensing/distro restrictions. It is an EnCase evidence file of an operating system for forensic analysis, not for any other reason.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-31462115298688753602008-01-19T18:23:00.000-08:002008-01-19T18:23:00.000-08:00BTW, upload reset5setup.exe to www.virustotal.com and let it analyze it.<BR/><BR/>Or check out this permalink: http://www.virustotal.com/analisis/21f95dfa1f10afe4ea2a581e2e34f599<BR/><BR/>"Server_2003_Activation_Crack.EXE"Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-38872797935695072192008-01-19T18:21:00.000-08:002008-01-19T18:21:00.000-08:00"Microsoft Streaming Service Proxy"Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-90812544101901546072008-01-19T14:54:00.000-08:002008-01-19T14:54:00.000-08:00Can you elaborate or provide any theories you may have? Anything else of interest?Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-56771859975740097802008-01-19T14:29:00.000-08:002008-01-19T14:29:00.000-08:00Check out reset4setup.exe in the image.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-58635429210289657472008-01-19T13:16:00.000-08:002008-01-19T13:16:00.000-08:00Not to be a pain..but how did you get around licensing/distribution of a complete operating system? I've been trying to get together ideas for making my honeynet available for live analysis practicals but licensing is always a blocking issue.hogflyhttp://www.blogger.com/profile/00741773109962883616noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-31324479296384197312008-01-19T13:13:00.000-08:002008-01-19T13:13:00.000-08:00Hogfly - yes, its a complete WinXP Home systemLance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-33263682359973913842008-01-19T13:02:00.000-08:002008-01-19T13:02:00.000-08:00Lance,<BR/>I'm curious...I haven't downloaded the image yet but is the Encase image a complete XP image?hogflyhttp://www.blogger.com/profile/00741773109962883616noreply@blogger.com