SANS Digital Forensics and Incident Response Blog: Tag - Forensic

Windows Scheduler (at job) Forensics

This information may be useful to people responding to compromise incidents involving Windows. Typically these days, when a job is scheduled to run later, possibly every day, week, or month, it is done with a GUI tool or with 'schtasks'. However, the original command line 'at' tool still works. It also lets you schedule jobs on a remote host over the network if you hold administrative credentials for that host, which makes it useful to an attacker for post-exploitation activity. When cleaning up after something like this, it helps to know a bit about what it does under the hood, including the format of the associated .job file and the structure and location of the associated log entries.
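As an added example, not code from the original post, the following Python parser reads the fixed-length header, the variable-length strings and the trigger records of a .job file, following the layout published in Microsoft's MS-TSCH specification for the .JOB format (the optional trailing job signature is not parsed). Because a real At1.job from %SystemRoot%\Tasks cannot be embedded here, the block also builds a constructed sample image whose application path, parameters, author, UUID and timestamps are invented for illustration; the fields an analyst usually cares about during cleanup are the author, the application and its parameters, the last run time, the exit code and the triggers.

```python
import struct
import sys
import uuid
from datetime import datetime

# Layout per the MS-TSCH .JOB description; everything is little-endian.
FIXED = struct.Struct("<HH16sHHHHHHIIIII8H")      # 68-byte FIXDLEN_DATA header
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")  # 48-byte TRIGGER record
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "EVENT_ON_IDLE",
                 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}


def _ustr(buf, off):
    """Length-prefixed UTF-16LE string: 2-byte char count (incl. NUL), then chars."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    s = buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00") if n else ""
    return s, off + 2 * n


def _blob(buf, off):
    """Length-prefixed byte blob (User Data / Reserved Data sections)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_job(buf):
    """Return a dict of the forensically interesting fields of a .job image."""
    f = FIXED.unpack_from(buf, 0)
    st = f[14:22]  # SYSTEMTIME: year, month, weekday, day, hour, min, sec, ms
    job = {
        "uuid": str(uuid.UUID(bytes_le=f[2])),
        "app_name_len_offset": f[3], "trigger_offset": f[4],
        "max_run_time_ms": f[10], "exit_code": f[11],
        "status": f[12], "flags": f[13],
        # An all-zero SYSTEMTIME means the job has never run.
        "last_run": None if st[0] == 0 else
        datetime(st[0], st[1], st[3], st[4], st[5], st[6], st[7] * 1000),
    }
    off = FIXED.size
    (job["running_instances"],) = struct.unpack_from("<H", buf, off)
    off += 2
    if off != job["app_name_len_offset"]:
        raise ValueError("App Name Len Offset does not follow the fixed header")
    for key in ("application", "parameters", "working_dir", "author", "comment"):
        job[key], off = _ustr(buf, off)
    job["user_data"], off = _blob(buf, off)
    job["reserved_data"], off = _blob(buf, off)
    if off != job["trigger_offset"]:
        raise ValueError("Trigger Offset disagrees with the parsed variable-length data")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    job["triggers"] = []
    for _ in range(count):
        t = TRIGGER.unpack_from(buf, off)
        off += TRIGGER.size
        job["triggers"].append({
            "type": TRIGGER_TYPES.get(t[13], "UNKNOWN(%d)" % t[13]),
            "begin": "%04d-%02d-%02d" % (t[2], t[3], t[4]),
            "start": "%02d:%02d" % (t[8], t[9]),
            "minutes_duration": t[10], "minutes_interval": t[11],
            "flags": t[12],
            "specific": t[14:17],  # e.g. WEEKLY: weeks interval, day-of-week bitmask
        })
    return job


def build_sample_job():
    """Construct a .job image in the shape AT produces (sample values, not a real capture)."""
    def ustr(s):
        return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")

    def blob(b):
        return struct.pack("<H", len(b)) + b

    var = struct.pack("<H", 0)                          # Running Instance Count
    var += ustr("C:\\Windows\\System32\\cmd.exe")      # Application Name (constructed)
    var += ustr("/c C:\\Temp\\run.bat")                # Parameters (constructed)
    var += ustr("C:\\Windows\\System32")               # Working Directory
    var += ustr("CORP\\admin")                         # Author (constructed)
    var += ustr("Created by NetScheduleJobAdd.")       # Comment typical of AT jobs
    var += blob(b"")                                   # User Data
    var += blob(b"\x00" * 8)                           # Reserved Data
    # One WEEKLY trigger: begin 2011-03-14, 23:00, every 1 week, Monday (bit 0x02).
    trig = TRIGGER.pack(48, 0, 2011, 3, 14, 0, 0, 0, 23, 0, 0, 0, 0, 2, 1, 0x02, 0, 0, 0, 0)
    fixed = FIXED.pack(
        0x0600, 1, uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
        FIXED.size + 2, FIXED.size + len(var), 0, 0, 0, 0,
        0x20, 259200000, 0, 0x00041300, 0,
        2011, 3, 1, 14, 23, 0, 5, 0)                   # last run: Mon 2011-03-14 23:00:05
    return fixed + var + struct.pack("<H", 1) + trig


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_job()
    for k, v in parse_job(data).items():
        print("%-20s %r" % (k, v))
```

Run it with the path of a recovered .job file to dump its fields, or with no argument to parse the constructed sample. The two offset checks in parse_job are deliberate: a file whose App Name Len Offset or Trigger Offset disagrees with the parsed data is either a newer format variant or has been tampered with, and either case deserves a manual look rather than a silent best-effort parse.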

Figure 1: A scheduled

...


EnCase and Checkpoint PointSec - I'm Not Feeling the Love!

Hard Disk photo courtesy of Jeff Kubina at http://www.flickr.com/photos/kubina/

EnCase cannot directly access PointSec-encrypted hard drives. I understand that PointSec (owned by Checkpoint) may be talking to EnCase and working on a decryption solution. Today, however, there is no seamless way to forensically access PointSec-encrypted data without first decrypting the hard drive. More information may be found at