This guide does not cover the administrative aspects of a compromise; rather, it is intended to outline useful tips for finding malware, point to tools for examining the system, and set out the reasons for undertaking this work.
This document deals with basic intrusion analysis, aimed mainly at intrusions on desktop systems or the initial examination of servers. It is not an in-depth technical discussion of recovering mission-critical servers. It should also be noted that a number of these tools will change the file system (running them on the live disk updates timestamps and overwrites unallocated space), which will more than likely make the drive inadmissible as evidence. If you think you might want to involve law enforcement, this isn't the guide to read: image the drive before touching it and work from the copy.
A compromise can occur in a number of ways: the machine may have been unpatched against a particular vulnerability, the user may be using weak passwords (particularly on Windows shares), or the user may have 'clicked on the wrong thing'. However the machine was compromised, it is important to analyse the system to work out how the intruders got in, as this gives you the means to prevent entry in the future; it is useless to reformat and reinstall a box only to leave the same way in wide open. Understanding the mode of entry also helps determine whether other machines on your site have been compromised: was entry gained through a service unique to this machine, or through one common to the whole site or department?
However entry was gained, one of the most important things you can do is run Windows Update, but be aware that Windows Update only updates Windows itself (and Internet Explorer); it does not update things like Office, MSDE or SQL Server, which need their own patching (Microsoft Update, where available, covers those as well). Simply going to Windows Update will not fix the problem, since it removes neither the intruder's access nor anything they left behind, though it may prevent further compromises by other attackers.
A second important aid to examining intrusions is logging, but be aware that Windows systems are notorious for having very little logging enabled on a default install. As a result, tracking down an intrusion and the actions the intruder took is extremely difficult. A large amount of audit information can be logged, provided the appropriate settings are made, and this should of course be done before an incident rather than after it. A further problem is that intruders commonly wipe log files once they have gained entry to a system, so for mission-critical machines you should consider central storage of log files: forwarded copies survive a wipe on the compromised host, and the gap in the local log is itself evidence.
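As an added example, not from the original guide, the following PowerShell turns on the audit subcategories that matter for intrusion analysis, enlarges the Security log so it does not roll over before you look at it, and then pulls the events an analyst checks first: failed network logons grouped by source address (weak share passwords being guessed) and the 'log cleared' events that betray wiping. It assumes Windows Vista/Server 2008 or later (auditpol.exe, wevtutil.exe, Get-WinEvent) and an elevated session; the set of event IDs and the seven-day window are my choices, not the page's.

```powershell
# Added example, not part of the original guide. Assumes Vista/2008 or later
# and an elevated (Administrator) PowerShell session.

# 1. Enable the audit subcategories that record how someone got in and what
#    they did. A default install logs almost none of these.
$subcategories = @(
    'Logon',                      # 4624 success / 4625 failure, with logon type (3 = network/share)
    'Logoff',
    'Account Lockout',
    'Special Logon',              # 4672: logon with admin-level privileges
    'User Account Management',    # 4720 user created, 4732 added to local group
    'Security Group Management',
    'Process Creation',           # 4688: new process (command line needs a separate GPO setting)
    'Security System Extension',  # 4697: service installed
    'Other Object Access Events', # 4698: scheduled task created
    'Audit Policy Change'         # 4719: someone changed (or turned off) auditing
)
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Raise the Security log's maximum size (/ms is in bytes; 256 MB here).
& wevtutil.exe sl Security /ms:268435456

# 3. Pull the events an intrusion analysis cares about from the last 7 days.
$since = (Get-Date).AddDays(-7)
$ids = @{
    1102 = 'Security log cleared'
    4625 = 'Failed logon'
    4720 = 'User account created'
    4732 = 'Member added to local group'
    4672 = 'Privileged logon'
    4697 = 'Service installed'
    4698 = 'Scheduled task created'
    4719 = 'Audit policy changed'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $ids[[int]$_.Id]
        Summary = ($_.Message -split "`n")[0].Trim()   # first line of the event text
    }
} | Sort-Object Time | Format-Table -AutoSize

# 4. Failed network logons (LogonType 3) grouped by source IP: password guessing
#    against shares shows up here. The XML event data carries the fields.
$events | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '3') {
        [pscustomobject]@{ Source = $d['IpAddress']; User = $d['TargetUserName'] }
    }
} | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 5. Evidence of log wiping: 1102 in Security (above) and 104 in System.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $since } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Note that steps 1 and 2 only help with the next incident; events that were never logged cannot be recovered. For central storage, the built-in route is Windows Event Forwarding (a collector configured with wecutil qc plus a subscription, and WinRM on the sources), or an agent that ships the Security log to a syslog server or SIEM.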
It is worth pointing out that while certain anti-virus products can and do detect certain backdoors, this is not their primary function. An anti-virus scanner is precisely that: it will not tell you how the intruder gained access in the first instance, nor will it alert you to what actions they took or what other backdoors they may have placed on the system. Indeed, many attackers use tools and backdoors specifically designed to evade anti-virus scanners.
Download PDF: Checking Microsoft Windows Systems for Signs of Compromise