Remote access tools


ClarkK
Member
 

Remote access tools

Post Posted: Apr 02, 19 12:23

Windows 7 machine in a domain. What is the best way to determine where (IP) an individual is going with a remote access tool? Can be logmein, splashtop, etc. From an image, I can see the website they are going to but how can I find the destination of where they are connecting to with the tool? Just the logs? Or is there another place I can look?
 
  

Bunnysniper
Senior Member
 

Re: Remote access tools

Post Posted: Apr 02, 19 16:35

- ClarkK
Or is there another place I can look?
Yes, the local registry. Have a look into the software hive and the NTUSER.dat files and search for application entries there. Very often you have something like "recent connections" or similar entries. Nevertheless, start with the application specific logfiles and see what is inside.

regards, Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

keydet89
Senior Member
 

Re: Remote access tools

Post Posted: Apr 02, 19 17:33

- Bunnysniper
Yes, the local registry. Have a look into the software hive and the NTUSER.dat files and search for application entries there.


Anything in particular? I'd like to add it to RegRipper.

Thanks.  
 
  

athulin
Senior Member
 

Re: Remote access tools

Post Posted: Apr 02, 19 19:01

- ClarkK
Windows 7 machine in a domain. What is the best way to determine where (IP) an individual is going with a remote access tool? Can be logmein, splashtop, etc. From an image, i can see the website they are going to but how can I find the destination of where they are connecting to with the tool?


That depends on where those tools store or log the target address, doesn't it?

If you don't know, set up a test client system, and a test target host with a well-known domain name and IP. Do a few connections. Image the client, and look for the domain name and the IP address. Depending on the tool, you may want to try different ways of connection or different tool settings. Perhaps it saves the info in a logfile, but that log file can be placed anywhere and with any name and extension -- but its current path is somewhere in registry.

(You probably want to do follow-up tests to find out if there's anything useful in-core during a live analysis. You probably also want to test failed connections as well, to ensure that you can distinguish between connections that were successful and connections that failed or were broken off in some way. Figure out what questions you are likely to have to answer -- when was the first connection? the last? all connections in the last week in December? ... -- and focus on those.)

Or ... you may have a tool in some kind of container. In which case, you have to look inside that container.

And you may need to check other factors: does anything change between different tool releases? Can you identify the version? Can you identify the currently active version, if more than one is installed? (And, if a tool has been uninstalled, can you see that it has been there? And perhaps also when? Or does it run from a USB stick?) In a corporate environment, you may have well-known tools and versions, so you may be able to restrict your tests to those.

And if you're lucky, someone has already done it for some specific tool. But unless you can locate someone else's analysis report, as well as trust it as source for your own analyses, you have to analyze the tools yourself.  
 
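One way to run the "connect to a known test target, then search the image for it" step athulin describes, as an added example that is not part of this thread: the script scans a raw image, hive or log file for the test host name and IP in both ASCII and UTF-16LE (registry values and many Windows application logs are UTF-16LE, so a plain ASCII grep misses them) and reports absolute offsets. The target name `labtarget.example.test`, the IP `203.0.113.17` and the byte sample are constructed placeholders.

```python
"""Search an image, hive or log for a known test target in ASCII and UTF-16LE.
Added example for the test-target method described above; not thread code."""
import io
import re


def search_targets(stream, targets, chunk_size=1 << 20):
    """Return (target, encoding, absolute offset) hits, sorted by offset.
    Chunks overlap by one needle length so a string straddling a boundary is found."""
    needles = [(t, enc, re.compile(re.escape(t.encode(enc)), re.IGNORECASE))
               for t in targets for enc in ("ascii", "utf-16-le")]
    overlap = max(len(t.encode(enc)) for t, enc, _ in needles) - 1
    hits, base, carry = [], 0, b""
    while True:
        block = stream.read(chunk_size)
        data = carry + block
        last = not block
        keep = 0 if last else min(overlap, len(data))
        limit = len(data) - keep          # hits at/after limit are re-seen next round
        for target, enc, pat in needles:
            for m in pat.finditer(data):
                if m.start() < limit:
                    hits.append((target, enc, base + m.start()))
        if last:
            return sorted(hits, key=lambda h: h[2])
        carry, base = data[limit:], base + limit


def search_bytes(data, targets, chunk_size=1 << 20):
    """Scan an in-memory buffer (used for the constructed sample below)."""
    return search_targets(io.BytesIO(data), targets, chunk_size)


def search_file(path, targets):
    """Scan a raw image, registry hive or log file on disk."""
    with open(path, "rb") as fh:
        return search_targets(fh, targets)


# Constructed sample "image slice" (not real evidence): a UTF-16LE registry-style
# value, an ASCII application log line and an upper-case URL fragment.
SAMPLE = (b"\x00" * 40
          + "Host=labtarget.example.test".encode("utf-16-le")
          + b"\x00" * 20
          + b"2019-04-02 12:23:01 connect 203.0.113.17:443 ok\n"
          + b"\x00" * 4 + b"url=LABTARGET.EXAMPLE.TEST\r\n")
TEST_TARGETS = ["labtarget.example.test", "203.0.113.17"]   # placeholder test host/IP

if __name__ == "__main__":
    for target, enc, off in search_bytes(SAMPLE, TEST_TARGETS):
        print(f"{off:#010x}  {enc:10s} {target}")
```

Run it against a mounted image or an exported NTUSER.dat with `search_file(path, TEST_TARGETS)`; a hit inside a hive points at the key to check, while a hit in free space only tells you the string was once on disk.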
