Having given this a little thought, I am taking a first cut at what a tool mark library might look like: a per-tool record of what the tool changes on a system, so those changes can be recognized later during an examination. It is not perfect by any means, but it's a start.
Tool marks
Software name:
Software version:
Author:
Downloaded from:
Intended use or purpose if stated by author:
Runs on operating system:
Privileges required:
MD5/SHA1:
Characteristics:
Registry: Additions, modifications, removals, persistence
File System (files & folders): Additions, modifications, removals, accessed, persistence
Network connections: Additions, modifications, deleted
Services: Created, Deleted, Modified, persistence
Processes: Created, Killed
Users/Groups & Passwords: Created, Deleted, Modified
Logs: Entries created, deleted, modified
Other:
User-configurable options and resulting behaviors
Hash of each file created
Binary packed/unpacked
PE header information of main executables
Restore point created
Thoughts?
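One way to populate the "Characteristics" part of such a record is to difference a snapshot of a lab machine taken before running the tool against one taken afterwards. The following is an added example, not code from the original post: it builds a tool mark from two constructed in-memory snapshots, classifies each category as added/modified/removed, hashes every created or changed file, and flags the obvious persistence points (Run-key additions and new services). All tool names, paths, registry keys and file contents are invented for illustration, and the real snapshot collection (registry export, directory walk, service list, process list, user list) is assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """State of one lab system at a point in time (collection is assumed to happen elsewhere)."""
    registry: dict = field(default_factory=dict)   # value path -> data
    files: dict = field(default_factory=dict)      # path -> bytes content
    services: dict = field(default_factory=dict)   # service name -> start config
    processes: set = field(default_factory=set)    # running process names
    users: dict = field(default_factory=dict)      # username -> tuple of groups


def diff_category(before: dict, after: dict) -> dict:
    """Classify keys as added / removed / modified between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA1 of a file body, matching the MD5/SHA1 field of the template."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def build_tool_mark(meta: dict, before: Snapshot, after: Snapshot) -> dict:
    """Combine the descriptive header fields with the observed system changes."""
    mark = dict(meta)
    mark["registry"] = diff_category(before.registry, after.registry)
    files = diff_category(before.files, after.files)
    # Hash of each file created (or changed) by the tool.
    files["hashes"] = {p: hash_bytes(after.files[p]) for p in files["added"] + files["modified"]}
    mark["files"] = files
    mark["services"] = diff_category(before.services, after.services)
    mark["processes"] = {
        "created": sorted(after.processes - before.processes),
        "killed": sorted(before.processes - after.processes),
    }
    mark["users"] = diff_category(before.users, after.users)
    # Simple persistence heuristic: new Run-key values and new services.
    mark["persistence"] = (
        [k for k in mark["registry"]["added"] if "\\Run\\" in k]
        + ["service:" + s for s in mark["services"]["added"]]
    )
    return mark


# Constructed sample snapshots (hypothetical tool "exampletool", invented paths).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = Snapshot(
    registry={RUN_KEY + r"\Existing": r"C:\Program Files\existing.exe"},
    files={r"C:\Tools\settings.ini": b"verbose=0\n"},
    services={"Spooler": "auto"},
    processes={"explorer.exe"},
    users={"admin": ("Administrators",)},
)
AFTER = Snapshot(
    registry={
        RUN_KEY + r"\Existing": r"C:\Program Files\existing.exe",
        RUN_KEY + r"\ExampleTool": r"C:\Tools\exampletool.exe",
    },
    files={
        r"C:\Tools\settings.ini": b"verbose=1\n",
        r"C:\Tools\exampletool.exe": b"MZ constructed sample bytes",
    },
    services={"Spooler": "auto", "ExampleToolSvc": "auto"},
    processes={"explorer.exe", "exampletool.exe"},
    users={"admin": ("Administrators",), "exampleuser": ("Users",)},
)
META = {
    "software_name": "exampletool",           # hypothetical
    "software_version": "0.1",
    "author": "unknown",
    "downloaded_from": "placeholder-url",
    "intended_use": "not stated",
    "runs_on": "Windows (lab VM)",
    "privileges_required": "Administrator",
}


def example_mark() -> dict:
    """Build the tool mark for the constructed scenario above."""
    return build_tool_mark(META, BEFORE, AFTER)


if __name__ == "__main__":
    import json
    print(json.dumps(example_mark(), indent=2))
```

Each entry in the resulting record maps directly onto a template line (Registry, File System, Services, Processes, Users/Groups, persistence), so a library of these records can be searched by artifact when an unknown system shows, say, a particular Run-key value or service name.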
Saturday, January 5, 2008
1 comment:
It looks good. I am sure as you start adding actual data you may find a few things to add or delete.
Mark