Windows Forensics: Have I been Hacked?
The guys over at Bleeping Computer have written a tutorial
that will show you how to determine if your Windows NT, XP, or 2000 box
is hacked and how you can go about cleaning up the files an attacker may
have left behind.
The tutorial shows you how to detect most hacks, but there are other
methods that will be much harder to detect and will require a greater
degree of knowledge to find. The author believes that most of the hacks
that are done en masse, especially by the script kiddies, will be
detectable through these methods.
It's a fairly simplistic approach, but it does give a good overview of
some of the tools that a forensic analysis of a Windows system should
use:
- Fport – Lists all open ports (think netstat)
- TCPView – Similar to Fport, but graphical, and shows more info such as CLOSED connections (very important for post-analysis)
- Process Explorer – A great tool from Sysinternals which shows parent/child relationships between processes
- PSTools – A set of command-line tools used to start and kill processes, control services, change passwords etc.
- Filealyzer – A Windows Explorer shell extension added to the right-click menu on a file
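As an added example (not part of this post or of the Bleeping Computer tutorial), the PowerShell below reproduces two of the views above with built-in cmdlets: the Fport/TCPView port-to-owning-process mapping and the Process Explorer parent/child chain, plus a simple triage filter. It assumes a modern Windows host (Windows 8 / Server 2012 or later, for Get-NetTCPConnection) and an elevated prompt; the path heuristic is the author of this example's own, not the tutorial's.

```powershell
# Added example (not from the tutorial): approximate the Fport/TCPView view
# (port -> owning process) and the Process Explorer view (parent/child chain)
# with built-in cmdlets. Assumes Windows 8 / Server 2012 or later and an
# elevated prompt, otherwise OwningProcess and ExecutablePath come back empty.

# Snapshot processes once, keyed by PID, so parent chains can be walked.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Get-ProcessChain {
    # Root-to-leaf names, e.g. "wininit.exe > services.exe > svchost.exe".
    param([int]$ProcessId)
    $chain = @(); $seen = @{}; $cur = $ProcessId
    while ($cur -and $procs.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true                     # guard against PID-reuse loops
        $chain = @($procs[$cur].Name) + $chain
        $cur = [int]$procs[$cur].ParentProcessId
    }
    $chain -join ' > '
}

# Every TCP endpoint, including CLOSE_WAIT/TIME_WAIT leftovers, which the
# post notes are useful after the fact.
$report = foreach ($c in Get-NetTCPConnection) {
    $p = $procs[[int]$c.OwningProcess]
    [pscustomobject]@{
        LocalPort  = $c.LocalPort
        RemoteAddr = $c.RemoteAddress
        RemotePort = $c.RemotePort
        State      = "$($c.State)"
        PID        = $c.OwningProcess
        Process    = if ($p) { $p.Name } else { '<exited>' }
        Path       = if ($p -and $p.ExecutablePath) { $p.ExecutablePath } else { '' }
        Chain      = Get-ProcessChain -ProcessId $c.OwningProcess
    }
}

# Triage filter (this example's own heuristic): listeners and live connections
# owned by an image outside the Windows or Program Files trees, or with no
# image path at all. PID 4 (System) legitimately has none, so it is excluded.
$suspect = $report | Where-Object {
    $_.State -in 'Listen', 'Established' -and $_.PID -ne 4 -and
    ($_.Path -eq '' -or $_.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files)')
}

$report | Sort-Object State, LocalPort | Format-Table -AutoSize
'--- Endpoints worth a second look ---'
$suspect | Format-Table LocalPort, RemoteAddr, State, Process, Path, Chain -AutoSize
```

A hit in the second table is a starting point for the file-level checks the tutorial goes on to describe, not a verdict; legitimate software installed outside the standard trees will show up there too.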
If you ever have to work on a Windows system for any sort of forensic
analysis, you really need to learn these tools. This article is a good
way to start.
[Dana Epp's ramblings at the Sanctuary]