ok see how visual route goes on this one..
best of luck.. I have a beer that says you don't even get the correct state in Australia..
Quote:
203.51.230.138
cheers
Brisbane somewhere near a place called bigpond??? am I even close?
sitting back sipping my beer
can anyone get close to me I would like to know 68.224.227.57
PoSer: Nevada NV 89191-7073, or NV 89496-5000? Just a guess, worth a try
close but still about 150 miles out?
thanks for trying though.
Aze:
I, and the general consensus of the computer forensics community, would disagree with you there. The intent is to preserve the system as it stands once all non-invasive investigation is complete. Thus you do not even disconnect it from the network. If it is being destructive you forego the non-invasive investigation and, literally, pull the plug. If you disconnect it you may trigger an event that alters the state of the box.
Quote:
Just a side note, Juridian if you did suffer a real break in and you needed to collect forensic evidence you would not pull the plug on your box. The power down could have undesired effects.
Then you remove the drive, place it in another computer with a different drive that you boot from and you make 2 images, one for investigation - thus it will be changed - and one as a backup of the original state should you need to create another image later. The original disk is then protected and secured with a log of what has happened to it and another log of its "travels" should it be required to be moved. Then you can begin the real investigation.
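As an added illustration of the two-image workflow in the post above (this is example code written for this page, not anything posted in the thread): the original is read through a write-blocking wrapper, hashed, imaged twice, and every step lands in a custody log. The "drive" is a constructed in-memory byte string standing in for a block device, and the examiner name and case id are made-up placeholders.

```python
"""Added example (not from the thread): two verified images of a seized
drive plus a custody log. The evidence "drive" is a constructed byte
string; examiner and case id are placeholders."""
import datetime
import hashlib
import io

SECTOR = 512
# Constructed 2048-byte "evidence drive": four sectors of a repeating pattern.
SEED_DRIVE = bytes(range(256)) * 8


class WriteBlocked:
    """Read-only wrapper standing in for a hardware write blocker: the
    original can be read and imaged but any write attempt is refused."""

    def __init__(self, drive_bytes):
        self._raw = io.BytesIO(drive_bytes)

    def seek(self, pos):
        return self._raw.seek(pos)

    def read(self, n=-1):
        return self._raw.read(n)

    def write(self, _data):
        raise PermissionError("evidence drive is write-blocked")


def sha256_hex(data):
    """SHA-256 of an in-memory image, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(src, chunk=SECTOR):
    """Hash a (possibly large) source sector by sector without copying it."""
    h = hashlib.sha256()
    src.seek(0)
    while True:
        block = src.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def image_drive(src, dst, chunk=SECTOR):
    """Copy src to dst sector by sector; return SHA-256 of the bytes written."""
    h = hashlib.sha256()
    src.seek(0)
    while True:
        block = src.read(chunk)
        if not block:
            break
        dst.write(block)
        h.update(block)
    return h.hexdigest()


def _entry(log, case_id, examiner, text):
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    log.append(f"{stamp} {case_id} {examiner} {text}")


def acquire(drive_bytes, examiner, case_id, log=None):
    """Hash the original, take a working image and a backup image, verify
    that all three hashes agree, and record each step in the custody log."""
    log = [] if log is None else log
    src = WriteBlocked(drive_bytes)
    original = sha256_of(src)
    _entry(log, case_id, examiner, f"hashed original sha256={original}")
    working, backup = io.BytesIO(), io.BytesIO()
    working_hash = image_drive(src, working)
    _entry(log, case_id, examiner, f"imaged working copy sha256={working_hash}")
    backup_hash = image_drive(src, backup)
    _entry(log, case_id, examiner, f"imaged backup copy sha256={backup_hash}")
    verified = original == working_hash == backup_hash
    _entry(log, case_id, examiner, "verification " + ("OK" if verified else "FAILED"))
    return {
        "original_sha256": original,
        "verified": verified,
        "working": working.getvalue(),
        "backup": backup.getvalue(),
        "log": log,
    }


def verify_image(image_bytes, expected_sha256):
    """Re-check an image against the recorded hash before relying on it,
    e.g. before cutting a fresh working copy from the backup."""
    return sha256_hex(image_bytes) == expected_sha256


if __name__ == "__main__":
    result = acquire(SEED_DRIVE, "examiner-placeholder", "CASE-PLACEHOLDER")
    print("\n".join(result["log"]))
    print("verified:", result["verified"])
```

The working copy is the one the investigation alters; the backup is only ever read, and `verify_image` is what you run on it before cloning a new working copy, so a mismatch is caught before any finding is built on a bad image.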
Hi rmcgoo
Welcome to AO
You are getting connection attempts from "someone" apparently a long way away.
1. Is the IP address always the same EXACTLY? that is, are all four sets of numbers identical?
2. Do you know anyone you can trust, and find out if they are having the same experience?
3. Are the first 2/3 blocks of the IP address the same as your ISP?
The reason that I ask is that there are a number of malwares (virii/worms) that are "network aware" and look for "sub-nets" to spread along. At one time I was getting 500 hits/hour because of this. All from machines in the same ISP address block as myself.
What I am asking is, have we established that this is a deliberate attempt to attack you or is it just some "girl's blouse" with an unpatched NT/2k/XP box who has become infected and does not even know it? In that case question #2 and #3 above are relevant.
Question #1 is not conclusive unless the answer is "yes"..........in that case you are the target and they are probably using cable (I don't know anything about satellite I am afraid).
If you are using 56.6 or DSL and disconnect regularly, you will get a different IP addy each time, but I would expect the first 2 blocks to be the same, certainly the first one (I am going by my English experience here). This would be inconclusive. If there is no change in the attackers addy over (say) 30 minutes then I would say it is an attack on you. If there is a slight change (last 2 blocks) then I suspect a net worm.
"250 lb jock knocking on their door"..........hmmmmmmmmmm......Tiger Shark and I have done some behind the scenes trading......he gets the ticket sales and I get the hot dog franchise :D
Good luck
And I'd like to add some other advice:
Please do not publish IP addresses of yourself or those who are bothering you as not everyone that visits AO is ...errr.. shall we say ethical?
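The three questions above (same exact address every time? same first blocks as your own ISP? does a trusted neighbour see it too?) turn into a short triage you can run over your own firewall log. The following is an added example written for this page, not code from the thread: the log lines are constructed, the address format is an assumed "src:port -> dst:port" layout, and every address is a made-up placeholder rather than a real host.

```python
"""Added example (not from the thread): triage repeated connection attempts
in a firewall log. Log lines and addresses are constructed placeholders."""
import ipaddress
import re
from collections import Counter

MY_ADDR = "203.0.113.45"   # placeholder for your own address

# Constructed: the same source address every time over ~30 minutes.
TARGETED_LOG = [
    "2003-05-01 10:00:01 DROP TCP 198.51.100.7:4123 -> 203.0.113.45:135",
    "2003-05-01 10:07:44 DROP TCP 198.51.100.7:4301 -> 203.0.113.45:445",
    "2003-05-01 10:29:10 DROP TCP 198.51.100.7:4388 -> 203.0.113.45:139",
]

# Constructed: many neighbours sharing the first two blocks with MY_ADDR,
# only the last blocks changing.
WORM_LOG = [
    "2003-05-01 10:00:01 DROP TCP 203.0.113.200:1057 -> 203.0.113.45:135",
    "2003-05-01 10:00:09 DROP TCP 203.0.113.91:1058 -> 203.0.113.45:135",
    "2003-05-01 10:00:15 DROP TCP 203.0.97.12:1102 -> 203.0.113.45:135",
    "2003-05-01 10:00:22 DROP TCP 203.0.120.77:1099 -> 203.0.113.45:135",
]

# Assumed log layout: "... SRC:PORT -> DST:PORT"; the first match is the source.
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ")


def parse_sources(lines):
    """Source address of every line that matches the assumed layout."""
    out = []
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            out.append(ipaddress.ip_address(m.group(1)))
    return out


def shared_octets(a, b):
    """How many leading octets two IPv4 addresses have in common (0-4)."""
    n = 0
    for x, y in zip(a.packed, b.packed):
        if x != y:
            break
        n += 1
    return n


def assess(my_addr, lines):
    """Answer questions 1 and 3 from the log: one fixed source, or many
    sources in your own ISP block, or something else."""
    me = ipaddress.ip_address(my_addr)
    srcs = parse_sources(lines)
    if not srcs:
        return {"verdict": "no parseable sources", "attempts": 0}
    counts = Counter(srcs)
    same_block = sum(1 for s in srcs if shared_octets(s, me) >= 2)
    private = sum(1 for s in srcs if s.is_private)
    if len(counts) == 1:
        verdict = ("single fixed source across the window: treat as a "
                   "deliberate attempt on this host")
    elif same_block == len(srcs):
        verdict = ("all sources in your ISP's block, varying in the last "
                   "blocks: typical of a network-aware worm on neighbouring hosts")
    elif private == len(srcs):
        verdict = ("all sources are private addresses: look for an infected "
                   "machine on your own LAN")
    else:
        verdict = ("mixed sources: inconclusive, keep logging and compare "
                   "notes with a trusted neighbour")
    return {
        "verdict": verdict,
        "attempts": len(srcs),
        "distinct_sources": len(counts),
        "same_block": same_block,
        "top_source": str(counts.most_common(1)[0][0]),
    }


if __name__ == "__main__":
    for name, log in (("targeted", TARGETED_LOG), ("worm", WORM_LOG)):
        print(name, assess(MY_ADDR, log))
```

Question 2 (does someone you trust see the same thing?) has no log answer; the script only tells you which of the two patterns your own log matches, which is exactly what decides whether the answer to question 2 matters.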
Well, actually there are a couple of recommended methods according to all my reading, training, etc. It really all depends on if you are going for live acquisition or if you want to capture the hard drive in a single state.
Quote:
Originally posted here by aze
Just a side note, Juridian if you did suffer a real break in and you needed to collect forensic evidence you would not pull the plug on your box. The power down could have undesired effects. You would disconnect from the network, note any running processes, and what may have been going on. Then when your local network guru or whomever you call for help arrives they can take the appropriate measures, i.e. complete disk to disk dump etc.
Just my spare change
AZE
Pulling the power cord is recommended by many agencies (such as SANS/GIAC, ISS, etc) because you never know what may be set off on the drive if you try an actual power down or if you pull the netcable. There is the possibility that there will be a piece of malware looking for the connection with the intent of wiping out the data you need (also why it's recommended that incident handlers carry a hub with them).
It's just the old 'pull the plug' dilemma rearing its ugly head....
Juridian: Ok.... I can agree with that. Since Aze was talking about plug pulling I stayed on that subject. But yes, you are right if you are looking to capture live data on the wire.... That was my point about the non-invasive evidence gathering/if it is doing harm with regard to pulling the plug.
It is a dilemma, but I tend to fall on the "Pull and be damned side" simply because a proper shutdown does alter the registry hives and also I have no idea at this point what logic bombs the little devil might have planted..... I would leave it until I see no drive activity though if at all possible to minimize the chance of damaging the disk myself.