  1. #1
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    791

    Tool list suggestions

    Someone (a typical home computer user) has contacted me concerning a problem with their computer. It is possible that it is a spoofing incident, but the circumstances indicate strongly it is some type of Trojan / backdoor.

    (I can't / won't be more specific at this time)

    Over the phone I guided them through updating their anti-virus software (found nothing), installing a firewall (Zone-Alarm) and downloading and installing Ad-Aware (found in excess of 450 items, which were removed!) and directed them toward the thread How to Lock Down Your WinXP Box...
    which I was told they did. Also I was told that they have kept up with Microsoft updates.

    I scanned their ports over the net. (They have a cable modem w/router; found nothing unusual, but I was scanning the router, which I believe is a Linksys.)

    The problem still persists.

    At this time I am just going to try to identify the problem, am not foreseeing I will need forensic evidence for a court, and so I believe I should start by NOT disconnecting from the net to have them bring the machine to me.

    Looks like a Road Trip!!

    My question is, what tools should I bring with me? So far I have decided on SuperScan 3.0 and Fport, both from http://www.foundstone.com

    Any other suggestions??
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  2. #2
    Member Dark Phoen1x
    Join Date
    Jul 2003
    Posts
    55
    You could also try Advanced Administrative Tools; at this time you can download a trial version of it. You can download it here: www.glocksoft.com/aatools.htm . It's a very useful tool as it has almost everything from whois, proxy analyzer, email verifier, link verifier and all kinds of other cool stuff. Good luck, I'm at work right now but when I get home later on I'll get you some more programs that you could use.
    "Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live." — Peter Cochrane

  3. #3
    Senior Member Tedob1
    Join Date
    Nov 2001
    Posts
    4,786
    PsTools kit from sysinternals.com

    I'd like to give you more information but I'm afraid I can't/won't at this time (it's got a readme anyway)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Posts
    1,835
    www.atstake.com/research/tools/Network_utilities is a site full of cool tools; also it gives you links to other sites with tools, I believe. A very good site which I use myself is: http://neworder.box.sk . Try them out, GOOD LUCK

  5. #5
    Member da'dodo
    Join Date
    Sep 2002
    Posts
    77
    Don't forget the basics. If he/she's been hacked, you can't truly rely on the basic MS utils that come with the OS. They could have been compromised.
    "Death is more universal than life; everyone dies but not everyone lives."
    A. Sachs

  6. #6
    Junior Member jadetiger
    Join Date
    Aug 2003
    Posts
    11
    I would recommend using AccessData's FTK (Forensic Toolkit) at http://www.accessdata.com/Product04_...?ProductNum=04 which is expensive, but cheaper than their competitor. I purchased the Ultimate Toolkit and a week-long training course on the product. It's awesome.

  7. #7
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    791
    Thanks for the advice, here’s an update.

    Due to scheduling problems I could not get together with her to check the computer myself.

    Here is what was happening; she was receiving e-mails sent from her own cable account to her AOL account which contained pictures and documents from her computer! She even received them after she updated her anti-virus software, installed firewall, etc.

    I also began noticing reported attacks starting to show up from her cable address on Dshield.

    I sent her an e-mail with the links to Trojan Remover and The Cleaner but that e-mail disappeared!

    I contacted her after not hearing a reply for a few days and resent the e-mail; she checked the system using the above programs and found nothing. But the e-mails, etc. seemed to have stopped (for now).

    I’m hoping the hacker read the e-mail and cleaned the system themselves to cover their tracks. She has also been advised to change all passwords, etc.

    Crossing my fingers on this one.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
