Checking for Signs of a Compromised System

Here's another useful resource for checking systems for signs that they might have been compromised.

ITPro Today

January 18, 2005


Yesterday I posted a blog entry about a whitepaper that explains how to gather forensic evidence from a Windows system. I found another useful whitepaper that explains how to check a system for signs of compromise. The whitepaper, "Checking Microsoft Windows® Systems for Signs of Compromise," (available in PDF format) offers a high-level perspective on the basics of system analysis.

As you'll see when you read the whitepaper, the introduction states that, "This guide does not cover the administrative aspects of a compromise, rather it is intended to outline useful tips in finding malware, links to tools for examining the system and define the reasons for undergoing this work.

"This document will deal with basic levels of intrusion analysis, aimed mainly at intrusions on desktop systems, or initial examination of servers. It is not an in-depth technical discussion of recovery of mission critical servers. It should also be noted that a number of these tools will change the file system - this will more than likely make the drive inadmissible as evidence. If you think you might want to involve law enforcement, this isn't the guide to read!"
