Computer Forensics World: Forums

Computer evidence IP

 
pimp
Newbie
Joined: Sep 20, 2014
Posts: 8

Posted: Fri Nov 18, 2016 6:45 am    Post subject: Computer evidence IP

Hello to all,

The other day I had a problem with a computer. It has static addressing (IP, gateway, DNS) and it couldn't surf the Internet. After a little while I realized that the static gateway IP had been changed; in other words, on Thursday the configuration was OK and on Friday it was bad. As far as I know, no one in the department has changed the IP of the gateway, and the user doesn't have any privileges. So,

1. Is there any malware which changes this IP?
2. In case someone has changed this registry key, and taking into account that we had to change it because the user needed to access applications and email, what evidence can we look for to find out what happened?

The PC has Windows XP SP3 installed.

Thanks in advance.
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Fri Nov 18, 2016 9:07 am    Post subject:

There is absolutely NO way to answer that question without having hands on the system.
athulin
Newbie
Joined: Oct 19, 2007
Posts: 241

Posted: Sat Nov 19, 2016 5:53 pm    Post subject: Re: Computer evidence IP

pimp wrote:
1. Is there any malware which changes this IP?
2. In case someone has changed this registry key, and taking into account that we had to change it because the user needed to access applications and email, what evidence can we look for to find out what happened?


Find out:

What was the last time everything worked? Preferably from local logs and other time-stamped events.

What was the time when things stopped working? Again, from logs.

What happened in the meantime? What users accessed the system? (All of them, including system accounts, help desk accounts, the lot.) What programs executed? What files were created or modified? What external devices were connected? (Include file shares here.) Anything that might operate as a network device? What configurations were changed? (If the system is in a Windows domain, did anything change in that domain?) Were any system patches installed? How? And also what events were reported in the system logs.

Once you have that, you may have enough data to formulate some hypotheses about what happened.

I'd probably like to check the system physically: does it pass power-on self checks? Particularly memory test? I might also like to check out that it isn't under-powered, just in case. And perhaps also how it is shut down at night, if at all. (I've seen odd things happen on systems that were brutally powered down, instead of shut down in an orderly fashion.)
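The narrowing-down described in the post above (last known-good time, first known-bad time, everything in between), as an added example that is not part of the thread. It assumes the static gateway lives where Windows normally keeps it, in the `DefaultGateway` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`, and every timestamp, account and file name in the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_utc(kind, raw):
    """Normalise the time bases met on a Windows XP box to aware UTC."""
    if kind == "filetime":   # registry key LastWrite: 100 ns ticks since 1601 UTC
        return FILETIME_EPOCH + timedelta(microseconds=raw // 10)
    if kind == "epoch":      # .evt record TimeGenerated: seconds since 1970 UTC
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    if kind == "iso":        # analyst notes / tool output with an explicit offset
        return datetime.fromisoformat(raw).astimezone(timezone.utc)
    raise ValueError(f"unknown time base: {kind}")

def window_timeline(artifacts, last_good, first_bad):
    """Return sorted (utc, source, detail) rows between the two anchors."""
    if first_bad < last_good:
        raise ValueError("first_bad precedes last_good; re-check the anchors")
    rows = [(to_utc(k, raw), src, detail) for k, raw, src, detail in artifacts]
    return sorted(r for r in rows if last_good <= r[0] <= first_bad)

def near(timeline, pivot_source, minutes=10):
    """Rows within +/- minutes of the first row from pivot_source."""
    pivot = next(t for t, src, _ in timeline if src == pivot_source)
    span = timedelta(minutes=minutes)
    return [r for r in timeline if abs(r[0] - pivot) <= span]

# Constructed sample data; none of it comes from the thread.
LAST_GOOD = to_utc("iso", "2016-11-10T17:05:00+10:00")  # last page in browser history
FIRST_BAD = to_utc("iso", "2016-11-11T09:10:00+10:00")  # user reports no Internet
ARTIFACTS = [
    ("epoch", 1478678400, "Security.evt", "logon: user (day before, out of window)"),
    ("epoch", 1478817480, "Security.evt", "logon: helpdesk account"),
    ("filetime", 131232912600000000, "registry",
     r"LastWrite of Tcpip\Parameters\Interfaces\{GUID} (holds DefaultGateway)"),
    ("iso", "2016-11-11T08:42:10+10:00", "filesystem",
     "Prefetch entry for NETSH.EXE updated"),
    ("epoch", 1478826000, "System.evt", "service start (after first_bad)"),
]

if __name__ == "__main__":
    tl = window_timeline(ARTIFACTS, LAST_GOOD, FIRST_BAD)
    for t, src, detail in near(tl, "registry"):
        print(t.isoformat(), src, detail)
```

A key's LastWrite time moves when any value under that key changes, so it bounds when the interface settings were touched rather than proving which value was edited.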
SgtJackie
Newbie
Joined: Dec 01, 2015
Posts: 19
Location: Aberdeen, Scotland

Posted: Fri Nov 25, 2016 12:27 am    Post subject:

I've never heard of a static IP changing by itself. My gut feeling would suggest that somebody, somewhere, has manually changed it (and not owning up because they think they might be in trouble). Check your syslogs!
All times are GMT + 10 Hours