Computer evidence IP


pimp

Sep 19, 2014
#1
Hello to all,

The other day I had a problem with a computer. It has static addressing (IP, gateway, DNS) and it couldn't surf the Internet. After a little while I realized that the static gateway IP had been changed; in other words, on Thursday the configuration was OK and on Friday it was bad. As far as I know, no one in the department has changed the IP of the gateway, and the user doesn't have any privileges. So,

1. Is there any malware which changes this IP?
2. In case someone has changed this registry key, and taking into account that we had to change it back because the user needed to access applications and email, what evidence can we look for to find out what happened?

The PC has installed Windows XP SP3.

Thanks in advance.

athulin

Oct 18, 2007
#3
pimp said:
1. Is there any malware which changes this IP?
2. In case someone has changed this registry key, and taking into account that we had to change it back because the user needed to access applications and email, what evidence can we look for to find out what happened?
Find out:

What was the last time everything worked? Preferably from local logs and other time-stamped events.

What was the time when things stopped working? Again, from logs.

What happened in the meantime? What users accessed the system? (All of them, including system accounts, help desk accounts, the lot.) What programs executed? What files were created or modified? What external devices were connected? (Include file shares here.) Anything that might operate as a network device? What configurations were changed? (If the system is in a Windows domain, did anything change in that domain?) Were any system patches installed? How? And also what events were reported in the system logs.

Once you have that, you may have enough data to formulate some hypotheses about what happened.

I'd probably like to check the system physically: does it pass power-on self checks? Particularly memory test? I might also like to check out that it isn't under-powered, just in case. And perhaps also how it is shut down at nights, if at all. (I've seen odd things happen on systems that were brutally powered down, instead of shut down in an orderly fashion.)
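The bracket-and-fill approach in the answer above (pin down the last time it worked, the first time it was known broken, then list everything that happened in between) can be scripted once the timestamped records have been collected. The block below is an added example and not part of the original thread: the `|`-separated record format, the source names, the account names and the help desk ticket are all constructed. One timestamp worth collecting on Windows XP is the LastWrite time of the interface key under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`, which is where the static `DefaultGateway` value is stored.

```python
"""Bracket-and-fill timeline for a 'static gateway changed' investigation.

Added example with constructed records (not real logs from the thread).
Record format, one per line:  ISO-8601 timestamp | source | detail
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    detail: str


# Constructed sample records. The sources stand for the evidence types listed
# in the answer: proxy (last time the PC reached the Internet), Security log
# (who logged on), prefetch (what ran), registry LastWrite of the TCP/IP
# interface key (when the static configuration was touched), System log
# (shutdowns/boots), help desk (when it was reported broken).
# Account names and the interface GUID are placeholders.
SAMPLE_RECORDS = """\
2014-09-18T16:40:12 | proxy    | 10.0.0.25 GET http://example.com/ 200
2014-09-18T17:02:30 | eventlog | Security 528 logon user=acct_B type=2
2014-09-18T17:03:05 | prefetch | NETSH.EXE last run
2014-09-18T17:03:09 | registry | HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{IFACE-GUID} LastWrite
2014-09-18T17:30:00 | eventlog | System 6006 event log service stopped (shutdown)
2014-09-19T08:05:44 | eventlog | System 6005 event log service started (boot)
2014-09-19T08:06:10 | eventlog | Security 528 logon user=acct_A type=2
2014-09-19T08:31:00 | helpdesk | ticket 1234: 10.0.0.25 cannot reach the Internet
"""

# Substrings that point at the network configuration having been touched
# (the registry path of the TCP/IP interfaces key, its value name, and the
# built-in tools that write it). Matching is case-insensitive.
NETWORK_CONFIG_TERMS = (
    "tcpip\\parameters\\interfaces",
    "defaultgateway",
    "netsh",
    "ipconfig",
)


def parse_records(text: str) -> List[Event]:
    """Parse 'timestamp | source | detail' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, detail = (part.strip() for part in line.split("|", 2))
        events.append(Event(datetime.fromisoformat(ts), source, detail))
    return sorted(events, key=lambda e: e.ts)


def bracket(events: List[Event],
            known_good: Callable[[Event], bool],
            known_bad: Callable[[Event], bool]) -> Tuple[datetime, datetime]:
    """Return (last known-good time before the first known-bad time, first known-bad time)."""
    bad_times = [e.ts for e in events if known_bad(e)]
    if not bad_times:
        raise ValueError("no known-bad record")
    end = min(bad_times)
    good_before = [e.ts for e in events if known_good(e) and e.ts < end]
    if not good_before:
        raise ValueError("no known-good record earlier than the first known-bad one")
    return max(good_before), end


def window(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """Everything strictly between the two bracketing records."""
    return [e for e in events if start < e.ts < end]


def flag_network_config(events: List[Event]) -> List[Event]:
    """Records whose detail mentions a network-configuration artefact."""
    return [e for e in events
            if any(term in e.detail.lower() for term in NETWORK_CONFIG_TERMS)]


def investigate(text: str = SAMPLE_RECORDS) -> Dict[str, object]:
    """Run the bracket-and-fill procedure over a set of records."""
    events = parse_records(text)
    start, end = bracket(
        events,
        known_good=lambda e: e.source == "proxy" and e.detail.endswith(" 200"),
        known_bad=lambda e: e.source == "helpdesk",
    )
    inside = window(events, start, end)
    return {"start": start, "end": end, "window": inside,
            "flagged": flag_network_config(inside)}


if __name__ == "__main__":
    result = investigate()
    print(f"change happened between {result['start']} and {result['end']}")
    for e in result["window"]:
        mark = "!" if e in result["flagged"] else " "
        print(f"{mark} {e.ts} {e.source:8} {e.detail}")
```

The two predicates passed to `bracket` are the only part tied to the sample: in a real case they would match whatever record proves the PC still had Internet access (proxy hit, successful update check) and whatever record first proves it did not (ticket, failed update, user report). The flagged lines are leads to verify, not conclusions; a prefetch entry for `netsh` only says the tool ran, not who ran it or what it did.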

SgtJackie

Nov 30, 2015
#4
I've never heard of a static IP changing by itself. My gut feeling would suggest that somebody, somewhere, has manually changed it (and not owning up because they think they might be in trouble). Check your syslogs!