#14
Old March 13, 2013, 01:54 PM
Desiato
MVP
 
Join Date: Mar 2010
Location: Ottawa
Posts: 445

It's been a long time since I was actively interested in network security, so this is extremely far from professional advice, but here's what I might do in your situation:

- I wouldn't spend much time in the OS itself, especially if you're not familiar with it. If the logs don't reveal anything, and there are no obvious signs such as recently modified executables or changes to users, I'd move on to external detection.
- Some of this *might* be relevant: Intrusion Discovery Cheat Sheet (Linux) | My Stupid Forensic Blog
- For external detection, I might connect it directly to a Linux system via a crossover cable to an adapter set to promiscuous mode and monitor its activity through something like Wireshark.
- I might do the same for each of the Windows systems, considering there are so few.
- If the source of the intrusion cannot be confirmed, I'd reimage everything.
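The external-detection step in the post above, watching what the suspect box does on the wire from a second Linux system, produces a capture that still has to be read. The script below is an added example, not code from the original post or from the poster: it parses `tcpdump -nn -tttt` style text (what the monitoring box would print, or what `tshark` can be made to print) and flags the two things a first pass usually looks for, connections to addresses outside the local networks and connections that recur on a fixed timer (beaconing). The suspect host address, the list of local networks and the capture lines are all constructed assumptions for the example; the IPs outside 192.168.1.0/24 are documentation addresses standing in for real ones.

```python
"""Triage a suspect host's traffic captured from a monitoring box.

Added example, not from the original post. Input is `tcpdump -nn -tttt`
text; output is a summary of what the host initiates, which
destinations are external, and which flows look timer-driven.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed local ranges for this example; anything else counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# One packet per line, as printed by `tcpdump -nn -tttt` (IPv4 only here).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$")
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA)\? (?P<name>[\w.-]+)\.")

# Constructed sample, not a real capture. 192.168.1.10 is the suspect host;
# 192.0.2.10 stands in for an update server, 203.0.113.77 for an unknown
# external host that the box contacts every 60 seconds.
SAMPLE_CAPTURE = """\
2013-03-13 14:00:00.000000 IP 192.168.1.10.49152 > 192.168.1.1.53: 12345+ A? updates.example.com. (37)
2013-03-13 14:00:00.010000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
2013-03-13 14:00:00.050000 IP 192.168.1.1.53 > 192.168.1.10.49152: 12345 1/0/0 A 192.0.2.10 (53)
2013-03-13 14:00:00.120000 IP 192.168.1.10.49153 > 192.0.2.10.443: Flags [S], seq 100, win 8192, length 0
2013-03-13 14:00:00.180000 IP 192.0.2.10.443 > 192.168.1.10.49153: Flags [S.], seq 200, ack 101, win 65535, length 0
2013-03-13 14:00:30.000000 IP 192.168.1.10.49154 > 203.0.113.77.8080: Flags [S], seq 300, win 8192, length 0
2013-03-13 14:01:30.100000 IP 192.168.1.10.49155 > 203.0.113.77.8080: Flags [S], seq 301, win 8192, length 0
2013-03-13 14:02:00.000000 IP 192.168.1.10.49159 > 192.168.1.20.445: Flags [S], seq 400, win 8192, length 0
2013-03-13 14:02:30.050000 IP 192.168.1.10.49156 > 203.0.113.77.8080: Flags [S], seq 302, win 8192, length 0
2013-03-13 14:03:30.200000 IP 192.168.1.10.49157 > 203.0.113.77.8080: Flags [S], seq 303, win 8192, length 0
2013-03-13 14:04:30.000000 IP 192.168.1.10.49158 > 203.0.113.77.8080: Flags [S], seq 304, win 8192, length 0
"""


def parse_tcpdump(text):
    """Return one dict per IPv4 line; ARP and other non-IP lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def find_beacons(flows, min_count=4, max_cv=0.2):
    """Flows whose gaps between connection attempts are near-constant.

    cv is stdev/mean of the gaps: a small value means a timer, not a person.
    """
    hits = []
    for (dst, dport), stamps in flows.items():
        if len(stamps) < min_count:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            hits.append((dst, dport, len(stamps), round(mean, 1)))
    return hits


def triage(text, host):
    """Summarise only what `host` itself initiates: SYNs and DNS queries."""
    flows = defaultdict(list)  # (dst, dport) -> timestamps of SYNs
    dns_names = set()
    for rec in parse_tcpdump(text):
        if rec["src"] != host:
            continue
        if rec["dport"] == 53:
            m = DNS_QUERY_RE.search(rec["info"])
            if m:
                dns_names.add(m.group("name"))
            continue
        if "Flags [S]" in rec["info"]:  # new TCP connection attempts only
            flows[(rec["dst"], rec["dport"])].append(rec["ts"])
    return {
        "outbound": {k: len(v) for k, v in flows.items()},
        "external": sorted({d for d, _ in flows if is_external(d)}),
        "beacons": find_beacons(flows),
        "dns": sorted(dns_names),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE, "192.168.1.10").items():
        print(key, value)
```

On the sample the update-server connection and the 8080 traffic both show up as external, but only the 8080 flow is reported as a beacon, which is the distinction that matters when the host "looks normal" in Wireshark at a glance. Against a real capture, feed it `tcpdump -nn -tttt -r capture.pcap` output and lower `max_cv` if the host has a lot of legitimate polling traffic.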