Auditing NT - presented at BlackHatAsia 2000

by Jd Glaser

Summary: This talk will be the third in a series to address the issue of auditing an NT box after a break-in. Specifically, we will extend our look under the hood to find places where altered files can hide, as well as examine the evidence left behind by an intruder. This talk will also cover a set of tools that can uncover various hidden aspects of NT's internal state. NT's built-in tools are not sufficient in most cases for examining system state, so this talk includes a small tutorial on a suite of free tools I have made to aid Windows NT intrusion research. Details will include:
Examine NTFS file time stamping
Examine NT Drivers behavior
Examining permissions/file attributes
Examining COM security backdoors Part III
Looking for trojan behavior Part III
Finding backdoors in Windows NT