Profile: Dan O'Connor
I am just at the point where I am ready to take the bot we built and see if we can get it to run on the target machine. But I want to make sure we are going to collect every little thing we can.
What we are going to set up is the following.
- Capture network traffic with a sniffer. I have Wireshark already on the server, so it will do fine.
- Take a registry snapshot of the target machine.
- Raw disk image of the target machine.
- Finally, process and memory snapshots.
The traffic is encrypted, but capturing it will still give us a starting point. The registry, raw disk, process and memory snapshots will be compared before and after infection.
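To make the before/after comparison concrete, here is an added Python example (my own, not code from the original post). It parses two Windows `reg export` dumps, normalises two process listings and two file-hash manifests, and reports what appeared, disappeared or changed between the clean and infected states. The registry text, process rows and hash values are constructed sample data; `updater.exe` is a hypothetical bot standing in for ours, and the hash strings are placeholders, not real digests.

```python
"""Before-and-after snapshot diffing for an infection run (added example).

Handles a Windows `reg export` dump, a process listing and a file-hash
manifest. All sample data below is constructed; "updater.exe" is hypothetical.
"""
import re
from collections import Counter
from typing import Any, Dict, Iterable, Optional, Tuple

RegKey = Tuple[str, Optional[str]]  # (key path, value name); None = the key itself
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[RegKey, str]:
    """Parse `reg export` text into {(key path, value name): raw data}.

    Hex values wrapped over several lines (trailing backslash) are joined
    first. The key itself is stored under value name None so an empty new
    key still shows up as added. Data stays textual ("str", dword:, hex:).
    """
    joined = re.sub(r"\\\r?\n\s*", "", text)
    snapshot: Dict[RegKey, str] = {}
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            snapshot[(key, None)] = "<key>"
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1)  # None for "@", the key's default value
            name = "" if name is None else name.replace('\\"', '"').replace("\\\\", "\\")
            snapshot[(key, name)] = m.group(2).strip()
    return snapshot


def process_snapshot(rows: Iterable[Tuple[int, str, str]]) -> Dict[Tuple[str, str], int]:
    """Normalise (pid, image, cmdline) rows to {(image, cmdline): count}.
    PIDs are dropped: they change across the reboot between snapshots, while a
    new image or an extra instance of an existing one is what we want to see."""
    return dict(Counter((image, cmdline) for _pid, image, cmdline in rows))


def diff_snapshots(before: Dict[Any, Any], after: Dict[Any, Any]) -> Dict[str, Dict[Any, Any]]:
    """Return entries added, removed or changed between two snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


# ---- constructed sample snapshots (not from a real machine) -----------------
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\SOFTWARE\Updater]
"Id"=dword:00000001
"Config"=hex:01,00,\
  02,00
"""
SVCHOST = r"C:\Windows\system32\svchost.exe -k netsvcs"
BEFORE_PROCS = [(4, "System", ""), (612, "svchost.exe", SVCHOST),
                (1208, "explorer.exe", r"C:\Windows\explorer.exe")]
AFTER_PROCS = BEFORE_PROCS + [(640, "svchost.exe", SVCHOST),
                              (3020, "updater.exe", r"C:\Users\Public\updater.exe")]
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
BEFORE_FILES = {r"C:\Windows\explorer.exe": "a" * 8, HOSTS: "d" * 8}  # placeholder digests
AFTER_FILES = {r"C:\Windows\explorer.exe": "a" * 8, HOSTS: "e" * 8,
               r"C:\Users\Public\updater.exe": "c" * 8}


def run_example() -> Dict[str, Dict[str, Dict[Any, Any]]]:
    """Diff all three snapshot kinds on the sample data."""
    return {"registry": diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG)),
            "processes": diff_snapshots(process_snapshot(BEFORE_PROCS), process_snapshot(AFTER_PROCS)),
            "files": diff_snapshots(BEFORE_FILES, AFTER_FILES)}
```

On the sample data `run_example()` reports the new Run entry, the new `HKCU\SOFTWARE\Updater` key with its values, the modified `Userinit` string, the extra `svchost.exe` instance and the new `updater.exe` process, plus the new binary and the changed hosts file. For a real run, export each hive with `reg export <key> before.reg /y` before detonation and again afterwards (note that `reg export` writes UTF-16, so open the files with `encoding="utf-16"`), feed the two texts to `parse_reg_export`, and build the file manifests by hashing the mounted raw images. The Wireshark capture stays separate; since the traffic is encrypted it is a timeline to line up against these diffs rather than something to diff itself.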