Network connections methodology

In many incidents, the first indication that a system is compromised is an attempted or completed connection to an external host. Detection mechanisms such as firewalls or web proxies may report that one or more systems are attempting to communicate with suspect external hosts. From this starting point, it may be possible to identify potential malware on a system:

  1. Suspicious network connections: Reviewing the active network connections on a host that the perimeter alerts have associated with the suspect external host will often identify the process that is attempting to communicate (on Windows, `netstat -ano` lists each connection together with the owning PID).
  2. Process name: Once the connection is tied to a process, analysts can examine that process using the same steps found within the SANS methodology. It ...
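The two steps above, carried through in code as an added example (this is not the book's code): start from suspect external hosts reported by a firewall or proxy, parse the host's connection table, and resolve each suspicious connection to its owning process so that process can be examined next. The input is constructed text in the layout of Windows `netstat -ano` and `tasklist /FO CSV` output; the addresses, PIDs, process names and the suspect-host list are all made up for illustration.

```python
"""Correlate perimeter alerts with host connections and owning processes.

Added example, not from the book. Sample inputs below are constructed in the
layout of `netstat -ano` and `tasklist /FO CSV`; none of it is real data.
"""
import csv
import io
import ipaddress
from collections import namedtuple

# Constructed sample in the layout of `netstat -ano` (Windows). Not real data.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.168.1.50:49712     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.50:49715     198.51.100.7:8080      ESTABLISHED     4120
  TCP    192.168.1.50:49720     192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.50:49733     203.0.113.45:443       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2264
"""

# Constructed sample in the layout of `tasklist /FO CSV`. Not real data.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","936","Services","0","12,000 K"
"svchost.exe","2264","Services","0","8,500 K"
"updater.exe","4120","Console","1","31,004 K"
"""

# Hypothetical suspect hosts taken from firewall / web proxy alerts.
SUSPECT_HOSTS = {"203.0.113.45", "198.51.100.7"}

# Address space treated as internal for triage; anything else is "external".
# (Deliberately not ipaddress.is_private, which also covers the TEST-NET
# documentation ranges used in the sample above.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

Connection = namedtuple("Connection", "proto local foreign state pid")


def parse_netstat(text):
    """Parse `netstat -ano` rows into Connection tuples (UDP rows have no State)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        conns.append(Connection(proto, local, foreign, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def foreign_host(addr):
    """Return the IPv4 address part of 'host:port', or None for wildcards."""
    host = addr.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(netstat_text, tasklist_text, suspect_hosts):
    """Steps 1 and 2: suspicious connections -> owning process."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        ip = foreign_host(c.foreign)
        if ip is None:
            continue
        if str(ip) in suspect_hosts:
            reason = "matches perimeter alert"
        elif is_external(ip):
            reason = "external host not on alert list"
        else:
            continue
        # netstat reports PID 0 for sockets with no owner (e.g. TIME_WAIT after
        # the process closed them); the process list cannot resolve those.
        process = procs.get(c.pid, "<unknown>") if c.pid else "<no owning process>"
        hits.append({"proto": c.proto, "foreign": c.foreign, "state": c.state,
                     "pid": c.pid, "process": process, "reason": reason})
    return hits


def processes_to_examine(hits):
    """Distinct (pid, image) pairs that still own a suspicious connection."""
    return sorted({(h["pid"], h["process"]) for h in hits if h["pid"]})


if __name__ == "__main__":
    results = correlate(NETSTAT_OUTPUT, TASKLIST_CSV, SUSPECT_HOSTS)
    for h in results:
        print(f"{h['proto']:4} {h['foreign']:22} {h['state']:12} PID {h['pid']:<6} "
              f"{h['process']:20} ({h['reason']})")
    print("Processes to examine next:", processes_to_examine(results))
```

Two caveats matter in practice. Capture `netstat -ano` and `tasklist` as close together in time as possible, because a PID only identifies a process for as long as it lives and PIDs are reused; a connection whose owner has already exited shows PID 0 and has to be chased through other evidence (proxy logs, memory). Second, a connection to the alerting host that is not listed at all is not a clean result: it may simply have closed, or the malware may be hiding it, so an empty result should lead to memory analysis rather than closing the lead.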
