moth/puzzles/forensics/10/index.html


You have suspicions that a certain Windows box has been infected by a Trojan. You have been given access to a memory image from this box: <A href="http://10.1.1.2/10/xp-laptop-2005-06-25.img">xp-laptop-2005-06-25.img</A>. Use the memory image to determine if the machine has been infected.
<BR>
In order to answer the questions:
<BR>
- Determine if the machine has been infected.
<BR>
- If it has not been infected, list "no" as your answer.
<BR>
- If it has been infected, list the process name of the Trojan.
<BR>
HINT: You know from googling that the Trojan uses the passWD.log file.