Jarle,

I'd try running bulk_extractor against the memory dump and inspecting the PCAP that it dumps. I'd also try using yarascan for the IP address with both the default ASCII and the --wide option for Unicode.

I'd also use Volatility's strings (AOMF pages 514-516) to run through translated strings to dig deeper, if you haven't already, on any other IOCs like that suspect account you already know about.

Best,
JG

On Thu, Jun 9, 2016 at 6:39 AM, Jarle Thorsen <jarlethorsen@gmail.com> wrote:
I'm analyzing a Vista SP2 system that was compromised via a Remote Desktop login (somehow the culprit had access to correct login credentials).

Security.evtx only contains information about this single illegal login (and there are no indications that the event log was cleared).

The strange thing is that carving through memory for network packets (using CapLoader) I find packets showing RDP traffic to additional IPs, not only the one found in Security.evtx.

Any help in trying to put some context around these additional IPs found in memory, using Volatility or traditional disk forensics, is highly appreciated!

(The machine had only been running for about a week before the intrusion, so anything found in memory should in theory be backed up by information in the event log.)

Jarle Thorsen

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
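As an added example, not from this thread or from the Volatility project, the Python below does what the yarascan suggestion above describes: it searches a raw memory image for a suspect IP address in both its ASCII and UTF-16LE ("wide") forms, reports offsets with surrounding bytes, and emits the equivalent YARA rule. The address 10.0.0.5 and the SAMPLE buffer are constructed stand-ins; the digit-boundary checks are an addition over a plain string match so that 10.0.0.5 is not reported inside 10.0.0.50.

```python
import mmap
import re
from typing import List, Tuple

Hit = Tuple[int, str, bytes]  # (offset, encoding, surrounding bytes)


def ip_regexes(ip: str) -> dict:
    """The two encodings yarascan searches: ASCII and UTF-16LE ('wide').
    Digit boundaries stop 10.0.0.5 matching inside 10.0.0.50 or 110.0.0.5."""
    a = re.escape(ip.encode("ascii"))
    w = re.escape(ip.encode("utf-16-le"))
    return {
        "ascii": re.compile(rb"(?<![0-9])" + a + rb"(?![0-9])"),
        "wide": re.compile(rb"(?<![0-9]\x00)" + w + rb"(?![0-9]\x00)"),
    }


def scan_buffer(data, ip: str, context: int = 12) -> List[Hit]:
    """Return every ASCII/wide occurrence of `ip` with `context` bytes either side."""
    hits: List[Hit] = []
    for enc, rx in ip_regexes(ip).items():
        for m in rx.finditer(data):
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            hits.append((m.start(), enc, bytes(data[lo:hi])))
    return sorted(hits)


def scan_dump(path: str, ip: str) -> List[Hit]:
    """Scan a raw memory image via mmap so it is not read into RAM at once."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_buffer(mm, ip)


def yara_rule(ip: str, name: str = "rdp_peer_ip") -> str:
    """Equivalent rule for yarascan: 'ascii wide' covers both encodings."""
    return (f"rule {name} {{\n  strings:\n    $ip = \"{ip}\" ascii wide\n"
            f"  condition:\n    $ip\n}}\n")


# Constructed stand-in for a memory dump: an ASCII hit inside an mstsc-style
# command line, a UTF-16LE hit, and a decoy address sharing the same prefix.
SAMPLE = (b"\x00" * 8 + b"mstsc /v:10.0.0.5 " + b"\x00" * 8
          + "Server=10.0.0.5".encode("utf-16-le") + b"\x00" * 8
          + b"10.0.0.50 ")

if __name__ == "__main__":
    for off, enc, ctx in scan_buffer(SAMPLE, "10.0.0.5"):
        print(f"{off:#010x} {enc:5s} {ctx!r}")
    print(yara_rule("10.0.0.5"))
```

Hits only give you offsets; mapping each one back to a process or pool allocation is still a job for yarascan or strings as suggested above.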