One of the goals of IR engagements is to locate the initial infection vector and/or patient zero. To determine this, timeline analysis becomes critical, as does determining when the malware was created and/or executed on a system.
This file create time may become extremely critical if you're dealing with multiple or even hundreds of systems and trying to determine when and where the malware first made its way into the environment.
But what happens when the malware has already been remediated by a systems administrator, deleted by an attacker, or removed because new AV signatures were pushed out?
More here: http://az4n6.blogspot.com/2015/03/usn-journal-where-have-you-been-all-my.html