Comments on Windows Incident Response: Great news for IR and live response!

hogfly (https://www.blogger.com/profile/00741773109962883616), 2007-04-09 09:25 -05:00:
You're absolutely right. This is great news for those waiting for case law. Maybe now is the time for people to fully develop their live response procedures.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-04-09 14:40 -05:00:
More appropriately, IMHO, it's *another* reason to do so, right behind "required by a regulatory body (i.e., FISMA, state/federal notification law, HIPAA, etc.) to do so" and "common sense". ;-)

Anonymous, 2007-04-22 17:46 -05:00:
A better reason yet is all the information a live capture can get with minimal modification to the system (i.e., loading the executable images into RAM). Even if a system is to be used in a criminal case, I don't think running dd.exe to dump the RAM, then immediately pulling the plug on a system, could invalidate using the hard drive image afterwards. If a sysadmin poking about for 15 minutes doesn't invalidate a system as evidence, two minutes of dumping RAM to a network share (or netcat) shouldn't either.

An interesting possibility is using Process Monitor during the capture to see what all processes are doing, though its use may be exculpatory.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-04-24 17:21 -05:00:
"Even if a system is to be used in a criminal case, I don't think running dd.exe to dump the RAM, then immediately pulling the plug on a system could invalidate using the hard drive image afterwards."

I agree, given the presence of a rigorous process or methodology, and justification for using it.

Remember, too, that depending upon how the new process (dd.exe) is run, there may be more than just a bit of memory used. On XP, a Prefetch file may be created.

Anonymous, 2007-04-25 16:11 -05:00:
This would be a huge help going forward. Especially with detecting exploits which never touch the disk (syscall proxies, etc.). Also, correlating rootkit activities with data found on the disk is invaluable in my experience.

jaymcjay (https://www.blogger.com/profile/01811333295782525169), 2007-04-26 18:31 -05:00:
Dimitry - Even more so with executables that are compressed and possibly encrypted on the disk (or not even there, as you said), but pristine within the memory.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-04-26 18:33 -05:00:
Jeff... Exactly!

Anonymous, 2007-04-29 13:10 -05:00:
Agree. It's much quicker than reversing...
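An added example, not part of the blog post or any commenter's words, illustrating the point H. Carvey makes above about the footprint of the capture tool itself: on XP, running dd.exe can leave a Prefetch file in %SystemRoot%\Prefetch, and a rigorous methodology should record that artifact rather than be surprised by it later. The script below takes two snapshots of the Prefetch directory (file name to contents), one before and one after the live-response tools run, and parses the header of every file that appeared so the examiner can document its name, hash, last-run time and run count. The header offsets used are the commonly documented layout for the XP/2003 Prefetch format (version 0x11); they are an assumption of this example (Vista and later use different versions and offsets), and the sample Prefetch files and their hash values are constructed here so the example runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

# --- XP/2003 Prefetch (format version 0x11) header layout -------------------
# Offsets follow the commonly documented layout for the XP-era format; they
# are an assumption of this example, not something the blog comments state.
PF_VERSION_XP = 0x11
PF_SIGNATURE = b"SCCA"
OFF_FILESIZE = 0x0C   # 4-byte total file size
OFF_EXE_NAME = 0x10   # 60-byte UTF-16LE executable name, NUL padded
OFF_PF_HASH = 0x4C    # 4-byte prefetch hash (the hex suffix of the file name)
OFF_LAST_RUN = 0x78   # 8-byte FILETIME of the last execution
OFF_RUN_COUNT = 0x90  # 4-byte execution count
HEADER_LEN = 0x98     # enough bytes to hold every field above

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def prefetch_filename(exe_name: str, pf_hash: int) -> str:
    """Name Windows gives the file in %SystemRoot%\\Prefetch, e.g. DD.EXE-1A2B3C4D.pf."""
    return f"{exe_name.upper()}-{pf_hash:08X}.pf"


def parse_prefetch_header(data: bytes) -> dict:
    """Pull the fields an examiner cares about out of an XP-format Prefetch file."""
    if len(data) < HEADER_LEN or data[4:8] != PF_SIGNATURE:
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported Prefetch format version {version:#x}")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60]
    exe_name = raw_name.decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    return {
        "exe": exe_name,
        "hash": struct.unpack_from("<I", data, OFF_PF_HASH)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]),
        "run_count": struct.unpack_from("<I", data, OFF_RUN_COUNT)[0],
    }


def build_xp_prefetch(exe_name: str, pf_hash: int, last_run: datetime, run_count: int) -> bytes:
    """Constructed sample: a header-only XP Prefetch file standing in for a real
    one so the example runs offline. Real files carry further sections."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, OFF_FILESIZE, HEADER_LEN)
    name = exe_name.encode("utf-16-le")[:58]
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_PF_HASH, pf_hash)
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


def new_prefetch_files(before: dict, after: dict) -> dict:
    """Given two snapshots of the Prefetch directory (file name -> contents),
    taken before and after the live-response tools ran, return the parsed
    header of every file that appeared, so the footprint can be documented."""
    return {name: parse_prefetch_header(after[name]) for name in sorted(set(after) - set(before))}


# Constructed snapshots standing in for a real %SystemRoot%\Prefetch listing.
# The hash values are made up; they are not the real prefetch hashes.
CAPTURE_TIME = datetime(2007, 4, 24, 17, 21, tzinfo=timezone.utc)
SNAPSHOT_BEFORE = {
    prefetch_filename("NOTEPAD.EXE", 0x336A4DCF):
        build_xp_prefetch("NOTEPAD.EXE", 0x336A4DCF, CAPTURE_TIME - timedelta(days=3), 12),
}
SNAPSHOT_AFTER = dict(SNAPSHOT_BEFORE)
SNAPSHOT_AFTER[prefetch_filename("DD.EXE", 0x1A2B3C4D)] = build_xp_prefetch(
    "DD.EXE", 0x1A2B3C4D, CAPTURE_TIME, 1)

if __name__ == "__main__":
    for name, hdr in new_prefetch_files(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{name}: {hdr['exe']} run {hdr['run_count']}x, "
              f"last {hdr['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

On a real system the two snapshots would be the directory listing (and file contents) collected at the start and end of the documented procedure; the diff then becomes part of the case notes, alongside the hash of the memory dump. Note that the same reasoning applies to anything else the responder's tools touch, such as registry keys or the dump file's own location, which is why the methodology, not just the tool, is what justifies the capture.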