Comments on Windows Incident Response: What's New

Comment posted 2012-05-16T19:48:51-05:00 by Anonymous:

Thanks again for reviewing my post Harlan. I've much respect for you and what you've taught me so far.

In addition to my comment on the RegRipper plugin, I've since attempted this command on a second machine and had success. So more troubleshooting on the tutorial image will be required to see where I went wrong in that case.

I also mentioned in my post that receiving the output, i.e. the timeline, is the easy part; however, understanding that output is far more challenging. As you say, RegRipper is a great tool to increase the speed of investigation, but it's important for analysts to understand why the tool does what it does and how it does it, so that not only can we troubleshoot issues like the above but also trust the output and understand any impacts on our investigation. This is something you highlight, in my brief read of WFAT2e, when you speak about understanding tools, and in particular the rootkit analysis example of an analyst running RootkitRevealer and the confusion it can cause.

Your dedicated book on the registry will be a big help in this area, I believe, and thankfully your tools are open source, so with time I believe I'll gain a solid understanding of all of the above.