Comments on Windows Incident Response: Stuff (feed last updated 2024-03-19T07:46:20.437-05:00)

Anonymous, 2011-11-16T11:22:19.081-05:00

The Symantec report has a small error with the location of the registry key showing Duqu infection. Instead of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"CFID", it should be CF1D at the end.

Source: https://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

Lakshmi N (https://www.blogger.com/profile/04239136690879961650), 2011-11-16T08:38:34.065-05:00

Thanks Harlan.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-11-16T06:35:27.126-05:00

Lakshmi,

"I went through your timeline presentation and used the tools to generate the timeline. Question to you: Is the generated timeline in UTC format?"

In the timeline presentation, slide 18 has a bullet that states, "Time (normalized to Unix epoch time, UTC)".

HTH

Anonymous (signed Lakshmi N), 2011-11-15T20:34:31.956-05:00

Harlan,

I went through your timeline presentation and used the tools to generate the timeline. Question to you: Is the generated timeline in UTC format?

Thanks for sharing. Till now I was using SIFT and Log2Timeline, but found your method and the steps useful as I can run it on a Windows workstation.

Thanks,

Lakshmi N

Corey Harrell (http://journeyintoir.blogspot.com), 2011-11-15T18:45:02.503-05:00

Thanks for the compliments about my efforts; the feedback means a lot. Just the other day I was talking to my wife about how much I've benefited by trying to help others. I'm better at DFIR as a direct result of my willingness to share information, whether it's through blogging, security groups, forums, or asking questions.

I just wish everyone understood that sharing information not only makes others better but it helps to improve yourself at the same time.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-11-15T17:26:42.016-05:00

David,

I have to agree, but contributing can take so many different forms. I'd love to just see more people asking questions... as someone who's written tools, I know that I don't have all the answers. If I can better understand someone else's needs, maybe I can make the tools better.

However, more often than not, what happens is that someone downloads a tool, runs it incorrectly, decides it doesn't work, and doesn't say anything to anyone. I recently saw someone post to a forum about SANS SIFT... so my first question was, "...did you go to Rob Lee and ask him the question?" The answer was "no", which I do not understand.

My point is that not everyone can DO something, in the sense that Corey does stuff. However, something as simple as asking a question or just letting someone know what your needs are is still contributing to the overall community.

WRT my DC3 presentation, I hope to see you there! It's gonna be good!

davehull (https://www.blogger.com/profile/13189230083815485114), 2011-11-15T14:51:05.592-05:00

Appreciate your comments about people like Corey Harrell (and yourself), who does stuff. The community gets better when more people take time to contribute and share what they know.

I'll be at DoD CyberCrime and your talk description has my interest piqued. I like the sound of your approach of trying to engage the audience in a discussion. I hope folks are talkative; that always makes it more interesting and fun.

Anonymous, 2011-11-15T08:39:12.212-05:00

Thanks for the post Harlan.
The Tool Updates section is particularly useful for me, as it is sometimes easy to fall behind on the latest news and releases, and I LOVE testing out new functionality of new releases! There is also a new version of FTK Imager available on Access Data's site as of Nov 14, 2011: http://accessdata.com/support/adownloads#FTKImager