Comments on Windows Incident Response: Getting started, or forensic analysis on the cheap (17 comments, newest first)

cheap computers (http://www.electrocomputerwarehouse.com/), 2009-08-04 08:27 -05:00

It sounds good that what they have decided to do is compile a list of free resources that can be used by schools and individuals to develop labs, training exercises etc., for the purposes of providing an educational background in the field of computer forensic analysis.

Ed Smiley, 2009-04-24 06:56 -05:00

Harlan,

Unfortunately, they just seem to be directories that mirror the info, but kept the original download links. So when you try to go listen or download, you get a 404. I am still digging. If I find something, I will post it here.

Thanks!
Ed

H. Carvey, 2009-04-24 06:25 -05:00

Ed,

So you know, Google returns multiple hits for the podcast archives...

H. Carvey, 2009-04-23 18:03 -05:00

Ed,

Thanks, and you may be right...I'll see what I can do...

h

Ed Smiley, 2009-04-23 15:17 -05:00

Anyone know what happened to the LiveAmmo computer forensics podcasts referenced above? Are they worth checking out even though they are (guessing) over a year old?

Harlan,

This post is incredibly useful. How about a revisit to this with updated links and an incorporation of the tools listed in the comments.

Love the site!
Ed

Anonymous, 2009-03-31 13:08 -05:00

Awesome write-up and very concise list. I didn't know each of them, so I've got something new to try out. Thank you.

Anonymous, 2008-07-28 04:13 -05:00

The blog is nice. I like it very much. Laptop batteries (http://www.batteryfast.com)

Jamie Levy, 2008-07-13 09:41 -05:00

This is a great list.
There are a few things I would add, though:

Acquisition:
PsTools - http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx (nice collection of tools that list files, users currently logged on, system info)
Fport - http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip
Oem3sr2.zip - http://support.microsoft.com/kb/q253066/

Memory Acquisition:
MDD - http://sourceforge.net/projects/mdd/ (Yeah, I know it wasn't available at the time you posted this)
Win32dd - http://win32dd.msuiche.net/ (Also wasn't around at the time you posted)

Memory Analysis:
Volatility - https://www.volatilesystems.com/VolatileWeb/volatility.gsp
PtFinder - http://computer.forensikblog.de/en/2007/11/ptfinder_0_3_05.html

Network Analysis:
TCP Flow - http://www.circlemud.org/~jelson/software/tcpflow/ (Linux)
p0f - http://lcamtuf.coredump.cx/p0f.shtml (Linux)
Snort - http://www.snort.org/ (Linux)
Tcpdump - http://www.tcpdump.org/

H. Carvey, 2008-02-24 06:48 -05:00

Rich,

Great tools. Unfortunately, the Zeitline link is "403". I stopped by and started checking out your blog, as well...very cool.

Inuk-x,

Try reaching out to Richard Bejtlich on that one...

Claus,

Wow!

PDBasic was linked in my blog post. I've been a user of PD since version 3 and I'm eagerly awaiting the release of version 5.0.
I've been told that some of the things I've been concerned about for about 2 yrs now should be addressed after the release.

Thanks for the links to the bootable Linux CDs...these are all very useful and definitely something to keep in mind and have handy (as in, on hand, and know how to use them).

Anonymous, 2008-02-23 22:47 -05:00

Oh yes,

Almost forgot these.

I'm not a forensics guy (though some days I wish I were), but I do find many of the principles and methods useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. Plus it provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division, so I don't accidentally compromise something in my initial response and assessment.

Another of your posts linked to TechPathways (http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14), which turns out has a free "ProDiscover" GUI-based computer forensic software package. It looks nice for people wanting to get their feet wet in this area.

Also, I have found the following Linux "Live-CDs" that have a particularly useful forensics bent to them.
All free.

Plan-B - http://www.projectplanb.org/
Helix - http://www.e-fense.com/helix/
FIRE - http://biatchux.dmzs.com/
FCCU GNU/Linux Forensic Boot CD - http://d-fence.be/
Penguin Sleuth Bootable CD - http://www.linux-forensics.com/
PLAC - http://sourceforge.net/projects/plac/

--Cheers!

Anonymous, 2008-02-23 11:53 -05:00

Great list! I have a couple others:

Zeitline - a forensic timeline editor
http://projects.cerias.purdue.edu/forensics/timeline.php

And, although not a forensic tool, one used to document your investigations:
Casenotes
http://www.qccis.com/content.php?section=casenotes

Anonymous, 2008-02-23 11:51 -05:00

Great tools and utilities roundup! Once you get started it is very hard to stop!

I often drop in over at the SecurityFocus website.
Their Infocus: Incidents section (http://www.securityfocus.com/incidents) often contains great "case studies" that walk readers through an investigation and the different approaches and techniques that could be used.

I also had been listening to the LiveAmmo computer forensics podcast archives (http://www.liveammo.com/LiveAmmo_Computer_Forensics_Podcast_Archives.php).

They had a set of podcasts on Digital Forensics and Hacking Investigations (5 episodes, I think). Each ran about 35-45 min long. I am assuming they are still available. I still have them on my iPod, at least...

test, 2008-02-22 10:59 -05:00

Thanks Harlan, very useful and very needed. Now we just need to find a similar/updated list of resources for network security monitoring (NSM).

Anonymous, 2008-02-22 08:45 -05:00

Of course I didn't borrow "Windows Incident Response" from the library, I *purchased* a copy ;)

But there is:
File System Forensic Analysis - Carrier, Brian
Incident Response and Computer Forensics - Mandia, Kevin and Prosise, Chris
Real Digital Forensics - Jones, Keith and Bejtlich, Richard

for a start...

d, 2008-02-21 09:42 -05:00

Great list!

May I also suggest ftimes (http://ftimes.sourceforge.net). It is capable of file carving, gathering MAC times, file analysis, etc.
It is freely available (as in beer) and is available on Windows as well.

H. Carvey, 2008-02-21 07:01 -05:00

Actually, I didn't "forget"...if I post everything, what does that leave for others?

So...what books do you get from your public library, in pursuit of CF knowledge??

Anonymous, 2008-02-21 06:46 -05:00

You forgot a section on "books!" For people who are really cheap like me, most can be requested through one's local public library.