Comments on Windows Incident Response: What Does That Look Like, Pt II
(comment feed, last updated 2024-03-19 07:46 -05:00)

Anonymous, 2014-09-06 14:05 -05:00:

"...the above indicators would have been obviated if the system was configured such that the pagefile was cleared on shutdown, and the system was cleanly shut down prior to an image being acquired."

I'm curious... did you stop halfway through the Volatility training? There could still be a hibernation file and its slack. Also, since the source was running Windows 7, as the original article clearly states, it's possible to find both the hibernation and page file in VSCs.

Thanks.

Joachim Metz, 2014-09-06 11:08 -05:00:

> So, I'm curious...did you stop reading halfway through the post?

Yes I did, as you indicate in:

> I do think that they are important to have, as it provides us with a common platform from which to launch discussion and discourse.

I'm launching a discussion.

> Too often, discussions get tangled and confused over terminology and definitions,
> such as the difference between a Registry key and value; the distinction may be
> subtle, even irrelevant to some, but to others, they speak to the clarity and
> precision of the discussion.

I'm trying to add clarity here and remove the confusion.

> I appreciate your rather prolific insight...does it continue to the rest of the content?

Not sure what you are hinting at here, please clarify.

You start with a discussion about definitions and then switch to a discussion about an article. If you were aiming to get another discussion out of the article, then consider being more verbose about this.

H. Carvey, 2014-09-06 06:03 -05:00:

Joachim,

Thanks for the comments.

So, I'm curious...did you stop reading halfway through the post? I appreciate your rather prolific insight...does it continue to the rest of the content?

Thanks again.

Joachim Metz, 2014-09-05 01:13 -05:00:

Or with TTP do you mean:
Tactics, Techniques and Procedures (TTP)?

Some context you might want to read:
https://msm.mitre.org/docs/STIX-Whitepaper.pdf

Joachim Metz, 2014-09-05 00:50 -05:00:

Harlan, first of all it's good that you want to start this discussion.

> Artifact - an element of a data source.

First some context on the term artifact or artefact. I prefer the link with archaeology and not software development.
http://en.wikipedia.org/wiki/Artifact_(archaeology)
http://en.wikipedia.org/wiki/Artifact_(software_development)

"something made or given shape by man, such as a tool or a work of art, esp an object of archaeological interest"

So not a data source per definition. I would use the definition:

"An object of digital archaeological interest", where digital archaeological roughly refers to digital forensics analysis without the forensic part.

> A data source might be a Windows Event Log file, and an artifact would be a Windows Event Log record.

What about the event described by the "Windows Event Log record"? IMO that would be a separate artifact.

So my question to you is: is the artifact per definition a data source, or is it more the data in the "source"?

For disambiguation: http://en.wikipedia.org/wiki/Datasource

> Indicator = artifact + context

Both terms are too vague to define as a formula.

> Indicator - an artifact, with some sort of context applied to it.

Some indicators will not be artifacts and have no context, but they are still indicators, in the sense of the word. E.g. what about a behavioral pattern that will be based on the information from multiple artifacts? E.g. what about an indicator based on statistical analysis?

IMO an indicator is a complex filter. That you can use an artifact in that filter does not mean it is part of the definition per se.

> TTPs - clusters of indicators that can be used to illustrate intruder or user actions

Threats, Techniques and Procedures (TTP); don't try to redefine a perfectly clear definition.