Comments on Windows Incident Response: Copying Files

Anonymous (2008-07-26 10:49 -05:00):

Good stuff Harlan. Just some ideas along the lines in your post... I suppose you could use the CD/DVD burning software swap file as an indication of something recently burned. That is if you can find it and it is in a friendly format (iso).

Also, another option for file system monitoring is the Microsoft .NET Framework FileSystemWatcher class which can be tapped via Visual Basic or C#. Seems like it was built for easily recording changed, renamed, deleted, or newly created files. Potential here for all kinds of utility goodies in the areas of system logging, executable file analysis, honeypots, etc. Of course to aid an investigation, you'd have to set it up BEFORE you need it :)