tag:blogger.com,1999:blog-9518042.post4273323307587300998..comments2024-03-19T07:46:20.437-05:00Comments on Windows Incident Response: Counter-ForensicsUnknownnoreply@blogger.comBlogger5125tag:blogger.com,1999:blog-9518042.post-25911530983199313452012-07-04T07:24:00.166-05:002012-07-04T07:24:00.166-05:00No problem...glad to do it.
You should be able ...No problem...glad to do it. <br /><br />You should be able to modify evtparse.pl fairly easily to carve for XP/2003 event records...H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-85763723944529985222012-07-04T07:22:38.835-05:002012-07-04T07:22:38.835-05:00Got it, thanks! And thanks for all that you give ...Got it, thanks! And thanks for all that you give back.Joenoreply@blogger.comtag:blogger.com,1999:blog-9518042.post-76629225843872985692012-07-04T04:44:25.278-05:002012-07-04T04:44:25.278-05:00Joe,
The structure of WinXP/2003 Event records ar...Joe,<br /><br />The structure of WinXP/2003 Event records are well defined, so scan unallocated space for those. Don't look for the deleted file; instead, carve for records.H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-51302616995890840772012-07-03T18:10:54.172-05:002012-07-03T18:10:54.172-05:00Excellent information. Regarding:
"However,...Excellent information. Regarding:<br /><br />"However, many analysts are aware that deleting cookies and clearing Event Logs really doesn't do a whole lot more that just alter where you go to get the information you're looking for."<br /><br />What are the steps for 'recovering' Windows Event Logs that were cleared?Joenoreply@blogger.comtag:blogger.com,1999:blog-9518042.post-25146228476104751142012-03-01T23:24:06.478-05:002012-03-01T23:24:06.478-05:00Fantastic post. I love that Shakespeare quote - d...Fantastic post. I love that Shakespeare quote - definitely apropos to our industry. Huge thank for continuing to share your insight!Girl, Unallocatedhttps://www.blogger.com/profile/14531145168136293345noreply@blogger.com