Comments on Windows Incident Response: Thoughts on Tool Verification

H. Carvey, 2009-09-10 06:11 (-05:00):

Claus,

Thanks! I hope you do get a chance to share your lessons learned...one of the drawbacks of writing this stuff from the batcave is that I don't get to see how folks are actually using the tools too often...

Claus V., 2009-09-09 20:18 (-05:00):

Harlan, thanks for the recent holler-back. I invest the time in tracking down and sharing these tools and tips because they bring benefit to me, because I want to "pay it forward" for all the work other bloggers and developers have done to get me where I am in my knowledge base, and because it is just plain therapeutic in a relaxing way. So many great apps and info, just beneath the surface clutter of the Net. Just takes a bit of digging to uncover, then share.

Thank you in particular for the link to the woanware site (http://www.woany.co.uk/) in this post. It's an amazing collection of targeted utilities. Right up my alley. I'm going to be sorting through that site for a while!

FWIW, I'm currently going through an incident-response analysis on a production system and RegRipper came in dead useful with my system admin hat on. It allowed me to parse out the areas I needed to focus in on. Then I grabbed my other toolchest and set to work. It and the other forensic tips from you in particular have really helped me pick apart the system and come up with a solid timeline of activity and events. I'm grateful.

I'm not sure it will make daylight on my blog due to the nature, but I hope to post some particular lessons learned in the near future related to one or two particular areas of focus.

Cheers!

--Claus V.

H. Carvey, 2009-09-09 14:45 (-05:00):

> ...I think that validation also needs to go to the meaning or interpretation of the data, in addition to a determination that the correct data were found.

I agree 100%. However, I think that there is always going to be an issue with this. Even with training or documentation (and references) for this, someone will walk away from the training and not touch an item for weeks. Then, after having not used it, they'll be in a position where they need the information and don't remember it correctly. This happens ALL the time with the USB stuff Cory (http://www.posthumorous.com) and I did a while back, and I still find the same thing to be true, even with people who have WFA 2/e.

> For instance, there's been some misinterpretation of whether data in the SAM hive means that a password is required of a given user.

Right, and I received some info from MS in that regard and posted it to my blog.

Jimmy_Weg, 2009-09-09 13:04 (-05:00):

I think that everyone does have to do tool verification to some extent. That doesn't mean reverse engineering FTK, but it may mean running companion tools side by side and going into an image with a hex editor to verify the results.

For example, I just found some errors in a new tool in regard to the offsets at which it reported Internet data. That's not only important for obvious reasons, but it helps the publisher, too.

XWF puts out a variety of registry reports and is configurable. It can be used in conjunction with RegRipper. In regard to the registry, as well as topics discussed recently on the list (USB, link files), I think that validation also needs to go to the meaning or interpretation of the data, in addition to a determination that the correct data were found. For instance, there's been some misinterpretation of whether data in the SAM hive means that a password is required of a given user.

H. Carvey, 2009-09-09 09:35 (-05:00):

Guys, thanks for the comments...

> ...I noticed that it does not process VISTA or WIN7 OpenSaveMRU keys correctly.

See, that's the cool thing about RegRipper...Perl's free, and the plugins are open source, so if something doesn't work the way you want it to, you can always modify it.

> I wish more people actually did tool verification.

Agreed, but IMHO, there are a number of issues at play here. First, I don't think that there's a clear, solid understanding across the community of what comprises "verification". Second, not everyone can...or should have to...do tool verification. There needs to be clear documentation of the process and results of tool verification available to everyone. Otherwise, we all do this verification and no one is left to actually do the work that needs to be done!

We do need more hands on deck, I agree, but we also need the folks that are doing the work now to collaborate and share. When you've got a couple of disparate groups working toward the same goal, you're likely to get better results faster if they collaborate and share information.

Finally, not everyone in the community is going to be able to do or take part in research, but pretty much everyone will want to be consumers of that information. As such, there should be community-wide support for the research. Right now, there isn't...it's really much more of a "gimme" attitude. Support the research and it'll be better, more complete and arrive faster.

Rob Lee, 2009-09-09 08:59 (-05:00):

I am in full support of tool verification. Nevertheless, in order to verify a tool, you need to know what the correct output should be.

In addition, that cannot be done by comparing TOOL A to TOOL B. You need to understand the fundamentals and be able to do it by hand.

For example, when using RegRipper, I noticed that it does not process VISTA or WIN7 OpenSaveMRU keys correctly. It was not that it was programmed incorrectly, but that it had not been implemented yet. I gave Harlan a heads up and he added it to the plugin.

I wish more people actually did tool verification. Secretly, I wish more people did original research as well. We need more hands on deck. There are artifacts yet to discover.

Verify what someone writes in a book, blog, or teaches in a class such as SANS. "Trust, but verify." (Ronald Reagan taught us that with the USSR.)

Not only does it make you better. It makes us all better as well. No one has it all figured out.

Though I try to double check personally everything we teach, mistakes are made. How often has FTK or ENCASE been patched/updated? Do you really believe they had it all figured out at version 1.0? To truly verify, you have to see it yourself.

Trust, Verify, Research.

Rob Lee
SANS Institute

Felix (snopboy88), 2009-09-09 08:35 (-05:00):

Harlan, this is an excellent point you posted, and I fully concur with you. I am a proponent for tool verification too.

Felix