Comments on Windows Incident Response: Thoughts on Analysis, Information Sharing, and Presentations

Anonymous (2010-11-02 06:32):

Nice post Harlan. I recently made a comment on a list server to a fella that wanted a recommendation for the "best scanner" for malware. I recommended "Reg Ripper" for this analysis.
Needless to say, this fella was quite confused by my response and shot the idea down to some extent. Poor fella, doesn't realize what he's missing. Keep up the great work.

H. Carvey (2010-11-02 09:41):

Was that the CCE list? If it was, I saw the same thing...and I did try to see what had turned the poster off to RegRipper.

Thanks for your comment.

Shanna (2010-11-02 10:47):

In my environment, if I'm turning to RegRipper for malware analysis, it's usually a post mortem exam. If the machine is up and I'm trying to clean it, I'm usually working with autoruns/autorunsc and other tools from Sysinternals.

But whatever the tool, I agree that it is incredibly important to understand how malware uses the Registry to gain a foothold and know what signs to look for. If one learns to recognize anomalies, then the techniques you describe *aren't* just for the malware we know about.

From reading forums and such, it's a little surprising to me how many examiners seem to rely solely on some combo of AV scanners to decide if a system is clean.

I just got my copy of the Cookbook last night. It looks like a fun book!

H. Carvey (2010-11-02 10:59):

Shanna,

Agreed.

FYI...RegRipper works very well over F-Response.

I'm still waiting on my copy of the Cookbook... ;-(

Anonymous (2010-11-02 12:49):

One of the best books I've ever read was "The Tao of Network Security Monitoring". It showed how much fun analyzing communication could be. Now "The Malware Analyst's Cookbook" is doing the same thing for malware. Both books show many free tools and techniques that can be used to detect incidents. I wouldn't be surprised if "Windows Registry Forensics" was another eye opener for me. :)

H. Carvey (2010-11-02 13:15):

...much like WFA 2/e...

Anonymous (2010-11-02 13:49):

Was that the CCE list? Yes, it was the CCE List.

newinforensics (2010-11-02 22:13):

I could not agree more with your comments. Five years ago it was turn off, image and analyze. Today it's acquire RAM, acquire volatile data, identify key areas to image/acquire and image using F-Response. Wow, keeping up with change :)

Earlier today I was mentioning to a colleague that I tend to START my analysis with RegRipper, and a rough timeline analysis based on the facts provided by the investigator. Both these techniques give me a visual snapshot of what has occurred on the system, and in the end, save me time on my analysis. I've even been known to virtually boot at the start of my investigation (MIP/FTKImager and VFC) to gain the benefit of visualizing the system, programs and their individual settings.
I realize this may sound strange to some.

ps...I've heard from at least two attendees who heard Chris P at Sector. Darn, sounds like it was even better than the Forensic Summit in DC :) You're onto something Chris!!

...another anxious reader awaiting his Cookbook.

H. Carvey (2010-11-03 07:52):

I'm glad you liked Chris's presentation...have you said that to him?

> ...another anxious reader awaiting his Cookbook.

Who's? Chris is writing a cookbook?

newinforensics (2010-11-03 08:50):

This comment has been removed by the author.

newinforensics (2010-11-03 08:52):

Sure did...in person, and in my blog.

Re: Cookbook...I was writing in third person referring to myself..I'm awaiting my copy of Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code from Amazon.