Pages

Wednesday, May 20, 2009

Giggity giggity

I know, interesting post title, right...just couldn't come up with anything witty...sorry.

Well, Rob Lee ran us (me, Chris Pogue, and David Hull) through the SANS Essential Incident Response WebCast yesterday, and two out of three panelists agree that Cory Altheide is THE indispensable incident response tool! The mini-panel was a lot of fun and I hope folks listening to it take it as a harbinger of things to come this summer at the Summit.

Speaking of conferences, I ran across SecureArtisan's comments (day 1, day 2, day 3) from attending the CEIC Conference. It appears that there were some interesting presentations, some of which may have been interesting in title only. Reading through his comments, I have to agree with some of them from my own experiences, as this is why I've stopped trying to attend some conferences. What have you seen?

Also, I wanted to share some comments (posted with the author's permission) I've received lately from folks regarding tools...the first is from Brian Perkins, who said:

I just wanted to drop you a quick note regarding a recent success story using your FRUC client and the FSP Server. One of the data points I collect is autorunsc.exe –a. With this collection of data I was able to identify the malicious software in a matter of minutes even before acquiring an image. I have made great use of your FRUC client and server to the point that it serves as my first tool to deploy for Incident Response, and it now sits at the core of my Forensic Investigation Protocol . Getting the volatile data first and then the static data (hdd image) second is my order of priority. Using your tools has made my time well spent when as we all know how efficient a tools performs depends upon its success. Now I going to let Reg Ripper have a go at the hives!

If you remember, the FSP is one of the tools available on the DVD that accompanies the first edition of Windows Forensic Analysis (and yes, it is on the DVD with the second edition, as well).

The second comment is from Ian Hutchison, and has to do with the rp.pl Perl script that I mentioned in a previous post; Ian asked for a copy and ran it after I sent it, and this is what he had to say:

I ran this and it chewed threw 114 restore points in less than a second. That would have taken me hours if not days to do manually, and seriously messed with my sanity.

I want to thank both Brian and Ian for their comments, and for allowing me to post them. While it's nice to see comments like this out in public view, more than anything else, these comments show that there are folks out there looking for answers in other areas of a system or an image aside from just the file system, and moving beyond the traditional, purist approach to computer forensic analysis.

No comments:

Post a Comment