Comments on Windows Incident Response: Case Issues
(comment feed, 5 comments, last updated 2024-03-19T07:46:20-05:00)

chris (Anonymous), 2006-06-20T02:59:00-05:00:

You can use Diskprobe, which comes as a part of the Microsoft Support Tools. It's a disk editor; as far as I know there is no need to install it, it has a small footprint (~90 KB executable + some Windows built-in DLLs) and has the ability to search at the physical disk level, with ASCII and Unicode supported. One drawback is that if you want to search Unicode & ASCII you have to search twice; it's either Unicode OR ASCII ...

chris

Rob (Anonymous), 2006-06-17T01:33:00-05:00:

Whilst new to the world of computer forensics (only been doing it now for a little over 12 months as a LEO), I note that apart from EnCase Enterprise and ProDiscover Incident Response (both very expensive solutions) I have not located a tool that lets you conduct a text search of a live Windows system at a physical disk level (i.e. across active, deleted and unallocated disk space).

Attending warrants where it is not feasible to shut down an enterprise server, but still needing to conduct a search at the physical level to identify evidence meeting the terms of the warrant (hence permitting imaging of the server), I am surprised that no simple grep/command-based tool exists that could be contained on a CD/thumb drive. Obviously such a tool would have to leave a minimal footprint, be Windows/DOS based and minimise changes to the system (such as MAC dates).

Please correct me if such a tool does exist.

Regards,

Rob.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2006-06-16T15:22:00-05:00:

du212,

Some of those sound really interesting. I wish you had time to elaborate on some of them.

Harlan

Anonymous, 2006-06-16T14:17:00-05:00:

This would be a good book topic and I certainly wouldn't mind reading a book with example case studies...
Alas, I don't have the time (at the moment) to write further; I will comment the following outline for consideration:

Case of the Encrypted Disk
Case of the Wiped Drive
Case of the Backdated Word Doc
Case of the Pwd Protected Ediscovery Files
Case of the External USB Drive
Case of the 4 SATA 250 gig Drive Acquisition
Case of the Event Log-VPN connection Intrusion
Case of the Foreign Language Conversion
Case of the NSF to PST production
Case of the Metadata ediscovery search
Case of the Macintosh Analysis
Case of the Suspected Porn Review
Case of the Email Delta Production
Case of the Last User Activity
Case of the Emptied Recycle Bin
Case of the Web Access Intrusion

Anonymous, 2006-06-16T12:27:00-05:00:

Legal handing over a box of FedEx-ed laptop for forensic review.

Box torn open, and they tell me they could not find anything on it... They turned it on, and "checked it" with Windows built-in search...