Comments on Windows Incident Response: Stuff, Reloaded

Anonymous (2011-11-16 15:57 -05:00):
"I write all of my tools to normalize the time stamps to 32-bit Unix time format"
FLS and TimeScanner both do this as well. Win32 datetimes have a granularity of .001 sec, while Unix time only has a granularity of 1 sec. Would it not also be helpful during timeline analysis, and especially during anomaly detection, to maintain that higher level of accuracy?

H. Carvey (2011-11-16 16:52 -05:00):
I've had some thoughts on this, but I'm not sure if I want to share them with someone who doesn't want to sign their posts.

Thanks for commenting.

clint (2011-11-16 22:01 -05:00):
I think MAEC was invented to fill the intel sharing gap. Vendors haven't really adopted it yet, though. http://maec.mitre.org/

cbentle2 (2011-11-17 04:27 -05:00):
Hi Harlan,
In terms of using the IOCFinder, I have used Memoryze\AuditViewer to review a memory sample. Build an IOC using Mandiant's IOCEditor, then run the IOC against the XML output from multiple Memoryze\AuditViewer audits to see if other samples were compromised.

Excellent post as always.

Andrew Case (2011-11-17 15:15 -05:00):
The DOD conference looks insane... I may have to plan out which tracks I want to see for once.

I assume you will be attending this one on Wednesday: "Registry Analysis for Network Intrusions"? Sounded interesting to me at least.

H. Carvey (2011-11-17 19:29 -05:00):
Andrew,

"I assume you will be attending this one..."

Eesh, I don't know. At this point, I'm simply concerned with getting through my presentation! ;-) Also, it's in the IA track... does that mean that it won't be heavily technical?