Comments on Windows Incident Response: Adding Value to Timelines

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-07-31T05:44:44-05:00:

francesco,

"Probably it's a defensive approach..."

I have no problem whatsoever with having a reason to add events to a timeline.

For example, let's say that I have a system with three user accounts, and I know that the event in question occurred three months ago. If one of the user accounts was used to set up the system, and had not been logged into nor accessed in another way in three years, I might not want to add data from that profile to the timeline.

"...could make me miss something during events reconstruction."

I'd suggest that it's more important to look at your toolset, rather than the overall amount of data that you're adding. Are your tools capable of extracting the data that is available?

When I said that it's a data reduction technique, what I meant was, you can go from a 500GB hard drive to about 1 GB (or less) of overall data to look at.

Thanks for your comments.

dfirfpi (https://www.blogger.com/profile/03049845283204583443), 2012-07-31T04:24:40-05:00:

I agree entirely with you. Categorizing Events is invaluable for the analysis. Moreover, "do once, use many times" is always a winning approach.

"Timeline analysis is a form of data reduction, and adding events to our timeline, for its own sake, is moving away from that premise"

Probably it's a defensive approach, but I prefer to create timelines with all the information I can get. Then, by using an entry point (a timestamp, an indicator of something), I start analyzing the timeline, filtering out (thus reducing) useless entries. I fear that getting data reduction when creating timelines (and not when analyzing them) could make me miss something during events reconstruction.

More precisely, I usually create a global timeline (all in) and "local" timelines (file system, log files, logged user, etc.) which I mix if there is the need.