Comments on Windows Incident Response: Doing Analysis
(comment feed, last updated 2024-03-19; 6 comments, shown in the order they were posted, times are -05:00)

James Habben, 2015-12-01 10:58

Nice write-up! I also have not seen any computers lately with VSC enabled. On top of that, I keep seeing computers with prefetch disabled as well. Such a great resource of information.

I typically use the timeline as a backup to other artifacts. It has served me well and it's how my brain works. I will have to give this a try, though, and go with the timeline first on my next case to see how it works for me. Thanks for sharing!

For working with VSC images, check out David's blog on automating the access. It saves you from having to run all these commands to convert.
http://www.hecfblog.com/2015/05/automating-dfir-how-to-series-on_25.html

H. Carvey, 2015-12-01 13:31

James,

Thanks, that's pretty interesting stuff from David.

Jared Greenhill, 2015-12-05 09:12

Harlan, this is a great post. I like how you set out your goals and explained your analysis process along with tools that were leveraged. It's important for other analysts to hear the stories about how our work is being done. Far too often broad concepts are discussed but the technical details are omitted.

Thank you,
Jared

H. Carvey, 2015-12-06 06:46

@Jared,

"It's important for other analysts to hear the stories about how our work is being done."

I often hear from other analysts that this is what they want to see/hear, but what I do not see happening is other analysts sharing this sort of thing. There is a very small handful of people that take the few minutes to write this sort of thing up.

In the past, I've offered to "host" guest posts here, letting folks write up what they wanted to share, and either posting it under their name or anonymously off of my blog. That offer still stands.

I even offered to do that with my book (http://windowsir.blogspot.com/2014/10/wrf-2e-contest.html), but unfortunately only got one taker.

Anonymous, 2015-12-23 08:46

Keep in mind that more and more new malware deletes shadow copies if found...

H. Carvey, 2015-12-23 08:48

@Anonymous...

Do you have examples? What are your recommendations regarding detecting and/or analyzing systems under these circumstances?

I look forward to your input. Thanks, and have a very Merry Christmas!
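Anonymous notes above that newer malware deletes shadow copies when it finds them, and Harlan asks how such systems can be detected or analyzed. One place to look is process-creation telemetry (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1): the commands that remove or starve shadow copies are few and easy to match. The script below is an added example, not code from the post or from any commenter. It runs that check over a handful of constructed records in a pipe-delimited form (time|user|parent image|command line), which is an assumed export layout rather than any tool's native format; the command lines it matches are the ones publicly associated with shadow-copy deletion, and the severity weighting (Office or browser parent, /all or /quiet, commands that remove every copy) is my own heuristic.

```python
"""Flag process-creation records whose command line deletes or starves
Volume Shadow Copies.  Added example; the records below are constructed
to mimic Windows Security 4688 / Sysmon Event ID 1 fields and are not
from any real case."""
import re
from typing import Dict, List

# Command lines publicly associated with shadow-copy removal.  Each pattern
# tolerates a ".exe" suffix, extra switches and case differences.
SHADOW_COPY_TAMPERING = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))",
                re.I | re.S)),
]

# Parents that should never be spawning shadow-copy maintenance: a document
# or browser process in that role is the classic ransomware chain.
USER_APP_PARENTS = re.compile(
    r"(?:winword|excel|powerpnt|outlook|chrome|firefox|iexplore|msedge|acrord32)\.exe$",
    re.I)

# Constructed sample export, one record per line: time|user|parent image|command line.
# The field layout is an assumption; adapt parse_records() to your collector's output.
SAMPLE_LOG = """\
2015-12-22T21:14:03|CORP\\jdoe|C:\\Windows\\explorer.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\invoice.docm"
2015-12-22T21:14:09|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2015-12-22T21:14:10|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2015-12-22T21:14:11|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2015-12-22T21:14:12|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"
2015-12-22T23:00:00|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe list shadows
2015-12-23T01:00:00|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /For=C: /Oldest
"""


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited export.  maxsplit=3 keeps a '|' inside the
    command line (PowerShell pipelines) from breaking the record."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, user, parent, cmd = line.split("|", 3)
        records.append({"time": time, "user": user, "parent": parent, "cmd": cmd})
    return records


def match_rules(cmd: str) -> List[str]:
    """Names of every tampering pattern that fires on one command line."""
    return [name for name, rx in SHADOW_COPY_TAMPERING if rx.search(cmd)]


def severity(record: Dict[str, str], rules: List[str]) -> str:
    """Heuristic weighting (an assumption, tune it to your estate): a user-facing
    parent or a command that wipes every copy is 'high'; a single-copy deletion
    from a service may be backup-agent housekeeping and is 'medium'."""
    cmd = record["cmd"].lower()
    if USER_APP_PARENTS.search(record["parent"]):
        return "high"
    wipes_everything = {"wmic shadowcopy delete", "vssadmin resize shadowstorage",
                        "powershell Win32_ShadowCopy removal", "wbadmin delete catalog"}
    if "/all" in cmd or "/quiet" in cmd or wipes_everything.intersection(rules):
        return "high"
    return "medium"


def detect(log_text: str) -> List[Dict[str, object]]:
    """Run every record through the rules and return the hits in log order."""
    hits = []
    for record in parse_records(log_text):
        rules = match_rules(record["cmd"])
        if rules:
            hits.append({**record, "rules": rules, "severity": severity(record, rules)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["severity"]:6} {hit["user"]:22} '
              f'parent={hit["parent"]} rules={hit["rules"]}\n    {hit["cmd"]}')
```

On the sample data the Word-spawned chain and the three follow-on commands come out "high", the benign "vssadmin list shadows" produces no hit, and the SYSTEM-launched "/Oldest" deletion is flagged "medium" so an analyst verifies the parent and schedule rather than dismissing it. A system where "vssadmin list shadows" returns nothing can mean VSC was never enabled, as James observes above, or that the copies were deleted; the process-creation history and the timeline around the deletion command are what distinguish the two.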