Comments on Windows Incident Response: Random Stuff
Feed last updated 2024-03-19T07:46:20.437-05:00

Adam, 2014-07-15T12:40:29.651-05:00

The part on host-based analysis reminded me of the memory hierarchy from computer science that's used to cache data for quicker access, which is clearly relevant to DFIR (e.g. Order of Volatility).

Where CS uses the memory hierarchy to cache data for an increase in performance, it's important for forensicators to use caches to increase evidence. Maybe you can't capture full content PCAPs, but you can probably capture NetFlow and other network logs. Similarly on the host, by using Event Logs, Carbon Black, custom scripts, etc., you can control the memory hierarchy and store the cache for as long as you like by bringing volatile data to disk.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-07-15T05:38:42.808-05:00

Daniel,

Thanks for the comments.

> ... implementing a tuned windows event log policy can be of great value...

Yes, of course, I agree with you on that...but the fact is that few organizations do this, particularly on workstations.

I do agree that more response activities need to be based on a thoughtfully considered subset of files...and that getting to that point requires education and experience.

> In regards to mentoring, it is very limited maybe due to trust?

My thought is that "trust" is too nebulous a term...I think that it's more a fear of being exposed, or having to expose what you're doing. Think about it...who wants to find out that the work that they've been doing could have been done faster and more completely using another process, that what they provided in their report that was based on assumption and speculation could have easily been verified?

> ...that there is a missed opportunity for improvement.

I think that inherent to that is the need to accept the fact that something could be improved.

> ...your reporting chapter has really helped me shape up my reporting format...

Thanks for sharing that...I'm glad to hear that. It validates my original thoughts regarding including it.

43nsicbot (https://www.blogger.com/profile/10129306415286340173), 2014-07-14T22:34:15.852-05:00

Great points, Harlan. I would like to add that implementing a tuned Windows event log policy can be of great value, such as turning on things like process auditing and object access (this one is tricky). Using event log data and information from the registry hives, as well as the user hive and MFT, and then taking a layered approach can reveal suspicious activity from just these sources. Using this "lightweight forensics" technique can allow responders to be quicker in triaging and investigating systems.

In regards to mentoring, it is very limited, maybe due to trust? I agree with your points that there is a missed opportunity for improvement.

Lastly, your reporting chapter has really helped me shape up my reporting format when I've been called upon to compile a report based on findings, especially the timeline analysis section. Kudos.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-07-10T15:38:47.081-05:00

Ken,

Thanks for the comment.

> ... every organization has its own reporting requirements...

I'm not sure that's the case. While I do know that there are specific formatting requirements when it comes to PCI forensic analysis reports, for the most part, I haven't seen any such reporting requirements at companies I have worked for, nor at those I've been associated with through other means. For the most part, my impression has been that this is a pretty ad hoc process.

> I'm not sure how such a thing could be set up...

I'm not sure that you have to wait for something to be set up. I would suggest that the way to go about this is to consider what it is you'd like from such a relationship, what you're willing to give or put into it...and then ask someone. I really think it's that simple.

Again, thanks for the comment.

Ken Pryor (https://www.blogger.com/profile/06777221347861058406), 2014-07-10T15:16:31.483-05:00

First, I wanted to say how glad I was to see the chapter on reporting in WFA4e. Reporting is something that no courses seem to teach to any great extent, probably because every organization has its own reporting requirements and no course can teach them all. Still, you did a great job in the book teaching the basics of what's needed.

Also, regarding mentoring, I really like the idea. Those of us in positions like mine, where you aren't taking on a new CF case every day, could really use the support and instruction of a mentor. I'm not sure how such a thing could be set up, but I think there is merit in the idea.

Ken