Comments on Windows Incident Response: New Year's Resolutions

H. Carvey, 2007-01-05 09:41 (-05:00)

<i>I'll bet more advances have been made over a beer in all facets of human endeavor than anything else...</i>

Without a doubt! Case in point...<a href="http://leathernecklane.com/marine/history/history.htm">Tun Tavern</a>.

Jump forward to <a href="http://en.wikipedia.org/wiki/Battle_of_Belleau_Wood">Belleau Wood</a>, June 1918...two German machine gunners sitting in a fighting hole, sharing a brew. One says to the other, "Hey, what should we call these guys, these 'marines'?"

The other says, "How about 'Teufelhunde'?"

;-)

Bill Ethridge, 2007-01-05 08:46 (-05:00)

I'll bet more advances have been made over a beer in all facets of human endeavor than anything else...

"Also, I think that there are a lot of folks out there who are afraid to fail.."

True, we all have that instinct up to a point; a hero isn't the guy that has no fear, a hero is the guy that acts in spite of his fear. We need some good old-fashioned military-type discipline and go-gettum.

It's easy to jump on the CF bandwagon; it's something else to advance the science.

H. Carvey, 2007-01-05 07:36 (-05:00)

<i>...it will be a matter of getting it admitted by fair judges who will look at the documentation and methods and decide they are sound</i>

And it is up to us, as the examiners and first responders, to ensure that the documentation and methods are sound. Also, I think that there are a lot of folks out there who are afraid to fail...afraid to make the attempt at the risk of getting shot down. When the sun sets, remember Thomas Edison didn't get the light bulb right the first time.

<i>The big picture has to change... to knowing the nuts and bolts of the OS's and file systems...</i>

Agreed. The information is out there and it's ridiculously easy to come by. You can even get it by going to one of the social networking events like <a href="http://novasec.blogspot.com">NoVASec</a> or even just grabbing a beer with someone.

Bill Ethridge, 2007-01-05 07:01 (-05:00)

Good resolution. It's like DNA: it was always there, it just took advancement of science and methodology to identify it as a useful forensic item, and acceptance in the legal system as valid; now hardly a physical crime goes by that doesn't include DNA evidence. We have to find our DNAs.

I would like to see the move to more live acquisitions for a couple of reasons. Use of encryption is becoming more commonplace. Any CF examiner who shuts down a system without first checking to see if FDE is being used is going to be in for some rude surprises after the image is made. Also, performing just a dead system analysis is somewhat akin to performing an autopsy when the brain has been removed from the body. As far as the courts go, it will be a matter of getting it admitted by fair judges who will look at the documentation and methods and decide they are sound. BUT, if no one tries and performs none of these, they will never be seen as "normal" or "acceptable".

I know it's hard for me to set up lab time to practice new ideas or find new registry keys to look at, etc., when I have billable time I could put in, BUT it's a price I have to pay to be able to advance my abilities. The big picture has to change from third-party forensic tool use to knowing the nuts and bolts of the OS's and file systems we analyze, so we even know what we are capable of proving.

Oh yeah, I forgot, my NY resolution was to not get on a soapbox this year. Oh well.....
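The "check for FDE before you pull the plug" step from the comment above, as an added example that is not part of the original post or any of its comments: a PowerShell triage script an examiner can run from an elevated prompt on the live box before deciding whether a dead image will be readable. It assumes Windows Vista / Server 2008 or later (the BitLocker WMI provider under root\CIMV2\Security\MicrosoftVolumeEncryption); the function name Get-FdeTriage and the "volume with no recognised file system means possible third-party FDE" heuristic are this example's own assumptions, not a definitive detector.

```powershell
# Added example, not from the post or its comments: pre-shutdown triage for full-disk
# encryption on a live Windows host. Assumes Vista / Server 2008 or later and an elevated
# prompt. The RAW-volume heuristic for third-party FDE is an assumption: it flags volumes
# the OS cannot read, which is what many encrypted containers and volumes look like, but it
# is a prompt to investigate, not proof of encryption.

function Get-FdeTriage {
    $findings = @()

    # BitLocker: query the volume-encryption WMI provider directly. This works on hosts that
    # lack the BitLocker PowerShell module (the module only shipped with Windows 8 / 2012).
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $bl = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $bl) {
        $conv  = $v.GetConversionStatus()
        $state = switch ($conv.ConversionStatus) {
            0 { 'FullyDecrypted' }
            1 { 'FullyEncrypted' }
            2 { 'EncryptionInProgress' }
            3 { 'DecryptionInProgress' }
            4 { 'EncryptionPaused' }
            5 { 'DecryptionPaused' }
            default { "Unknown($($conv.ConversionStatus))" }
        }
        $findings += [pscustomobject]@{
            Volume    = $v.DriveLetter
            Source    = 'BitLocker'
            State     = $state
            Protected = ($v.ProtectionStatus -eq 1)   # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
            Percent   = $conv.EncryptionPercentage
        }
    }

    # Heuristic (assumption): fixed volumes that report no file system at all. Treat as
    # "suspected third-party FDE / container" and confirm by other means before acting.
    Get-WmiObject -Class Win32_Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 3 -and [string]::IsNullOrEmpty($_.FileSystem) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Volume    = $_.DriveLetter
                Source    = 'No recognised file system (possible third-party FDE)'
                State     = 'Unknown'
                Protected = $null
                Percent   = $null
            }
        }

    return $findings
}

$results = Get-FdeTriage
$results | Format-Table -AutoSize

# Anything protected, mid-conversion, or unreadable means a powered-off image may be
# useless: capture RAM and a live logical image of the mounted volumes first.
$live = $results | Where-Object { $_.Protected -eq $true -or $_.State -ne 'FullyDecrypted' }
if ($live) {
    Write-Warning 'Encryption detected or suspected: acquire memory and a live logical image BEFORE powering off.'
} else {
    Write-Host 'No encryption indicators found on fixed volumes; a post-shutdown image should be readable.'
}
```

The BitLocker branch reports real state (a volume that is fully encrypted but has protection suspended still decrypts transparently after a reboot only while its clear key is present, so the script warns on either ProtectionStatus or ConversionStatus). The second branch is deliberately conservative: a RAW volume can also be a corrupt or unformatted partition, which is why it is labelled "possible" and should be confirmed by looking at loaded drivers and the disk layout rather than assumed.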