Comments on Windows Incident Response: Hosted Training

H. Carvey (2013-02-18 16:12 -05:00):

Dave,

Thanks. I was simply honoring your license agreement, as it is stated. A training course is a commercial effort.

Thanks.

Dave Tomczak (2013-02-18 15:49 -05:00):

Just to be clear, TZWorks has not denied any course the use of their tools to be used as part of the curriculum, when it is for educational purposes. All you need to do is ask, so we are aware.

Rob Lee (2013-02-18 10:07 -05:00):

Jumping into the conversation as you bring up a very valid point.

Totally agree with you Harlan -- it would be an integrity issue to use something that you didn't pay for if you are charging for it.

The nice folks at TZWorks gave SANS permission to use it in our training courses as demonstration of artifacts and allow the students to work with their software so that the students can evaluate it.

We have a similar relationship with Magnet Forensics (IEF), AccessData (FTK), and Guidance Software (EnCase). We also demonstrate, in most cases, an open source or freeware option as well so the student will be able to make a decision on their own.

Perhaps, if you think the tool is valuable you might reach out to the vendor and ask permission. The vendors usually like the exposure during a class. The students like testing which capability seems to work the best.

Anyway... just a thought.

Best,
Rob

H. Carvey (2013-02-17 13:10 -05:00):

Those with the licenses that state that they cannot be used for commercial purposes.

For example, TZWorks includes this information in their license agreement:

"... is for non-commercial personal use ONLY."

I know a lot of people ignore this stuff, but as I read it, teaching a course or giving a presentation for which I get paid is not personal, but commercial use.

Greg P (2013-02-17 13:01 -05:00):

Which tools are you not allowed to go in-depth due to their licenses?

H. Carvey (2013-02-13 18:10 -05:00):

Greg,

Again, the objective of the course is to provide analysts with an understanding of what artifacts are available, and how they can be used to provide detail, context, and increased relative confidence in the data. I use my own tools solely for the purpose of demonstrating the data that is available and how it can be used. My hope is that by engaging, I can help analysts develop an understanding of the data that is available, so that they can better use the tools of their choice. I don't want analysts to run a tool and accept the output...rather, it's better for analysts to understand what *should* be there, so that they can recognize when something *isn't* there that should be.

If that would be useful to you, then the answer to your question would be, "yes".

However, there are some tools for which we don't go into depth, in part because the licenses specifically state that they can't be used for commercial purposes.

If you want to use l2t, that's fine. It's a great tool. I happen to incorporate a great deal of Registry, Jump List, and now *.idx file metadata into my timelines, where appropriate.

Greg P (2013-02-13 17:51 -05:00):

So if you are tool neutral, do you only teach your own timeline tools then? What if I wanted to use log2timeline instead, would your class still be applicable or useful?

H. Carvey (2013-02-13 16:14 -05:00):

This post (http://windowsir.blogspot.com/2013/01/training.html) covers, in a good bit of detail, what's in the course.

The objective is to provide analysts with an understanding of what artifacts are available and how they can be used to provide detail and context for exams. The idea of the course is to demonstrate how powerful timelines can be as an analysis methodology, and allow the analyst to determine which tools are best for the job.

H. Carvey (2013-02-13 14:10 -05:00):

No, sir.

Greg P (2013-02-13 13:58 -05:00):

Do you teach log2timeline in your Timeline Analysis training?