Comments on Windows Incident Response: SANS Forensic Summit
Comment feed, last updated 2024-03-19; 13 comments, newest first.

Anonymous, 2009-03-16 06:25
Thanks for this nice post.

Anonymous, 2009-01-13 08:11
ur blog is very nice
Small business website design: http://www.creativewebsitedesigner.com

Anonymous, 2009-01-13 08:10
nice post

sham, 2008-10-21 16:09
Darren is the guy that got the job of cleaning up Cory's old documentation ;)
You can find me on #volatility

I'm pushing to be able to release what I have at the moment, but I'm trying to merge my analysis framework into something sensible like pyflag so I can avoid a lot of the heavy lifting they have solved.
The current stuff converts everything into a mactime-esque format and then allows working with the results.

Zeitline looks good; it offends my C/python sensibilities, but I guess I can get past that :)

H. Carvey, 2008-10-16 15:28
Who is "Darren"?

Anonymous, 2008-10-16 15:17
Darren,
I met with AAron Walters afterward to discuss my desire to create a time-stamp timeline. My idea was that it be perhaps Web-based, like a language translator: paste the text and hit a button that translates your time-stamps into a visual timeline. Aaron suggested I contact/read Florian Buchholz' work on Zeitline (http://projects.cerias.purdue.edu/forensics/timeline.php). Let me know if you'd like to work together, as I'd be starting from scratch.

H. Carvey, 2008-10-16 10:22
I was still miserable b/c you weren't there, CoreE.

Cory, 2008-10-16 10:15
I was hoping you would all get dysentery or something and be miserable since I was unable to attend.

Sorry to hear you had such a good time.

H. Carvey, 2008-10-16 08:13
I'll see what I can do... it's not mine to post... it's IBM's...

hogfly, 2008-10-16 08:08
Harlan,
Will you be making your presentation available anywhere?

H. Carvey, 2008-10-16 05:21
Darren,

Any chance of getting that, or some part of it, posted somewhere?

sham, 2008-10-16 03:26
Doing the timeline for the registry is really valuable. I'm currently doing that in an IR tool I am working on.
It collects via WMI: processes, software installs, file system, prefetch and registry, etc. On analysis it puts all these into one timeline so you can see registry changes, process start-ups, reboot times, security event log entries, prefetch creation, and I now even include external firewall entries. It makes pinning down an issue incredibly quick because the validation from multiple independent sources is there in one place.

Doug C. (cpldbc), 2008-10-15 22:42
Harlan,

It was cool to meet you after reading your works. Enjoyed the discussion on working RegRipper into a timeline analysis script.

I for one am looking forward to you releasing that tool out to the masses. Since I'm still at the SANS event for four more days, I took the time to start writing an EnScript last night.

Doug C.