Comments on Windows Incident Response: Alternative Methods of Analysis

(8 comments, shown in posting order, oldest first)

Anonymous, 2007-11-21 22:40 (-05:00):

I agree that live acquisition can be essential in some cases, but it's not going to happen in the vast majority of LE investigations. The philosophy envisions a trained examiner being on the scene of every search in which a computer may be running.

The hypothetical Q&A in the article simply brings home what happens during every moderately astute cross examination. It's exaggerated. You can't prove a negative conclusively in most instances. You and I could easily construct some similar Q&As to attack an examiner who did a proper live acquisition:

> Defense Attorney: So, when you ran your live acquisition tool, you overwrote some memory that contained another person's confession.

The article has merit, but is idealistic in today's world. Tomorrow, it may be realistic.

Using best practices best defends against the trojan defense. Still, what do you say when asked whether a root kit might have existed at one time? All the "possibility" questions may not achieve their advocate's intent if he or she doesn't present some proof that Bug X existed. I've been there, and a competent trial attorney will recap the case and emphasize testimony and fact over speculation. You may recall a recent post on a well-respected forum that failed to produce any findings of any malware ever having downloaded child pornography to a system. The problem, however, is what would you say if I asked you whether it is possible?

As you said, "greater knowledge" is the key. Your blog, help, and writings advance that goal.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-11-22 08:17 (-05:00):

Jimmy,

Thanks. I agree that collecting volatile data isn't always possible or practical...even in the non-LEO world. There are many times when the system has been taken offline, scanned, rebooted (several times), etc. Live acquisitions turn out to be more common for me, it seems...the system cannot be taken down, there is no write-blocker for the hard drives, etc.

I've always had an issue with arguments that included "a competent defense attorney would tear that apart"...largely b/c a competent prosecutor would ensure that the case did not hinge on a single piece of "evidence".

> Your blog, help, and writings advance that goal.

Any thoughts on how to improve any of those would be greatly appreciated.

Anonymous, 2007-12-02 22:16 (-05:00):

> Any thoughts on how to improve any of those would be greatly appreciated.

I think that a paper or guide on event logs would help many of us, who may not routinely review this data. Something like your registry spreadsheet comes to mind, if there can be a straightforward reference. Vista, of course, expands the value of these logs, so they may be more important than before.

H. Carvey, 2007-12-03 05:38 (-05:00):

Jimmy,

> I think that a paper or guide on event logs would help many of us...

What suggestions would you have toward modifying or updating the material in my book?

Anonymous, 2007-12-04 18:11 (-05:00):

I haven't had a chance to check out the web sites you cited as references on event IDs, but that's largely what I had in mind. (I didn't want to ignore your question.) A reference on activities/events that are logged may be more important. That may be overly broad, but I'd guess that many folks are unaware of the value of logs because they don't know what can be found. Event logs may not be essential to many cases that LE typically work, but perhaps their value is under estimated. Most training programs only touch upon logs superficially.

H. Carvey, 2007-12-04 18:33 (-05:00):

> A reference on activities/events that are logged may be more important. That may be overly broad, but I'd guess that many folks are unaware of the value of logs because they don't know what can be found.

It all comes back to knowledge, and a willingness to develop and learn.

> Event logs may not be essential to many cases that LE typically work, but perhaps their value is under estimated (sic).

I think that in many cases, the Event Logs are simply not considered as a source of valuable information, and b/c they aren't examined or analyzed regularly, most likely consider it too time consuming an endeavor anyway.

> Most training programs only touch upon logs superficially.

That's unfortunate. I did some work not too long ago, and the *only* source of data to answer a question was the Event Logs.

Event Log analysis goes, at least in part, hand-in-hand with Registry analysis. The Security Registry hive file will tell you what the audit policy was on the system, as well as when it was modified. The System hive file will give you info regarding the size and retention of the Event Log files.

Because Event Log analysis isn't being performed regularly now, it is likely that the potential value of the Vista Event Logs will be lost entirely.

Anonymous, 2007-12-04 22:28 (-05:00):

I agree. However, many of us are willing to learn, but depend on others to provide resources. "Log File Forensics." A book? A four-hour course? An entire program could revolve around Vista log analysis.

The logs can be a valuable source of information, but I don't think that, "most likely consider it too time consuming an endeavor". I do think that many don't realize the value of the logs, because, in part, there hasn't been an effort to develop some training in this aspect of forensics. Those of us who focus on image analysis of single machines may need some examples of what the logs can provide.

I have checked out EventID.net and found it very helpful. At least there's a source to explain the events in a friendly format. Recognizing which events warrant study is the key.

H. Carvey, 2007-12-05 06:58 (-05:00):

> However, many of us are willing to learn, but depend on others to provide resources.

I can completely understand that, Jimmy, but I have to admit, I don't see a great deal of questions along these lines. I monitor a couple of lists and forums, and accept direct emails, and I don't see much in the way of questions about Event Logs. In fact, I haven't seen any.

> ...there hasn't been an effort to develop some training in this aspect of forensics.

Puh-lease don't say that it's a case of "someone didn't tell us this was important"! ;-)

But seriously...who would sign up for the training? One of the biggest issues I've seen is that while I've got the material and would be more than happy to provide the training, it is extremely difficult to break even, revenue-wise.

However, I do see the direction you're going. The biggest issue is that for someone to provide that kind of material...descriptions of what the Event Log (Win2K3 and Vista) *can* provide...it's going to require some considerable resources.
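Carvey's 2007-12-04 comment above makes a concrete, checkable claim: the System hive records the size and retention settings of the classic Event Logs (under Services\EventLog in the active control set), and the Security hive records the audit policy under Policy\PolAdtEv, whose key last-write time tells you when that policy was last changed. The script below is an added example, not code from the thread or from any of Carvey's tools. It assumes the third-party python-registry package for offline hive parsing; the hive paths on the command line are placeholders, and decoding the per-category audit flags inside the PolAdtEv blob (which is OS-version specific) is deliberately left out.

```python
"""Read Event Log sizing/retention from an offline SYSTEM hive and the
audit-policy key's last-write time from an offline SECURITY hive.

Added example; not code from the original thread.  Assumes the third-party
python-registry package (pip install python-registry) for hive parsing.
"""
import sys
from datetime import datetime
from typing import Dict, Tuple

NEVER_OVERWRITE = 0xFFFFFFFF   # Retention value meaning "do not overwrite"
SECONDS_PER_DAY = 86400


def control_set_name(current: int) -> str:
    """Map the Select\\Current DWORD (e.g. 1) to its key name (ControlSet001)."""
    if not 1 <= current <= 999:
        raise ValueError(f"implausible Select\\Current value: {current}")
    return f"ControlSet{current:03d}"


def describe_retention(retention: int, max_size: int) -> str:
    """Interpret the Retention and MaxSize DWORDs of a classic Event Log key:
    Retention 0 = overwrite as needed, 0xFFFFFFFF = never overwrite (clear
    manually), any other value = seconds an event must be kept before it
    may be overwritten.  MaxSize is in bytes."""
    if retention == 0:
        policy = "overwrite events as needed"
    elif retention == NEVER_OVERWRITE:
        policy = "never overwrite (clear log manually)"
    else:
        policy = f"overwrite events older than {retention // SECONDS_PER_DAY} days"
    return f"max size {max_size // 1024} KB, {policy}"


def read_eventlog_settings(system_hive: str) -> Dict[str, dict]:
    """For each log under Services\\EventLog in the active control set, return
    the log file path, MaxSize, Retention, a readable summary, and the key's
    last-write time (when the settings were last touched)."""
    from Registry import Registry  # lazy import: the pure helpers above run without it

    reg = Registry.Registry(system_hive)
    current = reg.open("Select").value("Current").value()
    base = reg.open(control_set_name(current) + "\\Services\\EventLog")
    settings: Dict[str, dict] = {}
    for log in base.subkeys():
        vals = {v.name(): v.value() for v in log.values()}
        max_size = vals.get("MaxSize")
        retention = vals.get("Retention")
        settings[log.name()] = {
            "file": vals.get("File"),
            "max_size": max_size,
            "retention": retention,
            "summary": (describe_retention(retention, max_size)
                        if max_size is not None and retention is not None
                        else "defaults (values not set in hive)"),
            "key_last_write": log.timestamp(),
        }
    return settings


def audit_policy_last_modified(security_hive: str) -> Tuple[datetime, bytes]:
    """Return the last-write time of Policy\\PolAdtEv and its raw default value.
    The timestamp answers "when was the audit policy changed?"; decoding the
    per-category flags in the blob is OS-version specific and not attempted here."""
    from Registry import Registry

    reg = Registry.Registry(security_hive)
    key = reg.open("Policy\\PolAdtEv")
    try:
        raw = key.value("(default)").value()
    except Registry.RegistryValueNotFoundException:
        raw = b""
    return key.timestamp(), raw


if __name__ == "__main__":
    # Usage (hypothetical paths): python eventlog_hives.py C:\case\SYSTEM C:\case\SECURITY
    system_hive, security_hive = sys.argv[1:3]
    for name, info in read_eventlog_settings(system_hive).items():
        print(f"{name}: {info['summary']}; file={info['file']}; "
              f"key last written {info['key_last_write']}")
    when, blob = audit_policy_last_modified(security_hive)
    print(f"Audit policy (PolAdtEv) last written {when}; {len(blob)} bytes: {blob.hex()}")
```

Two caveats for anyone running this on a real case: the key last-write times are what let you line up a retention change or an audit-policy change against the rest of the timeline, so record them alongside the values; and this reads only the classic Application/Security/System-style keys. On Vista and later, the newer per-channel settings live in the SOFTWARE hive under Microsoft\Windows\CurrentVersion\WINEVT\Channels and are not covered here.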