Comments on Windows Incident Response: IR Immediate Actions
(Blogger comments feed, last updated 2024-03-19T07:46:20-05:00; 5 comments, newest first)

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-01-17T11:04:00-05:00:

LV,

Consider what happens when the plug is pulled...when there is no longer any network connectivity, what happens to the output of netstat?

I can think of a great number of cases where network connection info was pertinent, but not available...botnet and intrusion investigations, PCI forensic audits where one of the questions was, "was any data taken?", etc.

I've seen cases where port scanning or brute-force attempts to log into SQL have been noticed, and the plug immediately pulled...but no information (remote IP address, etc.) saved.

Unfortunately, most folks don't sit down and consider their questions *before* an incident occurs...

Comment by Unknown (https://www.blogger.com/profile/15357840241031190415), 2008-01-17T10:52:00-05:00:

Is pulling the network plug an acceptable response, and then leaving the system running?

Comment by Anonymous, 2008-01-14T10:47:00-05:00:

Shutting down the system, rebooting, and the other steps taken to make your response difficult or futile.

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-01-14T05:39:00-05:00:

"I'm a little curious about which tool comes with such restrictive licensing requirements."

According to the license, consultants cannot use Nigilant32. There are others, as well...as I said in the blog, you have to read the license agreement.

"Of course, the balance of your comments may render the point moot"

How so?

Comment by Anonymous, 2008-01-13T18:35:00-05:00:

"I am extremely limited . . . due to the license agreement associated with that tool."

I'm a little curious about which tool comes with such restrictive licensing requirements. Your book provides some superb guidance on tools that seem to be freely usable. For a few hundred bucks, you can buy a copy of X-Ways Capture, which you could use in the field. (Vista issues aside, for the moment.) Of course, the balance of your comments may render the point moot :-)