Comments on Windows Incident Response: There are Four Lights: Program Execution

Ken Pryor, 2013-03-18 23:22 -05:00

Great information and very timely for me. I'm working a case with a Windows 2008 Terminal Server. I appreciate this post, as I believe it will help me answer some questions I still need to answer.
KP

Thierry_Fr, 2013-03-19 01:46 -05:00

Great summary. Thank you.
I would add AV logs, which can be useful too.

H. Carvey, 2013-03-19 16:15 -05:00

Ken,

Can you elaborate on how this information was useful to you?

Ken Pryor, 2013-03-19 22:33 -05:00

Certainly! First, it was just helpful, as I don't work a lot of cases that require determining program execution and so on. Most of my cases are CP-related and are basically a case of find the porn and, if possible, try to figure out how it got there. That's often accomplished with a timeline and not much else.

So, it was an exciting thing for me to hear my most recent case had nothing to do with CP, but rather the intrusion to a 2008 server. I discovered WinRAR, some hacking tools, 3 different web browsers and a bulk email program in a couple of the user downloads and desktop folders. I wanted to determine whether or not any of those things had been used by the intruders. That wasn't too difficult for the browsers, as there was significant web history for each browser. I needed to see if the other items had been run or if the intrusion had been discovered in time to interrupt the bad guys. I found evidence of them all being run in the registry (UserAssist).
I haven't finished looking at everything yet. I plan to check the AppCompatCache when I go back into the office.

KP

H. Carvey, 2013-03-20 17:43 -05:00

Ken,

Thanks for the comment.

So, you were able to run the RegRipper UserAssist plugin against the NTUSER.DAT? How about the appcompatcache.pl plugin against the System hive?

Ken Pryor, 2013-03-22 02:39 -05:00

Sorry for the delayed reply. My shifts are a little crazy this week.

I ran the appcompatcache.pl plugin against the System hive and found more evidence of several programs I was interested in being run. I'm still going through all the output, but RR with this plugin definitely provided useful information.
KP

H. Carvey, 2013-03-22 06:12 -05:00

Ken,

Interesting comment, thanks. I DM'd you on Twitter with a question... sorry, I don't have an email address for you...