As requested I am putting up a sample of the information I have (it has been sanitized) of some notes I recently took during an investigation. The file is here. In the future when you leave comments if you can let me know who you are I would greatly appreciate it. If you don't feel comfortable leaving your name then just shoot me an email Mark.McKinnon@sbcglobal.net, I like to know who is requesting things and commenting.
I know I have not blogged lately and I am getting some stuff ready to share with everyone so be patient. If anyone has something they want passed along let me know and I will pass it along. You can contact me at the above email address. Make sure you put something in the subject relating to the blog.
Anyone will to share any file hashs that they have built? I have some hashs that I am putting together and will try and get them out within the Month.
Sorry this is short but more will be comming.
Tuesday, February 6, 2007
Posting of Sample Notes
Subscribe to:
Post Comments (Atom)
6 comments:
Very interesting set of notes.
Just out of curiousity, though...do you usually check the contents of the UserAssist key? How about USB devices?
I did not put the full set of my notes out there. As you can tell I left out Info on the Hard Drive and a few other things. Depending on the case is what type of info I would have in there. Some of the things I checked were revelent to the case and I was able to leave them in as just a sample. HTH.
Mark,
Looking at your case notes again, I see a lot of stuff that could easily be automated...stuff that, if automated, wouldn't be forgotten during the next case. Also, someone could run your automation script and it would be as if you were there.
My thoughts are this...what do you think of a forensic preprocessor that will comb through an acquired image (mounted as a read-only drive), automatically extracting data and performing initial correlation?
I think something like this would be extremely useful to seasoned investigators, but would also be a "force multiplier", in that a seasoned investigator could maintain it and give copies to junior investigators.
Other benefits include reliability, verifiability, as well as counter-anti-forensics techniques.
Thoughts?
Harlan,
What I hear you saying is that if I take an image (will have to do a little work up front to get the drives and such) and write a front end using autoit and the sleuthkit it would then do the following:
1. Parse the image and find specific files (event logs, registry, etc..)
2. Analyze those files and store the information I wanted into a database or flat file. This could also prompt for other activities to be done but would require more logic to be put into the system.
3. Page me when it is done (just an added bonus)
4. allow me to give this information to someone else to look at and I can also have the information preformatted.
5. With a little more programming I can also create web page reports that could then be given to soneone else as well.
Did I understand you right? I have always thought that automation was the way to go but to accomplish this you need to have knowledge on what to look for and what you as the investigator want to look for. One problem I sse with this much automation, and with all automation,is that people will rely on the automation and not understand the underlying processes.
Let me know if I totally missed what you said.
Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!
The first misconception that wannabes might invariably have is Hogan could be marginally harder than mountain trekking. If Hogan scarpe donna was the case, Hogan uomo need not have to be stiffer and flexible simultaneously. Add to Hogan scarpe uomo the extra mid-sole cushion to make you forget the heavy thumping downhill running.
Post a Comment