
For those who've read my book...

17 Posts
8 Users
0 Reactions
1,958 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Hogfly,

You know, you're probably right…I didn't cover that quite enough in the first book. The reason for that brings up an entirely different area of discussion regarding "forensically sound" processes.

I'll go ahead and start another thread on that topic, but what I'm getting at here is that forensics purists will say that a "forensically sound" process on a live system is impossible. Even if the tools themselves do not write to the hard drive, changes will occur to the system simply because it's still live. At that point, what constitutes "forensically sound"?

I'd like to ask that those interested pursue this thread here, and I'll go start a thread regarding forensically sound processes…

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com


psu89
(@psu89)
Estimable Member
Joined: 20 years ago
Posts: 118
 

I hate to hijack your thread but….

I was trying to run a few scripts (like mdmscan.pl and sniffscan.pl) that I discovered needed a file generated by wksdump.pl. I was under the impression that wksdump.pl could only be used in a domain. I had already read Appendix A and was able to install modules, but I could not get rasadmin.ppd installed.

Would you recommend I install most (or all) of the modules mentioned in the book first before continuing?

Brian


psu89
(@psu89)
Estimable Member
Joined: 20 years ago
Posts: 118
 

From my perspective, the first book lacked one of the things that you talk about quite a bit. The process. It is not so much the tools used, but the process that gets held under a microscope. I'd like to see a focus on responding to and handling Windows OS-based incidents that covers process and procedures that will hold up under scrutiny. I'd like to see this from start to finish.

As a newbie to the field (actually I am not even in the field yet), I would have to agree - the process would be very helpful.


(@nbeattie)
Eminent Member
Joined: 20 years ago
Posts: 26
 

Harlan

I haven't had too much time to read through your book yet (it's my spare time project for the next few weeks), but I agree with the previous responders that sample files & exercises would be very useful.

I would also find it useful if there was information covering instant messengers such as AOL and Yahoo since they are so commonly used these days. Also spool files.

Have you considered delivering an "online course" as backup to the book - say providing a number of exercises for each section, providing support and marking them?

Neil


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Neil,

Have you considered delivering an "online course" as backup to the book - say providing a number of exercises for each section, providing support and marking them?

Yes, I have. I don't think that finding web space for them would be difficult, but what would I do outside of posting them?

Another concern would be other obligations…putting exercises together, particularly several for each section (assuming increasing the difficulty, etc.), is time consuming. At this point, there's no financial outcome from the effort, since the book is already published. The frequency of the exercises would be reduced by activities that provided remuneration, such as writing articles, teaching courses, etc. I would not reduce the quality of the exercises simply to meet a schedule.

Another issue is feedback for the exercises. Do I simply post them, or do I have some kind of notification of the best or top responses?

Remember, the HoneyNet SotM challenges are hosted by a team of individuals. Compare those in difficulty, frequency, and quality to those from sites like CounterHack.net and the ISC handler who's posted malware analysis challenges.

Thoughts?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com


(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

I've also thought about including challenges, with the results encrypted on the CD with PGP. That way, I could either have the reader email me for the key, or "hide" the key someplace on the CD.

Mr. Carvey

I'm concerned that a few months or years down the line the "email" would be changed, or something else would prevent future readers from unlocking the results. How about the "Russian dolls" approach. There would be a unique fact in the case that the user would have to find in order to unlock the results, or start the next challenge. For example, what is the alarm code for Jimmy Jungle's garage? (taken from http://www.honeynet.org/scans/scan24/). This could then unlock the next challenge, as well as providing a more detailed solution for the current challenge. Of course, all the answers would be posted on the web shortly after the book was released. This would force readers to start in the beginning and progress in an orderly fashion.

In addition, I would also like to see some more books focusing on a step-by-step process. I like the new book, Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, Curtis W. Rose, because it walks you through many cases and many different configurations.

Too many books are too much theory and not enough hands-on "this is how to do it". I think for many people, the first step to digital forensics is too high - all this theory, but no real step by step starting points.

For live incident training, providing a VMware image of a system (Windows would be nice but complex license issues, so Linux might do) that the reader could try live analysis on.

Finally, providing the reader with a public domain or open source toolkit, such as Helix or Penguin Sleuth, so they would have the tools available, rather than trying to hunt them down from numerous websites.

bj

p.s. thanks for all of your great forensics work… I've learned a lot from it…


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

bjgleas,

Thanks for your comments, and I do appreciate the issues you raise. These are all things I've had to consider.

Finally, providing the reader with a public domain or open source toolkit…

The approach I generally take, particularly with regards to live response on Windows systems, is that booting to a Linux distribution is not the answer…all the data you'd want to collect is then gone. As far as providing the tools on the CD/DVD, there are huge issues with regards to licensing fees, etc. Just an FYI…

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com


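The two points Carvey makes in this thread, that a live system keeps changing while you collect from it and that booting to a Linux CD throws away exactly the volatile data you came for, both lead to the same defensive practice: if the footprint cannot be zero, the collection must be documented well enough that a reviewer can see what was run, in what order, when, and what came back. The script below is an added example, not code from the original thread or from the book; it runs a list of collectors in order of volatility and writes a hash-chained manifest of their outputs. The names `Collector`, `run_collection`, `verify_manifest` and `SAMPLE_COLLECTORS` are hypothetical, and the collector outputs are constructed sample data so it runs offline; in real use each collector would execute a trusted tool from read-only media and return its raw output.

```python
"""Hash-chained collection manifest for live response on a running host.

Added example (not from the original thread or H. Carvey's book). The
manifest makes the collection's own footprint reviewable: tool line, order,
timestamps and SHA-256 of every output, with each entry chained to the one
before it so later reordering or editing is detectable.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Collector:
    """One volatile-data collector (hypothetical type for this example)."""
    name: str                    # what is collected, e.g. "process list"
    tool: str                    # exact command line, recorded verbatim
    run: Callable[[], bytes]     # returns the tool's raw output


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _chain(prev: str, body: Dict) -> str:
    # Chain hash covers the previous link plus a canonical JSON of the entry.
    return sha256_hex((prev + json.dumps(body, sort_keys=True)).encode())


def run_collection(collectors: List[Collector], case_id: str,
                   clock: Callable[[], float] = time.time) -> Dict:
    """Run collectors in the given order (most volatile first) and build
    the manifest. Nothing is skipped or reordered: the order itself is
    part of what a reviewer needs to see."""
    manifest = {"case_id": case_id, "entries": []}
    prev = sha256_hex(case_id.encode())
    for seq, c in enumerate(collectors, start=1):
        start = clock()
        output = c.run()
        end = clock()
        entry = {
            "seq": seq, "name": c.name, "tool": c.tool,
            "start": start, "end": end,
            "bytes": len(output), "sha256": sha256_hex(output),
        }
        entry["chain"] = _chain(prev, entry)
        prev = entry["chain"]
        manifest["entries"].append(entry)
    manifest["final_chain"] = prev
    return manifest


def verify_manifest(manifest: Dict) -> bool:
    """Recompute the chain; False if any entry was altered or reordered."""
    prev = sha256_hex(manifest["case_id"].encode())
    for entry in manifest["entries"]:
        body = {k: v for k, v in entry.items() if k != "chain"}
        expected = _chain(prev, body)
        if entry["chain"] != expected:
            return False
        prev = expected
    return manifest["final_chain"] == prev


# Constructed sample outputs standing in for real tool output, ordered from
# most volatile (network state) to least (logged-on users).
SAMPLE_COLLECTORS = [
    Collector("network connections", "netstat -ano",
              lambda: b"TCP 10.0.0.5:445 10.0.0.9:51022 ESTABLISHED 4\r\n"),
    Collector("process list", "tasklist /v",
              lambda: b"System 4\r\nlsass.exe 612\r\n"),
    Collector("logged-on users", "psloggedon.exe",
              lambda: b"CORP\\alice\r\n"),
]


if __name__ == "__main__":
    m = run_collection(SAMPLE_COLLECTORS, "CASE-0001")
    print(json.dumps(m, indent=2))
    print("manifest verifies:", verify_manifest(m))
```

The manifest is printed as JSON so it can be written to the same removable media as the outputs and hashed alongside them; the raw outputs themselves should be saved unmodified, since the manifest only records their digests.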