
Helix

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Nick,

> My initial InCtrl and Regmon work on the open and close of the GUI raised some odd results and I need to work through them before writing it up.

Agreed. I don't remember seeing any Regmon capture data that would tie the deletion of the TV* Registry key to a specific process.

Harlan


   
ReplyQuote
nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Hey Harlan; yeah, that USB TV key change is a little weird. helix.exe triggered a large number of events in Regmon; I just need to work through it and try to figure out what's going on of relevance.

As I'm a 'bear of very little brain' I may be back for some help in interpreting.

Nick


   
ReplyQuote
(@jsawyer)
Eminent Member
Joined: 20 years ago
Posts: 35
 

JSawyer,
> Simply look at the memory fingerprint of "cmd.exe" vs "helix.exe"!

Exactly my point. If you can document the impact that something has on a system, and can explain the artifacts (permanent or temporary), then what's the issue?

Yes, documenting what you mucked up is key, but I am pointing to the fact that most GUIs use more memory, which means they overwrite more evidence. For me, the key to doing live response is documenting and reducing the amount of evidence overwritten while gaining volatile data for the case. We don't disagree that it needs to be documented. I think my point of limiting how much is overwritten by using less memory-intensive tools was missed.

I am a big WFT fan so I will probably take that one on even though it is probably the noisiest of all tools. Luckily, I work for a university and don't have to worry too much about the noise it causes. Pencil me in for WFT. I will probably take on the memory imaging via dd since that is another big interest of mine.

The more I think about it, the more I am likely to do the test with a clean install of XP, fully patched and freshly booted with all tools running. That way, there is less chance of an external process making changes to the system and any changes seen by InstallWatch/InCtrl can be correlated and identified by Regmon/Filemon.

-jhs


   
ReplyQuote
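One way to work through a Regmon capture along the lines of the testing plan above (clean box, tool run, then attribute every change seen by InCtrl to the process Regmon saw making it), as an added Python example that is not from this thread or from Helix/e-fense. The Regmon column order (seq, time, process:pid, request, path, result) and the sample rows are assumed and constructed; it drops read-only requests and keeps only successful writes so that a key deletion can be tied to a specific process.

```python
from collections import defaultdict

# Constructed sample in Regmon's tab-separated export layout (assumed columns:
# seq, time, process:pid, request, path, result). Paths and PIDs are made up;
# "TV_PLACEHOLDER" stands in for the USB TV key name discussed in the thread.
SAMPLE_LOG = """\
1\t10:02:11.0312\thelix.exe:1844\tOpenKey\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\tSUCCESS
2\t10:02:11.0400\thelix.exe:1844\tCreateKey\tHKCU\\Software\\Helix\tSUCCESS
3\t10:02:11.0455\thelix.exe:1844\tSetValue\tHKCU\\Software\\Helix\\LastRun\tSUCCESS
4\t10:02:12.1000\texplorer.exe:1400\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop\tSUCCESS
5\t10:02:12.2000\tsvchost.exe:912\tDeleteKey\tHKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\TV_PLACEHOLDER\tSUCCESS
6\t10:02:12.2100\thelix.exe:1844\tDeleteValue\tHKCU\\Software\\Helix\\Temp\tNOTFOUND
"""

# Requests that change the Registry; reads (OpenKey, QueryValue) are noise here.
WRITE_REQUESTS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}

def parse_regmon(text):
    """Parse tab-separated Regmon export lines into dicts; skip malformed rows."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        seq, time, proc, request, path, result = parts[:6]
        image, _, pid = proc.rpartition(":")   # "helix.exe:1844" -> image, pid
        events.append({"seq": int(seq), "time": time, "image": image, "pid": pid,
                       "request": request, "path": path, "result": result})
    return events

def successful_writes(events):
    """Keep only requests that actually modified the Registry."""
    return [e for e in events
            if e["request"] in WRITE_REQUESTS and e["result"] == "SUCCESS"]

def writes_by_process(events):
    """Map 'image:pid' -> list of (request, path) for its successful writes."""
    summary = defaultdict(list)
    for e in successful_writes(events):
        summary[f"{e['image']}:{e['pid']}"].append((e["request"], e["path"]))
    return dict(summary)

def who_touched(events, key_prefix):
    """Attribute successful changes under key_prefix (case-insensitive) to processes."""
    prefix = key_prefix.lower()
    return [(f"{e['image']}:{e['pid']}", e["request"], e["path"])
            for e in successful_writes(events)
            if e["path"].lower().startswith(prefix)]
```

Feed it a real Regmon export (same column order) and compare `writes_by_process` against the InCtrl/InstallWatch diff: anything InCtrl reports that no process wrote in Regmon is an unexplained change worth chasing.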
(@fatrabbit)
Estimable Member
Joined: 21 years ago
Posts: 132
 

Task allocation

nickfx - Helix 1.7 startup and shutdown procedure.
hogfly - FRED
fatrabbit - Integrated image locator
jsawyer - WFT

From now on if there are any updates to task allocation I'll just edit this post.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

jsawyer,

> I think my point of limiting how much is overwritten by using less memory intensive tools was missed.

Not at all…I agree with you, to an extent. However, what I don't see is anything documenting the fact that GUI tools use more memory than CLI tools.

My impression is that this is more commonly understood urban legend than an actual documented fact.

I prefer to use CLI tools simply for the fact that the output is easily piped over a socket; this isn't something you can do with your run-of-the-mill GUI tool.

GUI tools do import more functions to support the GUI widgets, etc., but for the most part, the necessary DLLs are already loaded into memory.

I haven't looked into it in any detail, because for me it really hasn't been an issue. Keep in mind that any software tool run on a live system is going to consume memory…depending upon the nature of the program, it will consume both physical memory (RAM) as well as space in the pagefile. Will evidence be overwritten as a result of this? Perhaps. Does loading and executing dd.exe to capture the contents of physical memory overwrite evidence? Perhaps…but what? How do we know? I have yet to see an instance in which running dd.exe, for example, clears the clipboard contents. Running one program does not necessarily cause a currently running process to be halted…it may require that pages be moved from memory to the page file, but is that necessarily overwriting evidence?

Food for thought, perhaps.

Harlan


   
ReplyQuote
nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Thanks Fatrabbit
Nick


   
ReplyQuote
(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

The latest version of Helix 1.7, March 7, 2006, has been released and is available for downloading. Some of the tools have been updated, others have been added, the Linux 2.6.14 kernel is being used, and the hardware detection process has been improved. For a complete list of changes, see the changelog at http://www.e-fense.com/helix/changelog.php

Helix is available from http://www.e-fense.com/helix/

There has also been a significant update to the manual, which is included on the CD, but can also be downloaded from http://www.e-fense.com/helix/Docs/Helix0307.pdf


   
ReplyQuote
nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Great, thanks! I'll have to check the testing I've been doing on the start-up process against the new version, though - great!

Nick


   
ReplyQuote
farrahyde
(@farrahyde)
Eminent Member
Joined: 19 years ago
Posts: 21
 

Just acquired the new improved version of Helix and WOW... what an improvement over the one I tested back in October 2005.
Learning all I can... will post any interesting findings.


   
ReplyQuote
Page 5 / 5
Share: