I'm looking to expand some of my materials, so I'd like to get input from folks regarding incidents/events you've seen, particularly those related to Windows systems.
Please avoid the generic KP/CP stuff, and please be as specific as possible.
As I start getting responses, I'll put together scenarios that can be used in online challenges and training, and post them (along with materials, as appropriate).
Thanks,
H
Wow. Nothing. Well, guess I shouldn't be surprised…
Been trying to figure out how to reply with enough detail without publishing things I'm supposed to keep confidential. Are you looking for sticky technical problems or for unusual examinations, i.e., a one-of-a-kind crime or civil matter?
Bill
Bill,
Mostly sticky examples. I've got several available that I use now, but I'm looking to expand. I've taught IR courses for Windows, both on my own and for my current employer, for a while now, and the core exercises have always worked well for me, but I'm trying to explore new things, moving toward functional training.
Even something general with enough detail that I could expand on or fill in the gaps would be helpful.
I've got some really "sticky" PoC things that no one would ever figure out and work best as demos…
I sent you a few via pm.
Greg,
Thanks, I'll check them out.
As you sent them via PM, does that indicate that you don't want the scenario shared at large?
I'd be happy to help out but since I'm a relative newcomer to this arena, every case I have is "sticky" :D
I explained it in the private message.
Greg,
Thanks. Most of the stuff that I could use from what you sent me, I already have (references to Restore points, Recycle Bin, etc.). I do appreciate your time.
Harlan
In a few cases where analysis of the machine has drawn blanks (due to the use of Evidence Eliminator-type tools), I have resorted to analysing the desktop firewall log files and ISP proxy logs, which helped reveal the sites that certain content in question was posted to, the date, time and the user (as logged on to the local PC). This was helpful in gaining an 'acknowledgement of guilt' from the persons concerned.
Additionally, in 'information leakage' type cases, using embedded transparent GIFs (via a hidden URL) has helped identify the people/machines that accessed the confidential file in question (as access to the URL was logged by both the internal and external web servers) and also helped determine its distribution. Not an exact science, but it proved helpful in 2 cases, in at least identifying the sources of the leakage. A lot can be done in these sorts of scenarios to at least focus in on possible suspects.
I have many others, though they're probably not unique scenarios.
Good luck.
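The two techniques in the post above (joining proxy/firewall logs to a user, and tracing which machines fetched a transparent GIF embedded in a confidential document) both come down to the same analysis step: filter a web log for the URL of interest and join each hit to a user by source IP *and* time, because DHCP addresses get reused. The following is an added example, not code from the poster; the beacon path `/img/pixel.gif`, the `doc=` query tag, the usernames, the IP addresses and the log lines are all constructed for illustration.

```python
"""Attribute accesses to a tracking image (web beacon) embedded in a
confidential document by joining NCSA-format web server access logs with
a time-bounded IP-to-user (DHCP lease / logon) table.  Added example; every
path, host, user and log line below is constructed, not from a real case."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# NCSA combined log format (Apache, or IIS W3C logs converted to it).
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

BEACON_PATH = "/img/pixel.gif"   # hypothetical path of the transparent GIF

# Constructed access log from the server the beacon URL points at.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2009:09:15:02 +0000] "GET /img/pixel.gif?doc=q3-forecast HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.5.21 - - [12/Mar/2009:09:15:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.5.21 - - [13/Mar/2009:18:40:10 +0000] "GET /img/pixel.gif?doc=q3-forecast HTTP/1.1" 200 43 "-" "Mozilla/4.0"
203.0.113.10 - - [14/Mar/2009:02:11:55 +0000] "GET /img/pixel.gif?doc=q3-forecast HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0)"
"""

UTC = timezone.utc
# Constructed lease table: (ip, user, lease_start, lease_end).  The same
# address is handed to two different users on consecutive days.
LEASES = [
    ("10.0.5.21", "jsmith", datetime(2009, 3, 12, 8, 0, tzinfo=UTC), datetime(2009, 3, 13, 8, 0, tzinfo=UTC)),
    ("10.0.5.21", "bjones", datetime(2009, 3, 13, 8, 0, tzinfo=UTC), datetime(2009, 3, 14, 8, 0, tzinfo=UTC)),
]


def parse_ncsa_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = NCSA_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp looks like 12/Mar/2009:09:15:02 +0000 (timezone-aware result).
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def beacon_hits(log_text, beacon_path=BEACON_PATH):
    """Return successful (200) requests for the beacon with the doc tag
    from the query string, so several tagged documents can share one GIF."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_ncsa_line(line)
        if rec is None or rec["status"] != 200:
            continue
        path, _, query = rec["path"].partition("?")
        if path != beacon_path:
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        hits.append({"ts": rec["ts"], "ip": rec["ip"], "doc": params.get("doc", "")})
    return hits


def attribute(hits, leases):
    """Join each hit to a user by IP *and* time.  A flat IP->user map would
    blame the wrong person once the address is reused; hits from addresses
    with no lease (e.g. external ones) are kept as 'unattributed:<ip>',
    which is itself the evidence that the document left the network."""
    by_user = defaultdict(list)
    for h in hits:
        owner = None
        for ip, user, start, end in leases:
            if ip == h["ip"] and start <= h["ts"] < end:
                owner = user
                break
        by_user[owner or f"unattributed:{h['ip']}"].append(h)
    return dict(by_user)


if __name__ == "__main__":
    for who, hs in attribute(beacon_hits(SAMPLE_LOG), LEASES).items():
        for h in hs:
            print(f"{h['ts'].isoformat()}  {h['ip']:<15} {who:<28} doc={h['doc']}")
```

The same `attribute()` join works for the desktop firewall or ISP proxy logs mentioned in the post once they are parsed into the same `{"ts", "ip"}` shape; the point to carry over is that the lease or logon window, not just the address, decides who was at the keyboard.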